Both Iraqi state provider Uruklink.net name servers offline

2003-03-26 Thread Sean Donelan
Despite very old recommendations, the Iraqi state provider Uruklink.net kept all of its name servers on the same subnet. Although this is recognized as a poor design, many domain name server operators worldwide do the same thing. nic1.baghdadlink.net. 2D IN A 62.145.94.1 nic2.baghdadli
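The "same subnet" problem the post describes is checkable from a zone's own A records. The following Python is an added example for this thread, not code from the post or from Uruklink: it parses zone-file style A records, groups the servers by /24 (a rough stand-in for "same subnet", since the real topology is not visible from outside) and reports whether the set meets the RFC 2182 recommendation of at least two separate networks. Only nic1's address appears in the post; nic2's address and the second sample are constructed for illustration.

```python
"""Check whether a zone's name servers share one subnet (RFC 2182 diversity).

Added example for this thread, not code from the original posts. Only nic1's
address appears in the post; nic2's address below is assumed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample in the "owner TTL class type rdata" form the post quotes.
SAMPLE_A_RECORDS = """\
nic1.baghdadlink.net.  2D  IN  A  62.145.94.1
nic2.baghdadlink.net.  2D  IN  A  62.145.94.2
"""

# Constructed counter-example with servers on two different /24s.
SAMPLE_DIVERSE = """\
ns1.example.net.  1D  IN  A  192.0.2.10
ns2.example.net.  1D  IN  A  198.51.100.10
"""


def parse_a_records(text):
    """Return {owner: IPv4Address} from zone-file style A records."""
    addrs = {}
    for line in text.splitlines():
        fields = line.split()
        # Expect: owner TTL IN A address; skip anything else (comments, other types)
        if len(fields) != 5 or fields[2].upper() != "IN" or fields[3].upper() != "A":
            continue
        owner, rdata = fields[0].lower(), fields[4]
        addrs[owner] = ipaddress.IPv4Address(rdata)
    return addrs


def group_by_prefix(addrs, prefixlen=24):
    """Group server names by the /prefixlen network containing their address."""
    groups = defaultdict(list)
    for owner, addr in addrs.items():
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        groups[net].append(owner)
    return dict(groups)


def diversity_report(addrs, prefixlen=24, minimum=2):
    """Report whether the servers span at least `minimum` distinct prefixes.

    RFC 2182 asks for name servers on separate networks; a /24 is used here as
    a rough proxy for "same subnet" because the real topology is not visible.
    """
    groups = group_by_prefix(addrs, prefixlen)
    crowded = {str(net): owners for net, owners in groups.items() if len(owners) > 1}
    return {
        "servers": len(addrs),
        "distinct_prefixes": len(groups),
        "diverse": len(groups) >= minimum,
        "shared": crowded,  # prefixes hosting more than one server
    }


if __name__ == "__main__":
    for label, sample in (("baghdadlink (constructed)", SAMPLE_A_RECORDS),
                          ("diverse (constructed)", SAMPLE_DIVERSE)):
        print(label, diversity_report(parse_a_records(sample)))
```

A /24 match is only a hint: two servers on different /24s can still sit behind the same router, the same upstream or the same power feed, so a passing report is a necessary, not sufficient, condition for the diversity RFC 2182 has in mind.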

Classified

2003-03-26 Thread Len Rose
Please refrain from discussing anything! http://news.com.com/2100-1028-994216.html sigh.

Re: summary (Re: how to get people to upgrade?)

2003-03-26 Thread E.B. Dreger
This got me to thinking... there's no reason a centralized, automated database would need to be "yea/nay". Perhaps it's time for a "vulnerability info" RRTYPE. Of course, DNS might not be the protocol of choice; focus on concept and ignore details. ;-) One of the fields could be severity. Let

summary (Re: how to get people to upgrade?)

2003-03-26 Thread Paul Vixie
in addition to many public comments (cc'd to nanog or just sent there), i received a number of private replies. here's a representative sample: > problem is if the default is off you will probably not catch the > clueless folk that you want to target, better would be default on and > the clueful

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Bruce Pinsky
Charles Sprickman wrote: On Wed, 26 Mar 2003 [EMAIL PROTECTED] wrote: One obvious problem with this would be that certain vendors prefer to backport security fixes to older versions rather than test and release new versions...so an insecure-looking version string may actually have had fixes appli

RE: Odd DNS Traffic

2003-03-26 Thread McBurnett, Jim
Michael, Do you have a packet sniff of the traffic? Possibly a sniff of at least 1 packets? HMMM.. I have seen some increase at our Corp DNS, but not that much... drop me a note offlist with the sniff.. I would like to look at this.. Jim > -Original Message- > From: Support Team [mai

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread E.B. Dreger
SL> Date: Thu, 27 Mar 2003 09:55:08 +1200 (NZST) SL> From: Simon Lyall SL> I'm also worried about any concept of trying to "force" SL> people to upgrade, even with bind I use some features (namely SL> an external named-xfer program) of bind v8 that aren't SL> available in bind v9 . For the server

Re: Contact with Clue at XO?

2003-03-26 Thread Eric Whitehill
Very big thanks to Dennis over at XO for his fast reply. It's getting taken care of now. -Eric On Wed, 26 Mar 2003, Eric Whitehill wrote: > Date: Wed, 26 Mar 2003 16:41:08 -0500 (EST) > From: Eric Whitehill <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Contact with Clue at XO? > > >

RE: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Charles Sprickman
On Wed, 26 Mar 2003 [EMAIL PROTECTED] wrote: > One obvious problem with this would be that certain vendors prefer to > backport security fixes to older versions rather than test and release > new versions...so an insecure-looking version string may actually have > had fixes applied. I think you'

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Simon Lyall
On Wed, 26 Mar 2003, E.B. Dreger wrote: > PV> From: Paul Vixie > PV> appealing, but i'm more concerned about MIM when fetching > PV> update information than i am with simply registering package > PV> version numbers, hosts, and e-mail addresses. > > Distribute BIND with public key. Updates are en

Contact with Clue at XO?

2003-03-26 Thread Eric Whitehill
Sorry to populate the list with traffic like this... Extended IP access list 120 deny ip 216.156.98.0 0.0.0.255 any (31607418 matches) permit ip any any (43284187 matches) (this is under 2 hours) Which is a very, very bad thing. Can someone from XO, please contact me about this? 15:33

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread E.B. Dreger
PV> Date: 26 Mar 2003 21:22:59 + PV> From: Paul Vixie PV> having the server check for updates and issue local mail is This assumes the configured notification email address remains valid, and the recipient doesn't sort them into a "I'll get around to it" folder. PV> appealing, but i'm mor

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Paul Vixie
i see that a lot of folks are responding publicly. sorry to spawn a thread. [EMAIL PROTECTED] (Niels Bakker) writes: > So how much would this differ from `make install' running this shell script? most bind installations are prefab -- they come with the operating system and there's no "make ins

Re: suggestion for IBX in Washington DC

2003-03-26 Thread madlion
talk with Level3 Communication. They have an excellent colo environment and interconnection with different providers. Email me offline if you need a contact person. Cheers, Moe On Wed, 26 Mar 2003, K. Scott Bethke wrote: > > I need a recommendation for an IBX/colo environment located in the city

Re: The weak link? DNS

2003-03-26 Thread Sean Donelan
On Wed, 26 Mar 2003, Matt Buford wrote: > I can not go into details, but suffice it to say DNS was just a symptom of > other events, not the problem itself. DNS TTL on the global load balancing > system was at 5 seconds and DNS load never rose above trivial. Al Jazeera's main problem looks like

Odd DNS Traffic

2003-03-26 Thread Support Team
First I would like to note I am new to the list and group. It's nice to be here. Second, since Monday, March 24th at approx 1am we have been suffering from "odd" DNS traffic to our two primary DNS servers. The odd traffic has increased our bandwidth utilization by about 20 Mbps, which is obviou

Re: The weak link? DNS

2003-03-26 Thread Matt Buford
I can not go into details, but suffice it to say DNS was just a symptom of other events, not the problem itself. DNS TTL on the global load balancing system was at 5 seconds and DNS load never rose above trivial. - Original Message - From: "Sean Donelan" <[EMAIL PROTECTED]> To: <[EMAIL P

Florida

2003-03-26 Thread hostmaster
Hi folks, Anybody seen/heard of major outages/jams in Florida today ? I'm having some pockets of resistance making it impossible for me to get to Verisign, Sun, Reuters and AP from 65.87.x.x Appreciate any insights on or off list. thanks Bert

how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Pedro R Marques
> what i really want to talk > about is: how to get people to upgrade their software when defects > are found. > > sending out announcements through CERT and the bind-announce m/l > isn't working. Paul, It seems to me that you are assuming that the problem is not enough information gets to sys

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Valdis . Kletnieks
On Wed, 26 Mar 2003 08:14:45 PST, [EMAIL PROTECTED] said: > > What are you talking about, DNS check option will work great for BIND, > I mean if BIND can not get to the root server and thereafter to ISC, you > don't have to worry about it getting hacked, its probably not connected to Keep in

RE: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Kuhtz, Christian
> CK> The way I see it, the issue isn't that there aren't enough > CK> notifications of BIND vulnerabilities. > > Perhaps. But how much is enough? Current notification levels > certainly get a fair number of admins to upgrade. Feel free to elaborate on where you think gaps exist.. > CK> Adm

Re: [Re: how to get people to upgrade? (Re: The weak link? DNS)]

2003-03-26 Thread Jeffrey C. Ollie
On Wed, 2003-03-26 at 10:52, Joshua Smith wrote: > > don't forget to include some useful/helpful comments regarding where to > look for more info Yes, the TXT record would include the entire text of the security notice (hmm... how big can TXT records be?) or at least a URL. > i like this idea bet

RE: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread E.B. Dreger
JL> Date: Wed, 26 Mar 2003 13:00:57 -0500 (EST) JL> From: Jon Lewis JL> How hard would it be to have bind do some sort of secure.bind.isc.org JL> query at start-up or perhaps even periodically and have it log lots of JL> warnings or refuse to run if the query comes back and tells it the local JL

RE: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Scott Weeks
: Correct. Human behavior won't change. The pain must exceed the : inertia. : : Sounds familiar. Have we seen this before? : : Outdated bogon filters... old software... spam... needless route : deaggregation... broken smurf filters... ingress/egress : filtering... router> en Password: router#

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread william
What are you talking about, DNS check option will work great for BIND, I mean if BIND can not get to the root server and thereafter to ISC, you don't have to worry about it getting hacked, it's probably not connected to internet. And DNS already provides ability for ISC to have multiple diverse

RE: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread jlewis
On Wed, 26 Mar 2003, E.B. Dreger wrote: > CK> The way I see it, the issue isn't that there aren't enough > CK> notifications of BIND vulnerabilities. > > Perhaps. But how much is enough? Current notification levels > certainly get a fair number of admins to upgrade. The majority of those who

RE: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread E.B. Dreger
CK> Date: Wed, 26 Mar 2003 11:59:02 -0500 CK> From: "Kuhtz, Christian" CK> The way I see it, the issue isn't that there aren't enough CK> notifications of BIND vulnerabilities. Perhaps. But how much is enough? Current notification levels certainly get a fair number of admins to upgrade. CK>

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread E.B. Dreger
Perhaps nameservers could periodically poll dig @?.root-servers.net 2.2.9.is-vuln.bind. txt chaos or something similar; I suggest using roots because DNS queries to them are far less likely to be filtered. If corresponding RR is valid (see below), shut down BIND, thus forcing admins to

RE: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Kuhtz, Christian
> On 26 Mar 2003, Jeffrey C. Ollie wrote: > > What I would like to see is somewhat of the idea in > > reverse. The ISC would host a zone that would contain TXT records with > > security/bug advisories for every version: > > I really like this solution. It seems clean and unobj

Re: [Re: how to get people to upgrade? (Re: The weak link? DNS)]

2003-03-26 Thread Joshua Smith
"Jeffrey C. Ollie" <[EMAIL PROTECTED]> wrote: > > On Wed, 2003-03-26 at 09:24, Paul Vixie wrote: > > so here's a proposal. we (speaking for ISC here) could add a config > > option > > (default to OFF) to make bind send some kind of registration packet > > at boot > > time, containing an e-mail

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Michael . Dillon
> The ISC would host a zone that would contain TXT records with > security/bug advisories for every version: I have a better idea. ISC could set up a web page that would contain security/bug advisories for every version. In order to make it easier for people to find this web page, it could be

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Niels Bakker
* [EMAIL PROTECTED] (Paul Vixie) [Wed 26 Mar 2003, 16:24 CET]: > so here's a proposal. we (speaking for ISC here) could add a config option > (default to OFF) to make bind send some kind of registration packet at boot > time, containing an e-mail address for a technical contact for that server, >

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Dave Israel
On 3/26/2003 at 08:31:40 -0800, Bill Woodcock said: > > On 26 Mar 2003, Jeffrey C. Ollie wrote: > > What I would like to see is somewhat of the idea in > > reverse. The ISC would host a zone that would contain TXT records with > > security/bug advisories for every version: > >

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Bill Woodcock
On 26 Mar 2003, Jeffrey C. Ollie wrote: > What I would like to see is somewhat of the idea in > reverse. The ISC would host a zone that would contain TXT records with > security/bug advisories for every version: I really like this solution. It seems clean and unobjectionable,

opentransit.net problem?

2003-03-26 Thread Miguel Mata-Cardona
we are AS 16592 (168.243.224.0/20) and are having problems reaching 168.234.136.0/24. The problem is very erratic; sometimes we can reach them, sometimes not (for a 10-30 second period). The problem arises from an opentransit.net hop, as seen in the following trace: 1<1 ms<1 ms<1 ms 20

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Jeffrey C. Ollie
On Wed, 2003-03-26 at 09:24, Paul Vixie wrote: > so here's a proposal. we (speaking for ISC here) could add a config option > (default to OFF) to make bind send some kind of registration packet at boot > time, containing an e-mail address for a technical contact for that server, > and perhaps its

suggestion for IBX in Washington DC

2003-03-26 Thread K. Scott Bethke
I need a recommendation for an IBX/colo environment located in the city of Washington DC itself.. I know Tyson/McLean is Paradise but looking for a good solution actually IN the DC portion of lata 236 Our main goals are Transit availability from good providers (Worldcom is a must) and good peeri

Re: Domain oddity - possibly early warning...

2003-03-26 Thread Matt Larson
On Tue, 25 Mar 2003, Rodney Joffe wrote: > We've noticed something we've never noticed before that became evident > at 14:00 today... and which could be an isolated glitch at > Verisign/Netsol, or it could be a sign of a larger problem looming. Or perhaps it could be the result of perfectly norm

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread william
Thinking about it again, this would have the additional advantage of collecting statistics on where bind is being used (you get ips of the servers) and what versions they are running. So even if they did not update the software, you can still find out where they are by ip address and if situation i

Re: The weak link? DNS

2003-03-26 Thread Leo Bicknell
In a message written on Wed, Mar 26, 2003 at 04:09:06AM -0500, Sean Donelan wrote: > For example, Al Jazeera had the time-to-live of their domain records set > to 15 minutes, making them even more vulnerable to increasing the load > on their systems. Of course, Al Jazeera had other problems too.

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread william
Personally I've not looked favorably at giving my email to various lists, although it's probably way too late and everyone by now has it... 1. I have another idea though: during setup of the server ask for the email address of the list administrator, but keep that on the server itself. 2. Setup some dns se

Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Dave Israel
On 3/26/2003 at 15:24:18 +, Paul Vixie said: [snip] > so here's a proposal. we (speaking for ISC here) could add a config option > (default to OFF) to make bind send some kind of registration packet at boot > time, containing an e-mail address for a technical contact for that server, > and

how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Paul Vixie
[EMAIL PROTECTED] (Sean Donelan) writes: > What's even stranger about the Iraqi state provider Uruklink.net is the DNS > servers are now self-identifying with earlier (with known bugs) versions > of BIND. Last week the Uruklink name server 62.145.94.1 was running > 8.2.2-P5, but now is running 8.1
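The "self-identifying" Sean refers to is BIND answering a CHAOS-class TXT query for version.bind, which dig issues as `dig @62.145.94.1 version.bind chaos txt`; the is-vuln.bind lookup proposed earlier in this thread (and the ISC-hosted TXT zone variants of it) would ride the same mechanism against a zone under ISC's control. The following Python is an added example, not code from any post or from ISC: it builds the query packet by hand from the RFC 1035 wire format, decodes the TXT answer, and constructs the server's reply locally so that it runs offline. The reversed-label naming for the vulnerability query follows the one example given in the thread and is an assumption, as is the is-vuln.bind zone itself, which does not exist.

```python
"""Hand-built DNS CHAOS-class TXT query and reply parsing (RFC 1035 wire format).

Added example for this thread; not code from the posts or from ISC. The reply
below is constructed locally so the example runs offline.
"""
import struct

QTYPE_TXT = 16
QCLASS_CH = 3   # CHAOS: the class BIND answers version.bind in


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_TXT, qclass=QCLASS_CH, txid=0x1234):
    """Header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers; return (name, end)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2              # caller resumes after the pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_txt_answers(msg):
    """Return [(owner, class, ttl, text)] for every TXT RR in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype != QTYPE_TXT:
            continue
        text, i = [], 0
        while i < len(rdata):                 # TXT rdata is a run of <len><bytes> strings
            n = rdata[i]
            text.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
            i += 1 + n
        answers.append((owner, rclass, ttl, "".join(text)))
    return answers


def build_txt_response(query, txt, ttl=0):
    """Construct the reply a server would send to `query` (offline testing only)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:query.index(b"\x00", 12) + 1 + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    raw = txt.encode("ascii")
    rdata = bytes([len(raw)]) + raw
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, ttl, len(rdata)) + rdata
    return header + question + rr


def version_from_response(msg):
    """The server's self-reported version, or None if it did not answer version.bind."""
    for owner, rclass, _ttl, text in parse_txt_answers(msg):
        if owner.lower() == "version.bind." and rclass == QCLASS_CH:
            return text
    return None


def vuln_query_name(version):
    """Name to look up under the hypothetical is-vuln.bind zone, labels reversed as in
    the thread's example "2.2.9.is-vuln.bind." (an assumption; no such zone exists)."""
    return ".".join(reversed(version.split("."))) + ".is-vuln.bind."


if __name__ == "__main__":
    q = build_query("version.bind")
    reply = build_txt_response(q, "8.2.2-P5")   # constructed reply, not a real server
    print("server says:", version_from_response(reply), "->", vuln_query_name("8.2.2-P5"))
```

Two caveats a practitioner would keep in mind: the version.bind answer is whatever the operator configured (named.conf's `version` option can override it), so a reported version is a hint rather than proof, which cuts both ways for the "look up your own version" proposals in this thread; and a vulnerability zone queried over plain UDP is exactly the man-in-the-middle exposure Paul raises later in the thread, since nothing in the exchange above authenticates the answer.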

The weak link? DNS

2003-03-26 Thread Sean Donelan
Watching the Iraqi Uruklink and Al Jazeera over the weekend, what struck me is how many different ways network administrators can mess up. Although malicious actors have been trying (and succeeding) to exploit vulnerabilities, the worst problems seem to be self-inflicted. Administrators had used