On 11/5/07, Eliot Lear <[EMAIL PROTECTED]> wrote:
>
> Cough. So, how much is that NXDOMAIN worth to you?
So, here's the problem really... NXDOMAIN is being judged as a
'problem'. It's really only a 'problem' for a small number of
APPLICATIONS on the Internet. One could even argue that in a
web-
David Conrad wrote:
>
> On Nov 5, 2007, at 2:13 PM, Bora Akyol wrote:
>> Do common endpoints (Windows Vista/XP, MacOS X 10.4/5) support DNSSEC
>> Validation? If not, then do people have a choice?
>
> Yes and no.
Of course, nobody supports the "Evil bit" today, so some change would be
necessary on
On 2007-11-05-10:51:58, Gregory Boehnlein <[EMAIL PROTECTED]> wrote:
> I'm considering dropping Cogent completely [...]
Always a good idea.
> 1. Level 3
> 2. MCI/Verizon
> 3. AT&T
>
> I'm looking for comments from actual customers of the above providers in
> relation to;
>
> 1. Network reliabi
Am 05.11.2007 um 17:16 schrieb Stephane Bortzmeyer:
3) Provide DNS recursors which do the mangling *and* block users,
either by filtering out port 53 or by giving them a RFC 1918 address
with no NAT for this port.
I've seen 1) and 2) in the wild and I am certain I will see 3) one day
or the ot
On Nov 5, 2007, at 9:51 AM, Gregory Boehnlein wrote:
I'm considering dropping Cogent completely out of my transit mix, as
the number of outages and problems they have been experienced over the past
year has reached an unacceptable level. It has gotten to the point that we
their BGP
> Mark,
>
> On Nov 5, 2007, at 5:31 PM, Mark Andrews wrote:
> > All you have to do is move the validation to a machine you
> > control to detect this garbage.
>
> You probably don't need to bother with DNSSEC validation to stop the
> Verizon redirection. All you need do is run a cach
Mark,
On Nov 5, 2007, at 5:31 PM, Mark Andrews wrote:
All you have to do is move the validation to a machine you
control to detect this garbage.
You probably don't need to bother with DNSSEC validation to stop the
Verizon redirection. All you need do is run a caching server
In article <[EMAIL PROTECTED]> you write:
>
>On Nov 5, 2007, at 8:23 AM, David Lesher wrote:
>> What effect will Allegedly Secure DNS have on such provider
>> hijackings, both of DNS and crammed-in content?
>
>If what Verizon is doing is rewriting NXDOMAIN at their caching
>servers, DNSSEC will
In article <[EMAIL PROTECTED]> you write:
>
>On Sun, 4 Nov 2007 11:52:11 -0500 (EST)
>Sean Donelan <[EMAIL PROTECTED]> wrote:
>
>> I just wish the IETF would acknowledge this and go ahead and define a
>> DNS bit for artificial DNS answers for all these "address correction" and
>> "domain parking"
On Nov 5, 2007, at 2:13 PM, Bora Akyol wrote:
Do common endpoints (Windows Vista/XP, MacOS X 10.4/5) support DNSSEC
Validation? If not, then do people have a choice?
Yes and no.
If you run your own caching server and that caching server supports
DNSSEC and you enable DNSSEC and set up/maint
Do common endpoints (Windows Vista/XP, MacOS X 10.4/5) support DNSSEC
Validation? If not, then do people have a choice?
Regards
Bora
On 11/5/07 11:54 AM, "Steven M. Bellovin" <[EMAIL PROTECTED]> wrote:
>
> On Mon, 5 Nov 2007 11:17:29 -0800
> David Conrad <[EMAIL PROTECTED]> wrote:
>
>> On
David Conrad wrote:
>
> As an aside, I note that Verizon is squatting on address space allocated
> to APNIC. From the self-help web page offered to opt out of this
> "service" (specific to the particular hardware customers might be using,
> e.g., http://netservices.verizon.net/portal/link/help/i
On Nov 5, 2007, at 11:54 AM, Steven M. Bellovin wrote:
On Nov 5, 2007, at 8:23 AM, David Lesher wrote:
What effect will Allegedly Secure DNS have on such provider
hijackings, both of DNS and crammed-in content?
If what Verizon is doing is rewriting NXDOMAIN at their caching
servers, DNSSEC wi
On Mon, 5 Nov 2007 11:17:29 -0800
David Conrad <[EMAIL PROTECTED]> wrote:
> On Nov 5, 2007, at 8:23 AM, David Lesher wrote:
> > What effect will Allegedly Secure DNS have on such provider
> > hijackings, both of DNS and crammed-in content?
>
> If what Verizon is doing is rewriting NXDOMAIN at th
On Mon, 5 Nov 2007 17:16:11 +0100
Stephane Bortzmeyer <[EMAIL PROTECTED]> wrote:
>
> On Mon, Nov 05, 2007 at 10:54:05AM -0500,
> Andrew Sullivan <[EMAIL PROTECTED]> wrote
> a message of 29 lines which said:
>
> > One could argue that it is less evil to do this at recursive
> > servers, becaus
On Nov 5, 2007, at 8:23 AM, David Lesher wrote:
What effect will Allegedly Secure DNS have on such provider
hijackings, both of DNS and crammed-in content?
If what Verizon is doing is rewriting NXDOMAIN at their caching
servers, DNSSEC will _not_ help. Caching servers do the validation
an
I think ICANN should probably come out and specify that doing
wildcard matching on TLD delegations is Not A Good thing.
You mean like http://www.icann.org/committees/security/sac015.htm ?
Regards,
-drc
Hi,
Based on the procedures they document to opt-out, doesn't look like
Sitefinder-like authoritative wildcarding. Looks more like caching
server NXDOMAIN rewriting. If so, easy to get around: just run your
own caching server. Also means you can't defeat this using DNSSEC
(if it was a
On Mon, Nov 05, 2007 at 11:52:02AM -0500, Patrick W. Gilmore wrote:
> authority for a TLD is bad, because most people don't have a choice of
> TLD. (Or at least think they don't.)
I don't think that's the reason; I think the reason is that someone
who needs to rely on Name Error can't do it, i
Could be attenuation limit. Try adding 10db
-Original Message-
From: Sebastian Ganschow <[EMAIL PROTECTED]>
Sent: 05 November 2007 15:09
To: nanog@merit.edu
Subject: STM-1 Connection between Cisco LS1010 an Marconi ASX-200BX
Hi,
sorry for this little OffTopic.
We've got a brand new ST
When Verisign hijacked the wildcard DNS space for .com/.net, they
encoded the Evil Bit in the response by putting Sitefinder's IP
address as the IP address. In theory you could interpret that as
damage and route around it, or at least build ACLs to block any
traffic to that IP address except for
On Sun, 4 Nov 2007 11:52:11 -0500 (EST)
Sean Donelan <[EMAIL PROTECTED]> wrote:
> I just wish the IETF would acknowledge this and go ahead and define a
> DNS bit for artificial DNS answers for all these "address correction" and
> "domain parking" and "domain tasting" people to use for their keen
On Nov 5, 2007, at 10:54 AM, Andrew Sullivan wrote:
On Sun, Nov 04, 2007 at 08:32:25AM -0500, Patrick W. Gilmore wrote:
A single provider doing this is not equivalent to the root servers
doing it. You can change providers, you can't change "." in DNS.
This is true, but Verisign wasn't doing
From: Gregory Boehnlein
>
> Good morning,
> I'm considering dropping Cogent completely out of my
> transit mix, as the number of outages and problems they
> have been experienced over the past year has reached an
> unacceptable level. It has gotten to the point that we
> their BGP session
On Nov 5, 2007, at 7:40 AM, Joe Greco wrote:
Reinventing the DNS protocol in order to intercept odd stuff on the Web
seems to me to be overkill and bad policy. Could someone kindly explain
to me why the proxy configuration support in browsers could not be used
for this, to limit the scope
What effect will Allegedly Secure DNS have on such provider
hijackings, both of DNS and crammed-in content?
[Assuming we ever get to such; I know ASD is in line to deploy just
after perpetual motion and honest politicians..]
--
A host is a host from coast to [EMAIL PROTECTED]
& no one will t
On Mon, Nov 05, 2007 at 10:54:05AM -0500,
Andrew Sullivan <[EMAIL PROTECTED]> wrote
a message of 29 lines which said:
> One could argue that it is less evil to do this at recursive
> servers, because people could choose not to use that service by
> installing their own full resolvers or whatev
Have only had experience of Level3 & MCI/Verizon in the UK
I prefer Level3 due to the following...
Scale of the Network
Host lots of big content providers across the Globe
Very few outages (1 in 12months) on the UK backbone
Customer support was very good
Always an account manager to assist with
Andrew Sullivan (andrew) writes:
>
> The last time I heard a discussion of this topic, though, I heard
> someone make the point that there's a big difference between
> authority servers and recursing resolvers, which is the same sort of
> point as above. That is, if you do this in the authority
We had the same issues with Cogent .. I feel your pain...
level(3) has always been good for us - very few issues and their support
has been great from our perspective.
MCI/Verizon did not work well for us at all - their network was solid
and customer service wasn't too bad ... our problem was th
On Sun, Nov 04, 2007 at 08:32:25AM -0500, Patrick W. Gilmore wrote:
>
> A single provider doing this is not equivalent to the root servers
> doing it. You can change providers, you can't change "." in DNS.
This is true, but Verisign wasn't doing it on root servers, IIRC, but
on the .com and .
Good morning,
I'm considering dropping Cogent completely out of my transit mix, as
the number of outages and problems they have been experienced over the past
year has reached an unacceptable level. It has gotten to the point that we
their BGP session is shutdown for longer periods than it
Hi,
sorry for this little OffTopic.
We've got a brand new STM-1 Connection between 2 of our POPs. The
Problem is, we're not able to put it into service.
On Side A we've got a Cisco Lightstream 1010 ATM-Switch with a 155SM PAM
Modul. Side B is a Marconi ASX-200BX with a NM-4/155SMIRE Module.
T
> Sean,
> >>
> >> Yes, it sounds like the evil bit. Why would anyone bother to set it?
> >
> > Two reasons
> >
> > 1) By standardizing the process, it removes the excuse for using
> > various hacks and duct tape.
> >
> > 2) Because the villain in Bond movies don't view themselves as evil.
> > Goo
34 matches