I've wondered about this for years, but only this evening did I start
searching for details. And I really couldn't find any.
Can anyone point me at distant history about how 4.2.2.2 came to be, in my
estimation, the most famous DNS server on the planet?
I know that it was originally at BBN,
On 14 Feb 2010, at 01:16, goe...@anime.net wrote:
This is a bit more accessible, and free:
http://www.hulu.com/watch/4163/saturday-night-live-ernestine
Not if you are outside of the USA as the OP is...
f
I think around 10 years ago Slashdot had a few stories (and still do,
actually) about how great these resolvers were. I think that propelled
quite a bit of their growth and popularity.
On 2/14/2010 1:16 AM, Sean Reifschneider wrote:
I've wondered about this for years, but only this evening
Since I'm watching B5 again on DVD
I was there at the dawning of the age of 4.2.2.1 :)
We did it, and we I mean Brett McCoy and my self. But most of the
credit/blame goes to Brett... I helped him, but at the time I was mostly
working on getting out Mail relays working right. This
On Sun, Feb 14, 2010 at 02:16:30AM -0700, Sean Reifschneider wrote:
I've wondered about this for years, but only this evening did I start
searching for details. And I really couldn't find any.
Can anyone point me at distant history about how 4.2.2.2 came to be, in my
estimation, the most
It was always pretty robust due to the BIND code, thanks to ISC, and
the fact it was always IPV4 AnyCast.
$ asp 4.2.2.2 # look it up in routeviews
4.0.0.0/9 ASN 3356, path 3549 - 3356
Wow, that's a heck of an anycast block.
R's,
John
On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
i am often on funky networks in funky places. e.g. the wireless in
changi really sucked friday night. if i ssh tunneled, it would multiply
the suckiness as tcp would have puked at the loss rate.
You can always run your own local resolver... Or
On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote:
On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
i am often on funky networks in funky places. e.g. the wireless in
changi really sucked friday night. if i ssh tunneled, it would multiply
the suckiness as tcp would have puked at the loss
On Feb 14, 2010, at 12:42 PM, Patrick W. Gilmore wrote:
How does that help? It still sends port 53 requests to the authorities,
which will be intercepted.
Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the
problem the local resolvers?
Well, in either case, another
On 2/14/2010 11:42 AM, Patrick W. Gilmore wrote:
On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote:
On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
i am often on funky networks in funky places. e.g. the wireless in
changi really sucked friday night. if i ssh tunneled, it would multiply
the
On Feb 14, 2010, at 12:53 PM, Jason Frisvold wrote:
On Feb 14, 2010, at 12:42 PM, Patrick W. Gilmore wrote:
How does that help? It still sends port 53 requests to the authorities,
which will be intercepted.
Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the
I run openvpn on my linux box to do exactly that. Already running
apache/bind/postfix/xmpp with legacy Im bridges so adding openvpn was a logical
next step.
#protip run it on port 443. :) makes it much easier to get around firewalls.
Even with deep packet inspection, SSL traffic is expected
4.2.2.2 is stunted just like any other resolvers that use only the USG root. A more useful resolver is ASLAN [199.5.157.128]
which is an inclusive namespace resolver which shows users a complete map of the internet, not just what ICANN wants them
to see.
- Original Message -
From: Steve
Larry Sheldon(larryshel...@cox.net)@Sun, Feb 14, 2010 at 11:54:25AM -0600:
On 2/14/2010 11:42 AM, Patrick W. Gilmore wrote:
On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote:
On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
i am often on funky networks in funky places. e.g. the wireless in
On 14. feb. 2010, at 19.43, John Palmer (NANOG Acct) wrote:
4.2.2.2 is stunted just like any other resolvers that use only the USG root.
A more useful resolver is ASLAN [199.5.157.128] which is an inclusive
namespace resolver which shows users a complete map of the internet, not just
what
On 2/14/10 11:43 AM, John Palmer (NANOG Acct) wrote:
4.2.2.2 is stunted just like any other resolvers that use only the USG
root. A more useful resolver is ASLAN [199.5.157.128] which is an
inclusive namespace resolver which shows users a complete map of the
internet, not just what ICANN wants
On Sun, Feb 14, 2010 at 12:43:12PM -0600,
John Palmer (NANOG Acct) nan...@adns.net wrote
a message of 42 lines which said:
A more useful resolver is ASLAN [199.5.157.128] which is an
inclusive namespace resolver which shows users a complete map of the
internet,
There are many crooks which
All:
I'm involved in a project where we are cutting over a WISP from being a
single broadcast domain into the grownup real world of routing between tower
nodes. Of course the equipment is all Mikrotik and the single broadcast
domain was easy to implement, so that's why it was done this way.
Hrm.. Maybe I misunderstood. Are the packets being intercepted, or
is the problem the local resolvers?
Both, probably. Hotel networks often intercept all port 53 traffic not
out of malice, but so that they won't get support calls from people whose
PCs have poorly configured DNS often pointing
* John Levine:
It was always pretty robust due to the BIND code, thanks to ISC, and
the fact it was always IPV4 AnyCast.
$ asp 4.2.2.2 # look it up in routeviews
4.0.0.0/9 ASN 3356, path 3549 - 3356
Wow, that's a heck of an anycast block.
You can do anycast with your IGP, too. 8-)
We use Cisco WS-3560G-24-PS-S (Catalyst 3560G's with POE Ports). Provides POE on
each port too to eliminate having to use POE bricks to radios. We actually give
each AP it's own group. It's better to break them all up rather than keep them
in their own broadcast domain, because from subscriber to
On 02/14/2010 07:41 AM, Joe Provo wrote:
I don't think anyone else can help you determine your estimaation...
Sorry, I was being kind of flippant and paying homage to the Peggy Hill
character in _King_of_the_Hill_.
That is a question for folks at L3. Any publicly-sharable data might
be
On 02/14/2010 07:16 AM, John Orthoefer wrote:
Since I'm watching B5 again on DVD
Awesome. Thanks for taking the time to reply, I really enjoyed the story.
Have fun with the B5. The only time I watched it was on a VHS borrowed
from a friend. It was a 3'x3' cabinet full of them. :-)
Sean
On Sun, Feb 14, 2010 at 1:19 PM, Sean Reifschneider j...@tummy.com wrote:
Why conjecture? Examining the /32s from inside and outside of 3356
I said conjecture because every person I found in my searches said things
like I think it might be anycasted or they could be using anycast.
Until this
In message 182e6e76-f12a-41d9-800a-e5e40f3c3...@direwolf.com, John Orthoefer
writes:
Genuity/GTEI/Planet/BBN owned 4/8. Brett went looking for an IP that =
was simple to remember, I think 4.4.4.4 was in use by neteng already. =
But it was picked to be easy to remember, I think jhawk had put
On Feb 14, 2010, at 5:17 PM, Mark Andrews wrote:
In message 182e6e76-f12a-41d9-800a-e5e40f3c3...@direwolf.com, John
Orthoefer
writes:
Genuity/GTEI/Planet/BBN owned 4/8. Brett went looking for an IP that =
was simple to remember, I think 4.4.4.4 was in use by neteng already. =
But it was
On 2010-02-14, at 17:17, Mark Andrews wrote:
I don't care what internal routing tricks are used, they are still
under the *one* external route and as such subject to single points
of failure and as such don't have enough independence.
Are you asserting architectural control over what Level3
On Sun, 2010-02-14 at 17:20 -0500, Patrick W. Gilmore wrote:
Besides, it is quicker / better to use your local ISP's RNS. If
something goes wrong, you can fall back to OpenDNS or L3, and, of
course, yell at the _company_you_are_paying_ when their stuff doesn't
work. :)
The best
In message 10be7b64-46ff-46d8-a428-268897413...@hopcount.ca, Joe Abley writes
:
On 2010-02-14, at 17:17, Mark Andrews wrote:
I don't care what internal routing tricks are used, they are still
under the *one* external route and as such subject to single points
of failure and as such don't
On Sun, Feb 14, 2010 at 02:41:51PM -0600, Lorell Hathcock wrote:
1 - AP network (need suggestion for cost effective gig-e switch)
2 to 4 - back haul ports
1 - internet port (on one out of every 4 towers or so) (and most likely
fiber instead of copper)
Does anyone have any
On Sun, Feb 14, 2010 at 2:17 PM, Mark Andrews ma...@isc.org wrote:
I don't care what internal routing tricks are used, they are still
under the *one* external route and as such subject to single points
of failure and as such don't have enough independence.
Where has Level 3 ever claimed that
On Feb 14, 2010, at 5:43 PM, Mark Andrews wrote:
In message 10be7b64-46ff-46d8-a428-268897413...@hopcount.ca, Joe Abley
writes
:
On 2010-02-14, at 17:17, Mark Andrews wrote:
I don't care what internal routing tricks are used, they are still
under the *one* external route and as such
On Sun, Feb 14, 2010 at 2:37 PM, Richard Golodner
rgolod...@infratection.com wrote:
Cisco tech support tells their customers (us) to use it when testing.
Perhaps this is not such a good practice.
No doubt because they are easier to remember than Cisco's own two
public DNS resolvers :
In message f1dedf9c1002141446p892aeacy74273f94d6e2a...@mail.gmail.com, Scott
Howard writes:
I'd also be interested in knowing where you consider the single
points of failure for their announcement of 4/8 is, but that's
probably for another thread...
You mean you have never seen traffic
Chuck Anderson wrote:
On Sun, Feb 14, 2010 at 02:41:51PM -0600, Lorell Hathcock wrote:
1 - AP network (need suggestion for cost effective gig-e switch)
2 to 4 - back haul ports
1 - internet port (on one out of every 4 towers or so) (and most likely
fiber instead of copper)
Does anyone
I'll add to what Johno writes. I worked on the anycast routing side to
the server side which he describes.
The 4.2.0.0/16 prefix was set aside by John Hawkinson in our reservation
system under the label Numerology since he had the wisdom to see that
the numbers in themselves could be valuable.
At the time I was involved it did have an SLA, and was considered critical
infrastructure for Genuitity customers. Once we started to deploy 4.2.2.1, we
gave customers time to swap over, but we started turning off our existing DNS
servers.
One reason we did it was that we kept having to
I thought I understood but from recent contexts here it is clear that I
do not.
I thought a resolver was code in your local machine that provide
hostname (FQDN?), given address; or address, given host name (with
assists to build FQDN).
And I thought a server was a separate program, might be on
On Feb 14, 2010, at 6:55 PM, John Orthoefer wrote:
At the time I was involved it did have an SLA, and was considered critical
infrastructure for Genuitity customers. Once we started to deploy 4.2.2.1,
we gave customers time to swap over, but we started turning off our existing
DNS
At Sun, 14 Feb 2010 18:02:48 -0600, Laurence F Sheldon, Jr wrote:
I thought I understood but from recent contexts here it is clear that I
do not.
I thought a resolver was code in your local machine that provide
hostname (FQDN?), given address; or address, given host name (with
assists to
A resolver is basically a client.
There's two types of resolvers - recursive resolvers (that look after
doing the full resolution themselves - starting at the root servers
and working down), and stub resolvers which are only smart enough
pass the entire request onto another server to handle.
On
On Feb 11, 2010, at 6:45 PM, James Hess wrote:
That said, XML makes a terrible data interchange format for
communications where humans are supposed to understand the message,
using standard software (such as a legacy e-mail client).
Exactly what we said when developing ARF.
--
J.D. Falk
On 2/14/2010 6:10 PM, Rob Austein wrote:
At Sun, 14 Feb 2010 18:02:48 -0600, Laurence F Sheldon, Jr wrote:
I thought I understood but from recent contexts here it is clear that I
do not.
I thought a resolver was code in your local machine that provide
hostname (FQDN?), given address; or
On 2/14/2010 6:21 PM, Scott Howard wrote:
A resolver is basically a client.
There's two types of resolvers - recursive resolvers (that look after
doing the full resolution themselves - starting at the root servers
and working down), and stub resolvers which are only smart enough
pass the
I have found the MRV OS906 (6 port 10/100/1000/SFP + Eth OBM) to be a
very cost effective and an extremely flexible device. It's a linux based
device with a router shell but all forwarding is done in hardware
(ASICs). It has a very flexible implementation of many L2 features (QnQ,
inner or outer
On Sun, Feb 14, 2010 at 5:19 PM, Larry Sheldon larryshel...@cox.net wrote:
It is possibly to run both Authoritative and Recursive server on the
same IP, but it's generally not recommended for many reasons (the most
simple being that of stale data if your server is no longer the
correct
The OS906 may be different than the OS912, but be warned that I had
major issues with OS912 relating to LDP and OSPF. Constant crashes of
both LDP and OSPF made the device totally unusable. We had to ship
all 20 back to them. It was really messy. This was about 6 months
ago, and their
On 2/14/2010 7:48 PM, Scott Howard wrote:
On Sun, Feb 14, 2010 at 5:19 PM, Larry Sheldon larryshel...@cox.net wrote:
It is possibly to run both Authoritative and Recursive server on the
same IP, but it's generally not recommended for many reasons (the most
simple being that of stale data if
I actually think the 912 is different then the 904 and 906, as I was
discouraged from buying the 912, and I REALLY wanted the extra ports.
That's not to say that the 904/906 doesn't have the same problems. I use
it for a router with a bunch of connected networks, DHCP relay, and BGP.
Other then
On Sun, 14 Feb 2010, Larry Sheldon wrote:
I understand that--but it the TTL is being managed correctly the server
answering authoritatively ought to stop doing so when the TTL runs out,
since it will not have had its authority renewed.
That's not how things work. If you configure bind to be
On Sun, Feb 14, 2010 at 7:55 PM, Larry Sheldon larryshel...@cox.net wrote:
I understand that--but it the TTL is being managed correctly the server
answering authoritatively ought to stop doing so when the TTL runs out,
since it will not have had its authority renewed.
The TTL can never run
On 2/14/2010 8:14 PM, Jon Lewis wrote:
The glue and all of that stuff won't expire at TTL=0?
No. Authoratative data on your server (a locally configured zone) doesn't
require glue.
I really should have scrapped that reply and started over--by the time I
got to this part I realized that
I run openvpn on my linux box to do exactly that.
i am in the midst of setting up some openvpn servers now, westin,
ashburn, tokyo, but westin first. having problems sorting in what
--outform it wants the bleeping certs.
randy
Not familiar with --outform argument. Will have to look into it.
Presume you are doing site to site/network to network? Or are you setting this
up for end users to terminate to?
I've done the latter many many times, but not net to net. Happy to provide docs
if you/nanog like.
I think that
end user to network
having probs with certs, i.e. what --outform it wants. not finding in
docs. tried raw, but now guessing pem. same for client and server
server
ca.crt
server.crt
server.key
client
ca.crt
client.crt
client.key
and i presume i have to dump all client.crt files
Randy Bush wrote:
end user to network
having probs with certs, i.e. what --outform it wants. not finding in
docs. tried raw, but now guessing pem. same for client and server
server
ca.crt
server.crt
server.key
client
ca.crt
client.crt
client.key
and i presume i have to dump
In message 6eb799ab1002141824s652c4f31od02cb750912a0...@mail.gmail.com, James
Hess writes:
Also, BIND implements the EXPIRE value in the SOA.
But other DNS server software applications widely ignore this value,
and the zone stays authoritative on all servers, no matter how much
time
Yes. Easy rsa is the way to go.
They are normal certs. Check the scripts if you want to roll your own openssl
wrapper scripts.
--Original Message--
From: Larry Brower
To: nanog@nanog.org
Subject: Re: dns interceptors
Sent: Feb 14, 2010 7:44 PM
Randy Bush wrote:
end user to network
On Sun, Feb 14, 2010 at 7:29 PM, Randy Bush ra...@psg.com wrote:
end user to network
having probs with certs, i.e. what --outform it wants. not finding in
docs. tried raw, but now guessing pem. same for client and server
Use the easy-rsa stuff and it will do all the hard work for you.
having probs with certs, i.e. what --outform it wants. not finding in
docs. tried raw, but now guessing pem. same for client and server
Use the easy-rsa stuff and it will do all the hard work for you.
http://openvpn.net/index.php/open-source/documentation/howto.html
we have a pki we know
having probs with certs, i.e. what --outform it wants.
They are just normal cert's
just normal certs can be text, pem, der, ...
randy
Randy Bush wrote:
just normal certs can be text, pem, der, ...
randy
Randy,
pem format.
Am 15.02.2010 um 04:29 schrieb Randy Bush:
and i presume i have to dump all client.crt files in the server's
../openvpn dir, but under what names? or does it just wantonly trust
anyone under that ca?
Any cert signed by that CA. Use --cclient-config-dir to limit which CNs are
acceptable,
63 matches
Mail list logo
