History of 4.2.2.2. What's the story?

2010-02-14 Thread Sean Reifschneider
I've wondered about this for years, but only this evening did I start searching for details. And I really couldn't find any. Can anyone point me at distant history about how 4.2.2.2 came to be, in my estimation, the most famous DNS server on the planet? I know that it was originally at BBN,

Re: ATT Mind Boggles...

2010-02-14 Thread Fearghas McKay
On 14 Feb 2010, at 01:16, goe...@anime.net wrote: This is a bit more accessible, and free: http://www.hulu.com/watch/4163/saturday-night-live-ernestine Not if you are outside of the USA as the OP is... f

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Steve Ryan
I think around 10 years ago Slashdot had a few stories (and still do, actually) about how great these resolvers were. I think that propelled quite a bit of their growth and popularity. On 2/14/2010 1:16 AM, Sean Reifschneider wrote: I've wondered about this for years, but only this evening

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread John Orthoefer
Since I'm watching B5 again on DVD I was there at the dawning of the age of 4.2.2.1 :) We did it, and by we I mean Brett McCoy and myself. But most of the credit/blame goes to Brett... I helped him, but at the time I was mostly working on getting our Mail relays working right. This

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Joe Provo
On Sun, Feb 14, 2010 at 02:16:30AM -0700, Sean Reifschneider wrote: I've wondered about this for years, but only this evening did I start searching for details. And I really couldn't find any. Can anyone point me at distant history about how 4.2.2.2 came to be, in my estimation, the most

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread John Levine
It was always pretty robust due to the BIND code, thanks to ISC, and the fact it was always IPV4 AnyCast. $ asp 4.2.2.2 # look it up in routeviews 4.0.0.0/9 ASN 3356, path 3549 - 3356 Wow, that's a heck of an anycast block. R's, John

Re: dns interceptors

2010-02-14 Thread Jason Frisvold
On Feb 13, 2010, at 4:58 PM, Randy Bush wrote: i am often on funky networks in funky places. e.g. the wireless in changi really sucked friday night. if i ssh tunneled, it would multiply the suckiness as tcp would have puked at the loss rate. You can always run your own local resolver... Or

Re: dns interceptors

2010-02-14 Thread Patrick W. Gilmore
On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote: On Feb 13, 2010, at 4:58 PM, Randy Bush wrote: i am often on funky networks in funky places. e.g. the wireless in changi really sucked friday night. if i ssh tunneled, it would multiply the suckiness as tcp would have puked at the loss

Re: dns interceptors

2010-02-14 Thread Jason Frisvold
On Feb 14, 2010, at 12:42 PM, Patrick W. Gilmore wrote: How does that help? It still sends port 53 requests to the authorities, which will be intercepted. Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the problem the local resolvers? Well, in either case, another

Re: dns interceptors

2010-02-14 Thread Larry Sheldon
On 2/14/2010 11:42 AM, Patrick W. Gilmore wrote: On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote: On Feb 13, 2010, at 4:58 PM, Randy Bush wrote: i am often on funky networks in funky places. e.g. the wireless in changi really sucked friday night. if i ssh tunneled, it would multiply the

Re: dns interceptors

2010-02-14 Thread Patrick W. Gilmore
On Feb 14, 2010, at 12:53 PM, Jason Frisvold wrote: On Feb 14, 2010, at 12:42 PM, Patrick W. Gilmore wrote: How does that help? It still sends port 53 requests to the authorities, which will be intercepted. Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the

Re: dns interceptors

2010-02-14 Thread charles
I run openvpn on my linux box to do exactly that. Already running apache/bind/postfix/xmpp with legacy IM bridges so adding openvpn was a logical next step. #protip run it on port 443. :) makes it much easier to get around firewalls. Even with deep packet inspection, SSL traffic is expected

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread John Palmer (NANOG Acct)
4.2.2.2 is stunted just like any other resolvers that use only the USG root. A more useful resolver is ASLAN [199.5.157.128] which is an inclusive namespace resolver which shows users a complete map of the internet, not just what ICANN wants them to see. - Original Message - From: Steve

Re: dns interceptors

2010-02-14 Thread Bill Weiss
Larry Sheldon(larryshel...@cox.net)@Sun, Feb 14, 2010 at 11:54:25AM -0600: On 2/14/2010 11:42 AM, Patrick W. Gilmore wrote: On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote: On Feb 13, 2010, at 4:58 PM, Randy Bush wrote: i am often on funky networks in funky places. e.g. the wireless in

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Joachim Tingvold
On 14. feb. 2010, at 19.43, John Palmer (NANOG Acct) wrote: 4.2.2.2 is stunted just like any other resolvers that use only the USG root. A more useful resolver is ASLAN [199.5.157.128] which is an inclusive namespace resolver which shows users a complete map of the internet, not just what

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Brielle Bruns
On 2/14/10 11:43 AM, John Palmer (NANOG Acct) wrote: 4.2.2.2 is stunted just like any other resolvers that use only the USG root. A more useful resolver is ASLAN [199.5.157.128] which is an inclusive namespace resolver which shows users a complete map of the internet, not just what ICANN wants

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Stephane Bortzmeyer
On Sun, Feb 14, 2010 at 12:43:12PM -0600, John Palmer (NANOG Acct) nan...@adns.net wrote a message of 42 lines which said: A more useful resolver is ASLAN [199.5.157.128] which is an inclusive namespace resolver which shows users a complete map of the internet, There are many crooks which

Recommendations for router with routed copper gig-e ports?

2010-02-14 Thread Lorell Hathcock
All: I'm involved in a project where we are cutting over a WISP from being a single broadcast domain into the grownup real world of routing between tower nodes. Of course the equipment is all Mikrotik and the single broadcast domain was easy to implement, so that's why it was done this way.

Re: dns interceptors

2010-02-14 Thread John Levine
Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the problem the local resolvers? Both, probably. Hotel networks often intercept all port 53 traffic not out of malice, but so that they won't get support calls from people whose PCs have poorly configured DNS often pointing

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Florian Weimer
* John Levine: It was always pretty robust due to the BIND code, thanks to ISC, and the fact it was always IPV4 AnyCast. $ asp 4.2.2.2 # look it up in routeviews 4.0.0.0/9 ASN 3356, path 3549 - 3356 Wow, that's a heck of an anycast block. You can do anycast with your IGP, too. 8-)

Re: Recommendations for router with routed copper gig-e ports?

2010-02-14 Thread Shon Elliott
We use Cisco WS-3560G-24-PS-S (Catalyst 3560G's with POE Ports). Provides POE on each port too to eliminate having to use POE bricks to radios. We actually give each AP its own group. It's better to break them all up rather than keep them in their own broadcast domain, because from subscriber to

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Sean Reifschneider
On 02/14/2010 07:41 AM, Joe Provo wrote: I don't think anyone else can help you determine your estimation... Sorry, I was being kind of flippant and paying homage to the Peggy Hill character in _King_of_the_Hill_. That is a question for folks at L3. Any publicly-sharable data might be

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Sean Reifschneider
On 02/14/2010 07:16 AM, John Orthoefer wrote: Since I'm watching B5 again on DVD Awesome. Thanks for taking the time to reply, I really enjoyed the story. Have fun with the B5. The only time I watched it was on a VHS borrowed from a friend. It was a 3'x3' cabinet full of them. :-) Sean

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Scott Howard
On Sun, Feb 14, 2010 at 1:19 PM, Sean Reifschneider j...@tummy.com wrote: Why conjecture?  Examining the /32s from inside and outside of 3356 I said conjecture because every person I found in my searches said things like I think it might be anycasted or they could be using anycast. Until this

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Mark Andrews
In message 182e6e76-f12a-41d9-800a-e5e40f3c3...@direwolf.com, John Orthoefer writes: Genuity/GTEI/Planet/BBN owned 4/8. Brett went looking for an IP that was simple to remember, I think 4.4.4.4 was in use by neteng already. But it was picked to be easy to remember, I think jhawk had put

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Patrick W. Gilmore
On Feb 14, 2010, at 5:17 PM, Mark Andrews wrote: In message 182e6e76-f12a-41d9-800a-e5e40f3c3...@direwolf.com, John Orthoefer writes: Genuity/GTEI/Planet/BBN owned 4/8. Brett went looking for an IP that was simple to remember, I think 4.4.4.4 was in use by neteng already. But it was

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Joe Abley
On 2010-02-14, at 17:17, Mark Andrews wrote: I don't care what internal routing tricks are used, they are still under the *one* external route and as such subject to single points of failure and as such don't have enough independence. Are you asserting architectural control over what Level3

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Richard Golodner
On Sun, 2010-02-14 at 17:20 -0500, Patrick W. Gilmore wrote: Besides, it is quicker / better to use your local ISP's RNS. If something goes wrong, you can fall back to OpenDNS or L3, and, of course, yell at the _company_you_are_paying_ when their stuff doesn't work. :) The best

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Mark Andrews
In message 10be7b64-46ff-46d8-a428-268897413...@hopcount.ca, Joe Abley writes : On 2010-02-14, at 17:17, Mark Andrews wrote: I don't care what internal routing tricks are used, they are still under the *one* external route and as such subject to single points of failure and as such don't

Re: Recommendations for router with routed copper gig-e ports?

2010-02-14 Thread Chuck Anderson
On Sun, Feb 14, 2010 at 02:41:51PM -0600, Lorell Hathcock wrote: 1 - AP network (need suggestion for cost effective gig-e switch) 2 to 4 - back haul ports 1 - internet port (on one out of every 4 towers or so) (and most likely fiber instead of copper) Does anyone have any

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Scott Howard
On Sun, Feb 14, 2010 at 2:17 PM, Mark Andrews ma...@isc.org wrote: I don't care what internal routing tricks are used, they are still under the *one* external route and as such subject to single points of failure and as such don't have enough independence. Where has Level 3 ever claimed that

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Patrick W. Gilmore
On Feb 14, 2010, at 5:43 PM, Mark Andrews wrote: In message 10be7b64-46ff-46d8-a428-268897413...@hopcount.ca, Joe Abley writes : On 2010-02-14, at 17:17, Mark Andrews wrote: I don't care what internal routing tricks are used, they are still under the *one* external route and as such

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Scott Howard
On Sun, Feb 14, 2010 at 2:37 PM, Richard Golodner rgolod...@infratection.com wrote: Cisco tech support tells their customers (us) to use it when testing. Perhaps this is not such a good practice. No doubt because they are easier to remember than Cisco's own two public DNS resolvers :

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Mark Andrews
In message f1dedf9c1002141446p892aeacy74273f94d6e2a...@mail.gmail.com, Scott Howard writes: I'd also be interested in knowing where you consider the single points of failure for their announcement of 4/8 is, but that's probably for another thread... You mean you have never seen traffic

Re: Recommendations for router with routed copper gig-e ports?

2010-02-14 Thread Bret Clark
Chuck Anderson wrote: On Sun, Feb 14, 2010 at 02:41:51PM -0600, Lorell Hathcock wrote: 1 - AP network (need suggestion for cost effective gig-e switch) 2 to 4 - back haul ports 1 - internet port (on one out of every 4 towers or so) (and most likely fiber instead of copper) Does anyone

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Tony Tauber
I'll add to what Johno writes. I worked on the anycast routing side to the server side which he describes. The 4.2.0.0/16 prefix was set aside by John Hawkinson in our reservation system under the label Numerology since he had the wisdom to see that the numbers in themselves could be valuable.

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread John Orthoefer
At the time I was involved it did have an SLA, and was considered critical infrastructure for Genuity customers. Once we started to deploy 4.2.2.1, we gave customers time to swap over, but we started turning off our existing DNS servers. One reason we did it was that we kept having to

Time out for a terminology check--resolver vs server.

2010-02-14 Thread Larry Sheldon
I thought I understood but from recent contexts here it is clear that I do not. I thought a resolver was code in your local machine that provide hostname (FQDN?), given address; or address, given host name (with assists to build FQDN). And I thought a server was a separate program, might be on

Re: History of 4.2.2.2. What's the story?

2010-02-14 Thread Patrick W. Gilmore
On Feb 14, 2010, at 6:55 PM, John Orthoefer wrote: At the time I was involved it did have an SLA, and was considered critical infrastructure for Genuity customers. Once we started to deploy 4.2.2.1, we gave customers time to swap over, but we started turning off our existing DNS

Re: Time out for a terminology check--resolver vs server.

2010-02-14 Thread Rob Austein
At Sun, 14 Feb 2010 18:02:48 -0600, Laurence F Sheldon, Jr wrote: I thought I understood but from recent contexts here it is clear that I do not. I thought a resolver was code in your local machine that provide hostname (FQDN?), given address; or address, given host name (with assists to

Re: Time out for a terminology check--resolver vs server.

2010-02-14 Thread Scott Howard
A resolver is basically a client. There's two types of resolvers - recursive resolvers (that look after doing the full resolution themselves - starting at the root servers and working down), and stub resolvers which are only smart enough to pass the entire request onto another server to handle. On

abuse reporting (was Re: Yahoo abuse)

2010-02-14 Thread J.D. Falk
On Feb 11, 2010, at 6:45 PM, James Hess wrote: That said, XML makes a terrible data interchange format for communications where humans are supposed to understand the message, using standard software (such as a legacy e-mail client). Exactly what we said when developing ARF. -- J.D. Falk

Re: Time out for a terminology check--resolver vs server.

2010-02-14 Thread Larry Sheldon
On 2/14/2010 6:10 PM, Rob Austein wrote: At Sun, 14 Feb 2010 18:02:48 -0600, Laurence F Sheldon, Jr wrote: I thought I understood but from recent contexts here it is clear that I do not. I thought a resolver was code in your local machine that provide hostname (FQDN?), given address; or

Re: Time out for a terminology check--resolver vs server.

2010-02-14 Thread Larry Sheldon
On 2/14/2010 6:21 PM, Scott Howard wrote: A resolver is basically a client. There's two types of resolvers - recursive resolvers (that look after doing the full resolution themselves - starting at the root servers and working down), and stub resolvers which are only smart enough to pass the

RE: Recommendations for router with routed copper gig-e ports?

2010-02-14 Thread Eric Morin
I have found the MRV OS906 (6 port 10/100/1000/SFP + Eth OBM) to be a very cost effective and an extremely flexible device. It's a linux based device with a router shell but all forwarding is done in hardware (ASICs). It has a very flexible implementation of many L2 features (QnQ, inner or outer

Re: Time out for a terminology check--resolver vs server.

2010-02-14 Thread Scott Howard
On Sun, Feb 14, 2010 at 5:19 PM, Larry Sheldon larryshel...@cox.net wrote: It is possible to run both Authoritative and Recursive server on the same IP, but it's generally not recommended for many reasons (the most simple being that of stale data if your server is no longer the correct

Re: Recommendations for router with routed copper gig-e ports?

2010-02-14 Thread Jason Lixfeld
The OS906 may be different than the OS912, but be warned that I had major issues with OS912 relating to LDP and OSPF. Constant crashes of both LDP and OSPF made the device totally unusable. We had to ship all 20 back to them. It was really messy. This was about 6 months ago, and their

Re: Time out for a terminology check--resolver vs server.

2010-02-14 Thread Larry Sheldon
On 2/14/2010 7:48 PM, Scott Howard wrote: On Sun, Feb 14, 2010 at 5:19 PM, Larry Sheldon larryshel...@cox.net wrote: It is possible to run both Authoritative and Recursive server on the same IP, but it's generally not recommended for many reasons (the most simple being that of stale data if

RE: Recommendations for router with routed copper gig-e ports?

2010-02-14 Thread Eric Morin
I actually think the 912 is different than the 904 and 906, as I was discouraged from buying the 912, and I REALLY wanted the extra ports. That's not to say that the 904/906 doesn't have the same problems. I use it for a router with a bunch of connected networks, DHCP relay, and BGP. Other than

Re: Time out for a terminology check--resolver vs server.

2010-02-14 Thread Jon Lewis
On Sun, 14 Feb 2010, Larry Sheldon wrote: I understand that--but if the TTL is being managed correctly the server answering authoritatively ought to stop doing so when the TTL runs out, since it will not have had its authority renewed. That's not how things work. If you configure bind to be

Re: Time out for a terminology check--resolver vs server.

2010-02-14 Thread James Hess
On Sun, Feb 14, 2010 at 7:55 PM, Larry Sheldon larryshel...@cox.net wrote: I understand that--but if the TTL is being managed correctly the server answering authoritatively ought to stop doing so when the TTL runs out, since it will not have had its authority renewed. The TTL can never run

Re: Time out for a terminology check--resolver vs server.

2010-02-14 Thread Larry Sheldon
On 2/14/2010 8:14 PM, Jon Lewis wrote: The glue and all of that stuff won't expire at TTL=0? No. Authoritative data on your server (a locally configured zone) doesn't require glue. I really should have scrapped that reply and started over--by the time I got to this part I realized that

Re: dns interceptors

2010-02-14 Thread Randy Bush
I run openvpn on my linux box to do exactly that. i am in the midst of setting up some openvpn servers now, westin, ashburn, tokyo, but westin first. having problems sorting in what --outform it wants the bleeping certs. randy

Re: dns interceptors

2010-02-14 Thread charles
Not familiar with --outform argument. Will have to look into it. Presume you are doing site to site/network to network? Or are you setting this up for end users to terminate to? I've done the latter many many times, but not net to net. Happy to provide docs if you/nanog like. I think that

Re: dns interceptors

2010-02-14 Thread Randy Bush
end user to network having probs with certs, i.e. what --outform it wants. not finding in docs. tried raw, but now guessing pem. same for client and server server ca.crt server.crt server.key client ca.crt client.crt client.key and i presume i have to dump all client.crt files

Re: dns interceptors

2010-02-14 Thread Larry Brower
Randy Bush wrote: end user to network having probs with certs, i.e. what --outform it wants. not finding in docs. tried raw, but now guessing pem. same for client and server server ca.crt server.crt server.key client ca.crt client.crt client.key and i presume i have to dump

Re: Time out for a terminology check--resolver vs server.

2010-02-14 Thread Mark Andrews
In message 6eb799ab1002141824s652c4f31od02cb750912a0...@mail.gmail.com, James Hess writes: Also, BIND implements the EXPIRE value in the SOA. But other DNS server software applications widely ignore this value, and the zone stays authoritative on all servers, no matter how much time

Re: dns interceptors

2010-02-14 Thread charles
Yes. Easy rsa is the way to go. They are normal certs. Check the scripts if you want to roll your own openssl wrapper scripts. --Original Message-- From: Larry Brower To: nanog@nanog.org Subject: Re: dns interceptors Sent: Feb 14, 2010 7:44 PM Randy Bush wrote: end user to network

Re: dns interceptors

2010-02-14 Thread Scott Howard
On Sun, Feb 14, 2010 at 7:29 PM, Randy Bush ra...@psg.com wrote: end user to network having probs with certs, i.e. what --outform it wants. not finding in docs. tried raw, but now guessing pem. same for client and server Use the easy-rsa stuff and it will do all the hard work for you.

Re: dns interceptors

2010-02-14 Thread Randy Bush
having probs with certs, i.e. what --outform it wants. not finding in docs. tried raw, but now guessing pem. same for client and server Use the easy-rsa stuff and it will do all the hard work for you. http://openvpn.net/index.php/open-source/documentation/howto.html we have a pki we know

Re: dns interceptors

2010-02-14 Thread Randy Bush
having probs with certs, i.e. what --outform it wants. They are just normal cert's just normal certs can be text, pem, der, ... randy

Re: dns interceptors

2010-02-14 Thread Larry Brower
Randy Bush wrote: just normal certs can be text, pem, der, ... randy Randy, pem format.

Re: dns interceptors

2010-02-14 Thread Stefan Bethke
On 15.02.2010 at 04:29, Randy Bush wrote: and i presume i have to dump all client.crt files in the server's ../openvpn dir, but under what names? or does it just wantonly trust anyone under that ca? Any cert signed by that CA. Use --client-config-dir to limit which CNs are acceptable,