I see constant issues where I can't resolve PTR's in Europe. I see no
reason for this except that a bunch of servers are either dropping my
packets or are permanently f**ked... any other clues gratefully accepted.
miche...@enigma:~/dultools$ dig +trace -x 213.219.184.23
; DiG 9.3.3 +trace -x
On Mon, Feb 15, 2010 at 10:22:17AM +0100,
Michelle Sullivan matt...@sorbs.net wrote
a message of 185 lines which said:
213.in-addr.arpa. 86400 IN NS NS-PRI.RIPE.NET.
213.in-addr.arpa. 86400 IN NS NS3.NIC.FR.
213.in-addr.arpa. 86400 IN NS
Stephane Bortzmeyer wrote:
On Mon, Feb 15, 2010 at 10:22:17AM +0100,
Michelle Sullivan matt...@sorbs.net wrote
a message of 185 lines which said:
213.in-addr.arpa. 86400 IN NS NS-PRI.RIPE.NET.
213.in-addr.arpa. 86400 IN NS NS3.NIC.FR.
-Original Message-
From: Stephane Bortzmeyer [mailto:bortzme...@nic.fr]
Sent: Monday, February 15, 2010 12:58 PM
To: Michelle Sullivan
Cc: NANOG list
Subject: Re: in-addr.arpa server problems for europe?
On Mon, Feb 15, 2010 at 10:22:17AM +0100,
Michelle Sullivan
Michelle Sullivan wrote:
Stephane Bortzmeyer wrote:
On Mon, Feb 15, 2010 at 10:22:17AM +0100,
Michelle Sullivan miche...@sorbs.net wrote
a message of 185 lines which said:
213.in-addr.arpa. 86400 IN NS NS-PRI.RIPE.NET.
213.in-addr.arpa. 86400 IN
On Mon, Feb 15, 2010 at 01:40:31PM +0100, Michelle Sullivan wrote:
Michelle Sullivan wrote:
miche...@enigma:~$ dig +trace +bufsize=512 -x 81.255.164.225
miche...@enigma:~$ dig +bufsize=4096 -x 81.255.164.225 @NS3.NIC.FR
Curious, why did you modify 'bufsize' ?
-Alex
On Mon, Feb 15, 2010 at 01:40:31PM +0100,
Michelle Sullivan matt...@sorbs.net wrote
a message of 298 lines which said:
miche...@enigma:~$ dig +bufsize=4096 -x 81.255.164.225 @NS3.NIC.FR
Bad test: the response is too small to exercise real size
problems. Try adding +dnssec to the dig
On Mon, Feb 15, 2010 at 08:30:43PM +0800,
Wilkinson, Alex alex.wilkin...@dsto.defence.gov.au wrote
a message of 14 lines which said:
Curious, why did you modify 'bufsize' ?
To test response size issues, probably. Broken middleboxes are the
scourge of the Internet.
On Mon, Feb 15, 2010 at 01:12:55PM +0100,
Mark Scholten m...@streamservice.nl wrote
a message of 36 lines which said:
Solution: stop using DNSSEC or checking for DNSSEC.
In 2010, it is a bit backward...
Wilkinson, Alex wrote:
On Mon, Feb 15, 2010 at 01:40:31PM +0100, Michelle Sullivan wrote:
Michelle Sullivan wrote:
miche...@enigma:~$ dig +trace +bufsize=512 -x 81.255.164.225
miche...@enigma:~$ dig +bufsize=4096 -x 81.255.164.225 @NS3.NIC.FR
Curious, why did you modify
-Original Message-
From: Stephane Bortzmeyer [mailto:bortzme...@nic.fr]
Sent: Monday, February 15, 2010 2:01 PM
To: Mark Scholten
Cc: nanog@nanog.org
Subject: Re: in-addr.arpa server problems for europe?
On Mon, Feb 15, 2010 at 01:12:55PM +0100,
Mark Scholten
Stephane Bortzmeyer wrote:
On Mon, Feb 15, 2010 at 01:40:31PM +0100,
Michelle Sullivan matt...@sorbs.net wrote
a message of 298 lines which said:
miche...@enigma:~$ dig +bufsize=4096 -x 81.255.164.225 @NS3.NIC.FR
Bad test: the response is too small to exercise real size
On Fri, Feb 12, 2010 at 08:16:56AM +1100, Mark Andrews wrote:
If you can't get native IPv6 then use a tunneled service like
Hurricane Electric's (HE.NET). It is qualitatively better than
6to4 as it doesn't require random nodes on the net to be performing
translation services for you which
On 2/15/2010 7:00 AM, Stephane Bortzmeyer wrote:
If you have received this email in error, you are requested to
contact the sender and delete the email.
Done. I also erased the hard disk and reinstalled the OS.
Given that many Network Operator managers require that that crap be
appended to
I like Ben Goldacre's take on stupid email disclaimers:
READ CAREFULLY. By reading this email, you agree, on behalf of your
employer, to release me from all obligations and waivers arising from any
and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap,
clickwrap, browsewrap,
On Mon, 15 Feb 2010, Mark Scholten wrote:
I've seen problems that are only there because of DNSSEC, so if there is a
problem starting with trying to disable DNSSEC could be a good idea. As long
as not all rootzones are signed I don't see a good reason to use DNSSEC at
the moment.
You realise
Larry Sheldon wrote:
On 2/15/2010 7:00 AM, Stephane Bortzmeyer wrote:
If you have received this email in error, you are requested to
contact the sender and delete the email.
Done. I also erased the hard disk and reinstalled the OS.
Given that many Network Operator managers
On Mon, Feb 15, 2010 at 12:51 PM, JC Dill jcdill.li...@gmail.com wrote:
Larry Sheldon wrote:
IMHO, if your organization appends crap to your outbound messages then you
should maintain a separate crap-free email account for your personal email
or... we could all be adults and just forget these
On 2/15/10 9:21 AM, Tony Finch wrote:
On Mon, 15 Feb 2010, Mark Scholten wrote:
I've seen problems that are only there because of DNSSEC, so if there is a
problem starting with trying to disable DNSSEC could be a good idea. As long
as not all rootzones are signed I don't see a good reason to
-Original Message-
From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony
Finch
Sent: Monday, February 15, 2010 6:21 PM
To: Mark Scholten
Cc: nanog@nanog.org
Subject: RE: in-addr.arpa server problems for europe?
On Mon, 15 Feb 2010, Mark Scholten wrote:
I've
On Feb 15, 2010, at 1:01 PM, Seth Mattinen wrote:
On 2/15/10 9:21 AM, Tony Finch wrote:
On Mon, 15 Feb 2010, Mark Scholten wrote:
I've seen problems that are only there because of DNSSEC, so if there is a
problem starting with trying to disable DNSSEC could be a good idea. As long
as not
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
All,
How are folks verifying DNSSEC readiness of their environments? Any
existing testing methodologies / resources that folks are using?
It seems like this is something that will become a front and center
issue for help desks everywhere pretty
On Sun, 14 Feb 2010 18:59:56 EST, Steven Bellovin said:
Yes -- and as a reward for your expertise, you get to explain the
problem with a transparent DNS proxy to the judge. For bonus points,
explain it to a jury
The transparent DNS proxies aren't the problem. It's the translucent ones
On Mon, 15 Feb 2010, Charles N Wyble wrote:
How are folks verifying DNSSEC readiness of their environments? Any
existing testing methodologies / resources that folks are using?
Here's my summary of the situation (as of a couple of months ago) with
links to a few key resources:
* Stephane Bortzmeyer:
It is highly improbable that all these name servers are unreachable
from you. Therefore, I suspect that *content* is the issue. RIPE-NCC
zones are signed with DNSSEC. Are you sure you do not have a broken
middlebox which deletes DNSSEC-signed answers?
Ahem. dig's
* Charles N. Wyble:
How are folks verifying DNSSEC readiness of their environments? Any
existing testing methodologies / resources that folks are using?
For now, running (with a real resolver address instead of 192.0.2.1)
dig @192.0.2.1 $RANDOM. +dnssec
and checking if a certain percentage
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Tony Finch wrote:
On Mon, 15 Feb 2010, Charles N Wyble wrote:
How are folks verifying DNSSEC readiness of their environments? Any
existing testing methodologies / resources that folks are using?
Here's my summary of the situation (as of a couple
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Florian Weimer wrote:
* Charles N. Wyble:
It seems like this is something that will become a front and center
issue for help desks everywhere pretty quick. :)
Why do you think so? Would you even notice if your webmail provider
switches to
* Igor Ybema:
We know we should push our provider to support native IPv6, and we do.
But this should not stop us using IPv6 6to4.
You should complain to the DENIC member you use, or perhaps the DENIC
ops team. Perhaps it's a simple mistake. NANOG isn't the right forum
for this.
On 2/15/2010 1:19 PM, JC Dill wrote:
I don't see the point you are trying to make in this discussion.
I can see that. I don't have a clue bat big enough for the task.
Are
you saying
Troll skat.
I'm out.
--
Government big enough to supply everything you need is big enough to
take
* Charles N. Wyble:
However they will certainly start complaining when DNS stops working. Of
course they won't know that's what the issue is, but they will call
saying the internet is down.
Okay, then the first way I mentioned for checking should be
sufficient. Well, perhaps make it
dig
Charles N Wyble wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
All,
How are folks verifying DNSSEC readiness of their environments? Any
existing testing methodologies / resources that folks are using?
It seems like this is something that will become a front and center
issue for help
FWIW - .se did some consumer research during their
DNSSec launch. I believe there will be a new study.
Tests of Consumer Broadband Routers in Sweden (DNSSEC)
in 2008:
http://www.iis.se/docs/Routertester_en.pdf
Seriously, who puts recursive DNS resolvers behind consumer broadband
routers? 8-)
.
Here's an example. We have several pages worth of this.
20100215|15:17:58|1266268678678|164.128.32.11|3303|ORIGIN_CHANGE|95.79.192/19|34533|16387
20100215|15:18:58|1266268738707|164.128.32.11|3303|BGPMON_PATH
On 16/02/2010, at 5:03 AM, Tim Chown wrote:
On Fri, Feb 12, 2010 at 08:16:56AM +1100, Mark Andrews wrote:
If you can't get native IPv6 then use a tunneled service like
Hurricane Electric's (HE.NET). It is qualitatively better than
6to4 as it doesn't require random nodes on the net to be
On Mon, Feb 15, 2010 at 5:32 PM, Ernest Andrew McCracken (emccrckn)
emccr...@memphis.edu wrote:
Has anyone seen the strange activity from AS16387? Did they leak their
entire table? Our route collectors are showing AS16387 originating large
numbers of prefixes. It looks like we caught the
In message 87iq9ys512@mid.deneb.enyo.de, Florian Weimer writes:
* Stephane Bortzmeyer:
It is highly improbable that all these name servers are unreachable
from you. Therefore, I suspect that *content* is the issue. RIPE-NCC
zones are signed with DNSSEC. Are you sure you do not have a
There are other ASN changes as well as from other peers. Here are some just a
few minutes old.
Date|Time|timestamp|Peer IP|Peer ASN|Event Description|Prefix|old AS|new AS
20100215|17:11:13|1266275473183|164.128.32.11|3303|ORIGIN_CHANGE|192.156.97/24|5651|16387
20100215|17:11:13|1266275473309
In message 201002152312.o1fncfq8098...@drugs.dv.isc.org, Mark Andrews writes:
In message 87iq9ys512@mid.deneb.enyo.de, Florian Weimer writes:
* Stephane Bortzmeyer:
It is highly improbable that all these name servers are unreachable
from you. Therefore, I suspect that *content*
In message 017901caae69$5d9e8770$18db96...@nl, Mark Scholten writes:
-Original Message-
From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony
Finch
Sent: Monday, February 15, 2010 6:21 PM
To: Mark Scholten
Cc: nanog@nanog.org
Subject: RE: in-addr.arpa server
In message 4b798f1e.6080...@knownelement.com, Charles N Wyble writes:
All,
How are folks verifying DNSSEC readiness of their environments? Any
existing testing methodologies / resources that folks are using?
It seems like this is something that will become a front and center
issue for
-Original Message-
From: ma...@isc.org [mailto:ma...@isc.org]
Sent: Tuesday, February 16, 2010 12:37 AM
To: Mark Scholten
Cc: 'Tony Finch'; nanog@nanog.org
Subject: Re: in-addr.arpa server problems for europe?
In message 017901caae69$5d9e8770$18db96...@nl, Mark Scholten
On Mon, Feb 15, 2010 at 6:13 PM, Ernest Andrew McCracken (emccrckn)
emccr...@memphis.edu wrote:
There are other ASN changes as well as from other peers. Here are some just a
few minutes old.
Date|Time|timestamp|Peer IP|Peer ASN|Event Description|Prefix|old AS|new AS
20100215|17:11:13
|timestamp|Peer IP|Peer ASN|Event Description|Prefix|old AS|new AS
20100215|17:11:13|1266275473183|164.128.32.11|3303|ORIGIN_CHANGE|192.156.97/24|5651|16387
don't know what to tell ya... I only see 2 routes from 16387 in
routeviews or other places I can view routing info :( This isn't some
off-by-one
In message 01c201caaead$b115eda0$1341c8...@nl, Mark Scholten writes:
-Original Message-
From: ma...@isc.org [mailto:ma...@isc.org]
Sent: Tuesday, February 16, 2010 12:37 AM
To: Mark Scholten
Cc: 'Tony Finch'; nanog@nanog.org
Subject: Re: in-addr.arpa server problems for
I don't know if it's material as most DNS stuff is over my head, but
Geoff Houston has written about the in-addr.arpa situation in the most
recent edition of his Internet Society ISP Column
http://isoc.org/wp/ispcolumn/?p=246
--
---
On 16/02/2010, at 7:34 PM, Mikael Abrahamsson wrote:
On Tue, 16 Feb 2010, Nathan Ward wrote:
You are very unlikely to get traffic from Teredo, because:
1) Windows only asks for if it has non-Teredo IPv6 connectivity
Please don't just say windows as the different versions of windows
On Tue, 16 Feb 2010, Nathan Ward wrote:
XP won't ask for unless it has non-Teredo connectivity though I don't
think.
That doesn't compute considering all the XP machines with Teredo addresses
that asked for my only content.
On 16/02/2010, at 7:47 PM, Mikael Abrahamsson wrote:
On Tue, 16 Feb 2010, Nathan Ward wrote:
XP won't ask for unless it has non-Teredo connectivity though I don't
think.
That doesn't compute considering all the XP machines with Teredo addresses
that asked for my only content.
On Tue, 16 Feb 2010, Nathan Ward wrote:
Perhaps they have Teredo and 6to4, and could not reach you via 6to4 so
instead used Teredo, or, any number of scenarios.
I think their only IPv6 connectivity was Teredo (for instance, they're
behind NAT), and thus they used it to get the IPv6 only
Mark Andrews wrote:
In message 87iq9ys512@mid.deneb.enyo.de, Florian Weimer writes:
* Stephane Bortzmeyer:
It is highly improbable that all these name servers are unreachable
from you. Therefore, I suspect that *content* is the issue. RIPE-NCC
zones are signed with DNSSEC. Are
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mark Andrews wrote:
In message 4b798f1e.6080...@knownelement.com, Charles N Wyble writes:
All,
How are folks verifying DNSSEC readiness of their environments? Any
existing testing methodologies / resources that folks are using?
It seems like