Re: rpki vs. secure dns?

2012-04-29 Thread Stephane Bortzmeyer
On Sun, Apr 29, 2012 at 11:28:58AM -0400, Jennifer Rexford wrote a message of 37 lines which said: > How does this interact with the presence of certificates for > supernets, though? That is, suppose an ISP creates a legitimate ROA > for 12.0.0.0/8, after ensuring that all of its customers ha

Re: rpki vs. secure dns?

2012-04-30 Thread Stephane Bortzmeyer
On Mon, Apr 30, 2012 at 09:41:51AM -0400, Russ White wrote a message of 60 lines which said: > Neither a DNS based solution nor the RPKI will resolve path attacks, I want to be sure of the terminology: what is deployed presently is the bundle RPKI+ROA. As their name says, ROA can only be used

Re: Vixie warns: DNS Changer ‘blackouts’ inevitable

2012-05-23 Thread Stephane Bortzmeyer
On Wed, May 23, 2012 at 03:10:38PM +0300, Frank Habicht wrote a message of 13 lines which said: > Is there anywhere a page where one can type an ASN or a CIDR block > and then the whois contacts get a list of IPs that still contact the > unintended servers? See

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Stephane Bortzmeyer
On Tue, May 29, 2012 at 12:21:10AM +0530, Anurag Bhatia wrote a message of 28 lines which said: > I know few registry/registrars which do not accept both (or all) > name servers of domain name on same subnet. Since my employer is one of these registries, let me mention that I fully agree with

Re: rpki vs. secure dns?

2012-05-29 Thread Stephane Bortzmeyer
On Mon, May 28, 2012 at 10:01:59PM +, paul vixie wrote a message of 37 lines which said: > i can tell more than that. rover is a system that only works at all > when everything everywhere is working well, and when changes always > come in perfect time-order, Exactly like DNSSEC. So, DNSSE

Re: rpki vs. secure dns?

2012-05-29 Thread Stephane Bortzmeyer
On Mon, May 28, 2012 at 08:59:28PM +, Paul Vixie wrote a message of 43 lines which said: > ROVER expects that we will query for policy at the instant of > need. that's nuts for a lot of reasons, one of which is its > potentially and unmanageably circular dependency on the acceptance > of a

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-29 Thread Stephane Bortzmeyer
On Mon, May 28, 2012 at 06:56:29PM -0500, Brett Frankenberger wrote a message of 15 lines which said: > How does your employer know if two nameservers (two IP addresses) are > on the same subnet? The current heuristic for IPv4 is "belongs in the same /28" (and /64 for IPv6). Otherwise, Mark A

Re: Open DNS Resolver reflection attack Mitigation

2012-06-08 Thread Stephane Bortzmeyer
On Fri, Jun 08, 2012 at 03:09:04PM -0400, Joe Maimon wrote a message of 7 lines which said: > Is there any publicly available rate limiting for BIND? Not as far as I know. I'm not sure it would be a good idea. BIND is feature-rich enough. > How about host-based IDS that can be used to trigg

Re: Open DNS Resolver reflection attack Mitigation

2012-06-08 Thread Stephane Bortzmeyer
On Fri, Jun 08, 2012 at 12:56:23PM -0700, Owen DeLong wrote a message of 28 lines which said: > IPv6 should be a simple matter of putting the same line in your > ip6tables file. My experience with attack mitigation is that tools do not always work as advertised and sometimes do bad things (su

No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-27 Thread Stephane Bortzmeyer
On Wed, Jun 27, 2012 at 03:53:17AM +, Matthew Black wrote a message of 18 lines which said: > We believe the DNS servers used by Google's crawler have been poisoned. [After reading the whole thread and discovering that Google was indeed right.] What made you think it can be a DNS cache p

Re: F.ROOT-SERVERS.NET moved to Beijing?

2011-10-03 Thread Stephane Bortzmeyer
On Sun, Oct 02, 2011 at 05:40:23PM +, Janne Snabb wrote a message of 32 lines which said: > I happened to notice the following at three separate sites around > the US and one site in Europe: Good analysis at

Re: F.ROOT-SERVERS.NET moved to Beijing?

2011-10-03 Thread Stephane Bortzmeyer
On Sun, Oct 02, 2011 at 04:06:44PM -0700, Leo Bicknell wrote a message of 107 lines which said: > We have found networks where a query sent to F-Root never reaches an > ISC run server. For details on such behavior, I highly recommend the excellent paper "Identifying and Characterizing Anycast

Re: F.ROOT-SERVERS.NET moved to Beijing?

2011-10-03 Thread Stephane Bortzmeyer
On Sun, Oct 02, 2011 at 05:40:23PM +, Janne Snabb wrote a message of 32 lines which said: > $ dig +short +norec @F.ROOT-SERVERS.NET HOSTNAME.BIND CHAOS TXT > "pek2a.f.root-servers.org" The next time, I suggest to also run "data" queries such as "A www.facebook.com" or "A www.twitter.com"

Re: TATA problems?

2011-11-07 Thread Stephane Bortzmeyer
On Mon, Nov 07, 2011 at 10:00:34AM -0500, Todd Snyder wrote a message of 12 lines which said: > We seem to be having some problems with our tata links They probably use Juniper routers :-)

Re: [outages] More notes

2011-11-08 Thread Stephane Bortzmeyer
On Mon, Nov 07, 2011 at 08:37:55PM -0700, brian nikell wrote a message of 38 lines which said: > Actually, Juniper does disclose code bugs. Though not always to the > public at first, importantly to Juniper customers. Juniper had > advised all of their customers last August of this bug, howeve

Re: EFF call for signatures from Internet engineers against censorship

2011-12-14 Thread Stephane Bortzmeyer
On Tue, Dec 13, 2011 at 06:12:34PM -0800, Peter Eckersley wrote a message of 86 lines which said: > To date, the leading role the US has played in this infrastructure > has been fairly uncontroversial [sic and re-sic] because America > is seen as a trustworthy arbiter and a neutral basti

Re: DNS zone response speed test tool?

2011-12-20 Thread Stephane Bortzmeyer
3 "SOA fr" $(dig +short NS fr.) # # From: Joe Abley # Modified-by: Stephane Bortzmeyer # Settings max=1 verbose=0 # Some Unices like NetBSD are crazy enough to ship a dinosaurian # version of getopt, which cannot handle arguments with spaces! So, we # have a lot of work to work around

Re: Note change in IANA registry URLs

2010-04-02 Thread Stephane Bortzmeyer
On Fri, Apr 02, 2010 at 11:42:25AM +0200, Robert Kisteleki wrote a message of 20 lines which said: > I don't know what good reasons you might have to pull down the current > URLs. Please keep them working. I strongly agree and, by the way, it seems this was partially mentioned in the origina

Re: APNIC Allocated 14/8, 223/8 today

2010-04-14 Thread Stephane Bortzmeyer
On Wed, Apr 14, 2010 at 05:02:10PM +1000, Skeeve Stevens wrote a message of 37 lines which said: > As the subject says, APNIC was allocated 14/8 and 223/8 today... Actually, it was a few days ago. > Not sure why I haven't seen any announcements about it... There have been announcements (h

Re: .mil dns problems?

2010-05-27 Thread Stephane Bortzmeyer
On Thu, May 27, 2010 at 09:16:35AM -1000, Antonio Querubin wrote a message of 10 lines which said: > Anyone seeing trouble resolving some .mil hostnames consistently today? Yes, most DNS servers of .MIL are unresponsive: % check_soa mil There was no response from EUR2.NIPR.mil CON2.NIPR.mi

Re: Who controlls the Internet?

2010-07-25 Thread Stephane Bortzmeyer
On Sun, Jul 25, 2010 at 08:24:27PM +0300, Tarig Yassin wrote a message of 27 lines which said: > For example when users from Sudan trying to access some web site > they will get a *Forbidden Access Error* message. > > And some messages say: you are forbidden to access this web site > because

Re: LISP

2011-04-11 Thread Stephane Bortzmeyer
On Mon, Apr 11, 2011 at 10:49:25AM -0400, Christina Klam wrote a message of 12 lines which said: > (1) Does anyone know if Sprint uses LISP? It is too early, IMHO, to have production deployments of LISP (testing is OK). > (2) Does anyone know of any good guides/documentation of LISP? For Ci

Re: dot xxx live or not?

2011-05-13 Thread Stephane Bortzmeyer
On Fri, May 13, 2011 at 05:03:11AM -0400, Joly MacFie wrote a message of 19 lines which said: > I recall checking at the time that http://icmregistry.xxx worked > > Now it doesn't. Anyone know what's going on? The TLD ".xxx" works. Names like sex.xxx or icmregistry.xxx have apparently been d

Re: ipp.gov and Google DNS (8.8.8.8)

2013-05-30 Thread Stephane Bortzmeyer
On Thu, May 30, 2013 at 09:04:44AM -0600, Josh Galvez wrote a message of 135 lines which said: > DNSSEC seems to be validating properly. Since Google Public DNS returns SERVFAIL even with the +cd option (Checking Disabled), I suspect that it is not a DNSSEC issue at all.

Re: How anti-NSA backlash could fracture the Internet along national borders - The Washington Post

2013-11-02 Thread Stephane Bortzmeyer
On Sat, Nov 02, 2013 at 01:12:54PM -0400, Jay Ashworth wrote a message of 8 lines which said: > The balkanizing of the Net? > > http://www.washingtonpost.com/blogs/worldviews/wp/2013/11/01/how-anti-nsa-backlash-could-fracture-the-internet-along-national-borders/ So, to host your content in t

[renesys] The New Threat: Targeted Internet Traffic Misdirection

2013-11-19 Thread Stephane Bortzmeyer
Interesting study of what seems to be real BGP shunts: http://www.renesys.com/2013/11/mitm-internet-hijacking/

Re: [renesys] The New Threat: Targeted Internet Traffic Misdirection

2013-11-26 Thread Stephane Bortzmeyer
On Wed, Nov 20, 2013 at 01:54:00PM -0500, Christopher Morrow wrote a message of 11 lines which said: > someone has already parsed out all route announcements from > ris/routeviews for the 2 specific incidents in question in the > article? and posted the contents somewhere for review? I didn't

Re: Renesys, Ars document wholesale BGP hijacking

2013-11-27 Thread Stephane Bortzmeyer
On Wed, Nov 27, 2013 at 02:10:33AM -0500, Jay Ashworth wrote a message of 7 lines which said: > To Belarus, Iceland. Old news, more than a week. > Um, oops. > > http://catless.ncl.ac.uk/go/risks/27/62/2 The real URL is

Re: Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet

2013-12-06 Thread Stephane Bortzmeyer
On Fri, Dec 06, 2013 at 06:38:31PM +0100, Eugen Leitl wrote a message of 357 lines which said: > http://www.wired.com/threatlevel/2013/12/bgp-hijacking-belarus-iceland/ Except the remarks from Kapela, it has very little content above what was in the Renesys paper, discussed here two weeks ago

Re: Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet

2013-12-06 Thread Stephane Bortzmeyer
On Fri, Dec 06, 2013 at 01:05:54PM -0500, Jared Mauch wrote a message of 36 lines which said: > I've detected 11.6 million of these events since 2008 just looking at the > route-views data. Most recently the past two days 701 has done a large MITM > of > traffic. The big novelty in the Rene

Re: Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet

2013-12-06 Thread Stephane Bortzmeyer
On Fri, Dec 06, 2013 at 12:39:16PM -0600, Brandon Galbraith wrote a message of 43 lines which said: > If your flows are a target, or your data is of an extremely > sensitive nature (diplomatic, etc), why aren't you moving those bits > over something more private than IP (point to point L2, An

Re: macomnet weird dns record

2015-04-14 Thread Stephane Bortzmeyer
On Tue, Apr 14, 2015 at 04:09:42PM +0300, Nikolay Shopik wrote a message of 10 lines which said: > How its weird? All these chars allowed in DNS records. And they probably encode the netmask, which may be useful.

Re: macomnet weird dns record

2015-04-14 Thread Stephane Bortzmeyer
On Tue, Apr 14, 2015 at 02:26:48PM +0100, Colin Johnston wrote a message of 19 lines which said: > Best practice says avoid such info in records as does not aid debug > since mix of dec and hex No. Pure imagination on your side. There is no such "best practice". And it's not hex or dec, it is

Re: AS4788 Telecom Malaysia major route leak?

2015-06-12 Thread Stephane Bortzmeyer
On Fri, Jun 12, 2015 at 11:09:34AM +0200, Tore Anderson wrote a message of 10 lines which said: > I see tons of bogus routes show up with AS4788 in the path, and at > least AS3549 is accepting them. > > E.g. for the RIPE NCC (193.0.0.0/21): > > [BGP/170] 00:20:29, MED 1000

Re: AS4788 Telecom Malaysia major route leak?

2015-06-12 Thread Stephane Bortzmeyer
On Fri, Jun 12, 2015 at 09:58:55AM -0500, Charles van Niman wrote a message of 25 lines which said: > Does anyone at Level3 care to comment here about this event, https://twitter.com/Level3/status/609353696787496960

Re: REMINDER: LEAP SECOND

2015-06-22 Thread Stephane Bortzmeyer
On Mon, Jun 22, 2015 at 01:15:41PM +0100, Tony Finch wrote a message of 15 lines which said: > The problems are that UTC is unpredictable, That's because the earth rotation is unpredictable. Any time based on this buggy planet's movements will be unpredictable. Let's patch it now!

Re: REMINDER: LEAP SECOND

2015-06-22 Thread Stephane Bortzmeyer
On Mon, Jun 22, 2015 at 12:38:28PM +, Bjoern A. Zeeb wrote a message of 17 lines which said: > So we need a new center of the universe and switch to stardate and > thus solve the 32bit UNIX time problem for real this time? Or simply use TAI which is the obvious time reference for Internet

Re: Speaking of NTP...

2015-07-13 Thread Stephane Bortzmeyer
On Mon, Jul 13, 2015 at 01:17:01PM +, Matthew Huff wrote a message of 14 lines which said: > We have 5 NTP server: 2 x stratum 1 rubidium oscillator time servers > with GPS sync, and 3 servers running NTP 4.2.6p5-3 synced to > external internet based NTP stratum 1 servers. We monitor our N

Re: Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica

2015-08-04 Thread Stephane Bortzmeyer
On Tue, Aug 04, 2015 at 10:03:33AM -0400, Jay Ashworth wrote a message of 6 lines which said: > Everyone got BIND updated? For instance by replacing it with NSD or Unbound?

Re: Chile Status?

2015-09-17 Thread Stephane Bortzmeyer
On Thu, Sep 17, 2015 at 09:58:54AM -0400, Jared Mauch wrote a message of 11 lines which said: > If someone wants ripe ATLAS credits please send me a request > off-list with your e-mail address registered for RIPE Atlas. Even without credits, and an anonymous access, you can see that several p

Re: Chile Status?

2015-09-17 Thread Stephane Bortzmeyer
On Thu, Sep 17, 2015 at 10:00:46AM -0400, Marshall Eubanks wrote a message of 34 lines which said: > shows green dots, but if you mouseover you see that the last > connects are all old (pre-Earthquake). You're right, I forgot to check that but the 17 RIPE Atlas probes connected in Chile all a
