Randy Bush | 27 Apr 03:09 2015

traffic jam

i have two modest auth servers, a few MB/s each.  ten days ago, they
went to 80MB.  sources and dests are widely distributed.  so is it just
a ddos, or is there something for which i should be looking?

randy

Keith Mitchell | 23 Apr 13:12 2015

DNS-OARC Spring 2015 Workshop - 9/10th May : REGISTRATION DEADLINE REMINDER

A reminder that the early registration deadline for our Amsterdam
workshop is *this Friday* the 24th:

	https://oarc-spring2015-amsterdam.eventbrite.com/

If you are planning to attend, please note that the registration fee
increases from $150 to $250 for non-member attendees TOMORROW, Friday
24th April. This includes lunch on both days and an evening social
event - help us plan, and keep our and your hotel venue costs down, by
registering ASAP. Discounted registration is also available to most OARC
members.

The agenda is now fully confirmed and as packed as ever, please see:

	https://indico.dns-oarc.net/event/21/timetable/#all

for details of all talks and timing.

The workshop will be held at the same location as the subsequent RIPE70
meeting, and we're grateful to SIDN, Verisign, Nominum and Comcast for
being our sponsors this time.

For travel and additional venue information, see the workshop site, and
also the RIPE70 meeting site at:

	https://ripe70.ripe.net/venue/meeting-venue/

Additional sponsors for this meeting and the social event remain welcome
- please contact <sponsor@...> if interested.


Stephane Bortzmeyer | 22 Apr 15:12 2015

Authoritative name server replies NODATA for a non-existing domain

Strange behavior:

% for ns in $(dig +nodnssec +short NS adult.); do
echo $ns
dig @$ns NS thisdomaincertainlydoesnotexist.adult |& grep status:
done
d0.nic.adult.
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13433
c0.nic.adult.
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23111
a0.nic.adult.
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3358
a2.nic.adult.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48334
b2.nic.adult.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29932
b0.nic.adult.
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58405

IMHO, all the name servers should reply NXDOMAIN, no?

DNSviz does complain:

http://dnsviz.net/d/adult/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&ta=dlv.isc.org.&tk=

Mark E. Jeftovic | 18 Apr 21:23 2015

named-checkzone warnings about missing SPF records


I am under the impression that the SPF RR type has been deprecated
(http://www.zytrax.com/books/dns/ch9/spf.html and RFC 7208)

Yet named-checkzone will still throw a warning if SPF data is present in
a TXT rec but has no accompanying SPF Rtype:

zone antiglam.com/IN: 'antiglam.com' found SPF/TXT record but no SPF/SPF
record found, add matching type SPF record

Will this warning be phased out?

(although I note that we use bind-dlz here, so I also wonder if the
named-checkzone package in that is slightly behind the stock bind one)

- mark

-- 
Mark E. Jeftovic <markjr@...>
Founder & CEO, easyDNS Technologies Inc.
+1-(416)-535-8672 ext 225
Read my blog: http://markable.com

Doug Barton | 18 Apr 00:06 2015

Do Unix stubs round robin nameserver addresses?

I have always believed (based on both the man pages, and what I've seen 
in the field) that Unix stub resolvers follow the behavior described in 
the man page. That is, they try the first 'nameserver' address listed, 
and if it doesn't get a response before the timeout value expires it 
then moves on to the next one in line.

I was having a discussion with someone about that issue today who 
insists that they have empirical evidence that this is not the case, 
that they have seen stubs that round robin the addresses. So, I'm 
wondering if y'all have seen the same thing?

Curious,

Doug

-- 
I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!

Frank | 16 Apr 08:49 2015

Re: calculating DNSSEC keytags in awk


Hello Carlos Martinez-Cagnazzo,
have you found a solution to your problem "calculating DNSSEC keytags in
awk" from Sat Dec 17 12:39:04 UTC 2011? I found 3 Python programs, but
each comes to a different result.

I tried:
[1]http://webcache.googleusercontent.com/search?q=cache:-ipkFN08vMwJ:www.videntity.com/2013/08/how-to-serve-public-certificates-in-bind-for-the-direct-project/+&cd=1&hl=de&ct=clnk&gl=de
[2]https://www.v13.gr/blog/?p=239
[3]https://groups.google.com/forum/#!searchin/comp.protocols.dns.bind/python$20keytag/comp.protocols.dns.bind/XR69GkAxbUE/_00QK7rs4tUJ

Greetings from Germany
Frank
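As an added example (not from Frank's post, nor from any of the programs he links), here is the key tag computation from RFC 4034 Appendix B in Python, including the separate rule for algorithm 1 (RSA/MD5) keys; the DNSKEY values used below are constructed, not real keys.

```python
import base64


def key_tag(rdata: bytes, algorithm: int) -> int:
    """Key tag of a DNSKEY RR per RFC 4034 Appendix B.

    rdata is the wire-format RDATA: flags (2 bytes), protocol (1 byte),
    algorithm (1 byte), followed by the public key bytes.
    """
    if algorithm == 1:
        # Appendix B.1: for RSA/MD5 the key tag is the most significant 16
        # bits of the least significant 24 bits of the modulus, i.e. the
        # third- and second-to-last bytes of the RDATA.
        if len(rdata) < 7:
            raise ValueError("RDATA too short for an algorithm 1 key")
        return (rdata[-3] << 8) | rdata[-2]
    ac = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF   # fold the carry back into the low 16 bits
    return ac & 0xFFFF


def key_tag_from_presentation(record: str) -> int:
    """Compute the tag from 'FLAGS PROTO ALG BASE64...', with or without the
    'owner TTL IN DNSKEY' prefix in front (the base64 may contain spaces)."""
    fields = record.split()
    if "DNSKEY" in fields:
        fields = fields[fields.index("DNSKEY") + 1:]
    flags, proto, alg = (int(x) for x in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return key_tag(rdata, alg)


if __name__ == "__main__":
    # Constructed KSK (flags 257, protocol 3, algorithm 8) with a 4-byte
    # dummy "public key" of 01 02 03 04; this is not a real key.
    print(key_tag_from_presentation("example.net. 3600 IN DNSKEY 257 3 8 AQIDBA=="))
```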

George Michaelson | 15 Apr 13:42 2015

Re: Postures was Re: Stunning security discovery: AXFR may leak information

I find the question: "if you had an FTP fetch of the zone, would you
feel comfortable making that available for anonymous FTP" a useful
question.

In reverse, we have the entire zonestate as FTP files, publicly
visible, signed in PGP. And we have whois, with varying degrees of
throttle, for operational stability reasons more than anything else.

If we got swamped on FTP, I wouldn't be happy, but that's an
operational issue about TCP cost and data cost. Not about the zone
contents per se.

I'm happy in reverse, it makes sense to know numbers are numbers, they
have a sequence, it's not that much less informative than other
published information about who-has-what.

So on that basis: the FTP rule passes: we have open FTP, why would we
block AXFR?

-G

On 15 April 2015 at 13:26, Edward Lewis <edward.lewis@icann.org> wrote:
> John Crain alluded to the point I want to reinforce here.  There are many
> different operational postures.  It's tempting to see a situation as it
> applies to just one.  The three snips below illustrate common environments
> I've run across - TLD (/registration zones), remote debugging
> (/third-party management), and enterprise.
>
> When I think of "generally" I assume the latter environment.  By
> comparison, there are very few operations that handle TLD (and root) zone.

Edward Lewis | 15 Apr 13:26 2015

Postures was Re: Stunning security discovery: AXFR may leak information

John Crain alluded to the point I want to reinforce here.  There are many
different operational postures.  It's tempting to see a situation as it
applies to just one.  The three snips below illustrate common environments
I've run across - TLD (/registration zones), remote debugging
(/third-party management), and enterprise.

When I think of "generally" I assume the latter environment.  By
comparison, there are very few operations that handle TLD (and root) zone.

The remote debugging is an interesting environment.  On the one hand it is
benign, "coaching" and basically freely helping others.  But the technical
footprint of it is not far removed from outside surveillance ("the NSA" or
corporate spying), with the real difference locked into "intent."  And
sometimes even benign outside help is considered an intrusion.

As far as "generally unwise" - I am not the kind who likes loose ends.  By
analogy, I see opening up AXFR on servers like walking with my shoes
untied.  It's convenient (to not have to bend over and tie them) but if I
step on one end I trip over.  Usually, my stance is wide enough that I
don't trip.  The other concern is getting the laces wet in puddles, so I
pull them in. (Yes, it is disturbing I've actually thought about this.)
And worse yet, when I do this, my wife will frown at me.  I.e., once I
mitigate the risks of tripping, stepping in puddles, and the scorn of my
wife, it's fine.  If I don't consider these risks, I've been unwise.

On 4/14/15, 18:58, "Patrik Fältström" <paf@...> wrote:
>
>I see personally quite a number of registries that are nervous about
>XFR (or release of the zone in one way or another)


Paul Vixie | 14 Apr 21:48 2015

nakedness vs. AXFR

one of the guys here (farsight security) heard me say that when florian
weimer invented passive dns it was so that he could reconstruct zones
(specifically the .DE zone) one record at a time by recording cache miss
transactions. since passive DNS was our main business at that moment, a
"zonedumper" tool then appeared. i'll show it in "native" mode below,
rather than querying through the DNSDB API:

> $ ./zonedumper --mtbl /export/dnstable/mtbl/{*.[DH],*.201503.M}.mtbl --earliest $(date "+%s" -d "1 month ago") vix.com
> vix.com.	3600	in	soa	rd3.iad1.fsi.io. vixie.fsi.io. 1429039021 86400 3600 604800 3600
> vix.com.	3600	in	a	176.74.176.186
> vix.com.	3600	in	a	69.172.201.208
> vix.com.	3600	in	ns	buy.internettraffic.com.
> vix.com.	3600	in	ns	sell.internettraffic.com.

and indeed, vix.com has been in that dilapidated state for at least the last month (per the request), since
it's for sale. so let's look at vix.su (see below), since as a westerner born during the cold war i thought it
would be wonderful to own property in the soviet union. note, as above, the synthetic SOA, which allows us
to actually load this "zone" into a name server if we want to. as to what's below, that's not everything in
the vix.su zone, but it's everything that's been queried that caused one of ~200K cache misses we receive
every second.

what this means is, you are running bare naked through the internet, covered in honey, whether you allow
AXFR or not. so, disallowing AXFR is at best a professionalism matter, and not really a security matter.

vixie


Stephane Bortzmeyer | 14 Apr 10:23 2015

Stunning security discovery: AXFR may leak information

https://www.us-cert.gov/ncas/alerts/TA15-103A
http://haxpo.nl/haxpo2015ams/sessions/all-your-hostnames-are-belong-to-us/

Kumar Ashutosh | 13 Apr 07:55 2015

What's New in DNS Server in Windows Server Technical Preview

Functionality | New or Improved | Description
DNS Policies | New | You can configure DNS policies to specify how a DNS server responds to DNS queries. DNS responses can be based on client IP address (location), time of the day, and several other parameters. DNS policies enable location-aware DNS, traffic management, load balancing, split-brain DNS, and other scenarios.
New DNS records | New | You can now create Transport Layer Security Authentication (TLSA), and unknown records in DNS to support different DNS scenarios.
Windows PowerShell support | Improved | New Windows PowerShell cmdlets are available for DNS Server.

Highlights:

Policies with their PowerShell interface
DANE support
Support for adding unknown records (add new records or old unsupported records like SPF via the unknown records API; you have to provide the data in hexadecimal format)

More details here:

https://technet.microsoft.com/en-us/library/dn765484.aspx

Detailed guides will follow soon. For further information contact me.

Thanks

Ashu

Program Manager | Windows Networking | DNS & SDN
