RE: NANOG Digest, Vol 26, Issue 142
Sent from my Windows® phone.

-----Original Message-----
From: nanog-request@nanog.org <nanog-request@nanog.org>
Sent: 30 March 2010 13:00
To: nanog@nanog.org <nanog@nanog.org>
Subject: NANOG Digest, Vol 26, Issue 142

Today's Topics:

1. Re: DNSSEC deployment testing and awareness (Was: Re: IPv4 ANYCAST setup) (Robert Kisteleki)
2. Re: DNSSEC deployment testing and awareness (Was: Re: IPv4 ANYCAST setup) (Phil Regnauld)
3. Re: IPv4 ANYCAST setup (Jens Link)
4. Re: IPv4 ANYCAST setup (bmanning@vacation.karoshi.com)
5. Re: IPv4 ANYCAST setup (Tony Finch)
6. Re: Useful URL for network operators (Valdis.Kletnieks@vt.edu)
7. RE: Auto MDI/MDI-X + conference rooms + bored == loop (William Mullaney)

----------------------------------------------------------------------

Message: 1
Date: Tue, 30 Mar 2010 11:37:49 +0200
From: Robert Kisteleki <robert@ripe.net>
Subject: Re: DNSSEC deployment testing and awareness (Was: Re: IPv4 ANYCAST setup)
To: nanog@nanog.org
Message-ID: <4BB1C66D.7000808@ripe.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I must observe that these are not really the links you'd want to give your end users to check out. Their audience is very different. While the article on RIPE Labs comes close, they don't really answer the "does it work or does it not?" question with a green/red light, and they don't provide a good explanation to the audience Randy is referring to.

Robert

On 2010.03.30. 11:29, Phil Regnauld wrote:
Randy Bush (randy) writes:
i.e. what can we do to maximize the odds that the victim will quickly find the perp, as opposed to calling our tech support lines?
Ah yes, there was the second good reason for actually helping netops and security officers :)
Tools:
https://www.dns-oarc.net/oarc/services/replysizetest
https://www.dnssec-deployment.org/wiki/index.php/Tools_and_Resources, under troubleshooting: http://labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues http://secspider.cs.ucla.edu/
Info sheets:
http://www.afnic.fr/actu/nouvelles/240/l-afnic-invite-les-responsables-techn... (click English, top right)
... plenty of links there too.
Cheers, Phil
------------------------------

Message: 2
Date: Tue, 30 Mar 2010 11:52:27 +0200
From: Phil Regnauld <regnauld@nsrc.org>
Subject: Re: DNSSEC deployment testing and awareness (Was: Re: IPv4 ANYCAST setup)
To: Robert Kisteleki <robert@ripe.net>
Cc: nanog@nanog.org
Message-ID: <20100330095226.GE24147@macbook.catpipe.net>
Content-Type: text/plain; charset=us-ascii

Robert Kisteleki (robert) writes:
I must observe that these are not really the links you'd want to give your end users to check out. Their audience is very different. While the article on RIPE Labs comes close, they don't really answer the "does it work or does it not?" question with a green/red light, and they don't provide a good explanation to the audience Randy is referring to.
Fair enough. Some simple "check your DNS reply size test [what is this?]" page ought to be set up, with a simple explanation. "checkmydns.org" is available. If I get 5 minutes... :)

------------------------------

Message: 3
Date: Tue, 30 Mar 2010 11:58:16 +0200
From: Jens Link <lists@quux.de>
Subject: Re: IPv4 ANYCAST setup
To: nanog@nanog.org
Message-ID: <87mxxqb07b.fsf@bowmore.quux.de>
Content-Type: text/plain; charset=us-ascii

"Kevin Oberman" <oberman@es.net> writes:
He said that if the protocols would not handle blocked 53/tcp, the protocols would have to be changed. Opening the port was simply not open to discussion.
Let me guess: They also completely blocked ICMP. I always tell these customers to switch to IPv6 real fast and to turn off ICMPv6 to make their networks really secure. ;-)
I will say that these were at federal government facilities. I hope the commercial world is a bit more in touch with reality.
You can find clueless people everywhere.

Jens

--
Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264
http://www.quux.de | http://blog.quux.de | jabber: jenslink@guug.de

------------------------------

Message: 4
Date: Tue, 30 Mar 2010 10:05:27 +0000
From: bmanning@vacation.karoshi.com
Subject: Re: IPv4 ANYCAST setup
To: Randy Bush <randy@psg.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Message-ID: <20100330100527.GC30288@vacation.karoshi.com.>
Content-Type: text/plain; charset=us-ascii

On Tue, Mar 30, 2010 at 05:43:25PM +0900, Randy Bush wrote:
I have talked to multiple security officers (who are generally not really knowledgeable on networks) who had 53/tcp blocked and none have yet agreed to change it.

patience. when things really start to break, and the finger of fate points at them, clue may arise. 36 days until all root servers have DNSSEC data, at which point large replies become normal.
are end user tools, i.e. a web click a button, available so they can test if they are behind a clueless security id10t?
no - in part because using a browser to debug DNS involves a third app (and likely a third/fourth) platform. the nifty OARC testpoint is nearly worthless for real operations, since it's not located at/near a DNS authoritative source. the K testpoint is good, I should prolly put back the one off B.
is there good simple end user docco they are somewhat likely to find when things break for them?
not yet. in part because out of the few simple parts, many, many combinations of failure can occur.

) MTU strictures: v6/v4 tunneling, v6/v4 MTU clamping
) Fragmentation: UDP
) Port blocking
) Resolver behaviour: EDNS awareness
i.e. what can we do to maximize the odds that the victim will quickly find the perp, as opposed to calling our tech support lines?
that's a tough call. as tech support staff, we are almost always an outside observer on the path between the victim and the perp. troubleshooting is going to be problematic.
randy
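The packet-level mechanics behind the reply-size tests and the 512-byte / 53/tcp discussion in this thread, as an added example that is not code from any poster nor from the OARC or RIPE Labs tools: it builds an EDNS0 query advertising a large UDP buffer and classifies a response the way a troubleshooting page would (truncated means the client must retry over 53/tcp, which is exactly what the blocked port breaks). Standard library only; the sample responses, the 4096-byte buffer and the example name are constructed values.

```python
import struct

DNSKEY = 48           # query type typically used by DNSSEC reply-size tests
OPT = 41              # EDNS0 pseudo-RR type
DO_FLAG = 0x00008000  # DNSSEC OK bit, carried in the OPT record's TTL field
TC_FLAG = 0x0200      # truncation bit in the DNS header flags


def build_query(name, qtype=DNSKEY, edns_bufsize=4096, txid=0x1234):
    """Build a DNS query for `name` with an EDNS0 OPT record that advertises
    `edns_bufsize` bytes of UDP payload and sets DO (ask for RRSIGs).
    Without the OPT record a server must assume the classic 512-byte limit."""
    # header: id, flags (RD only), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE=41, CLASS field carries the UDP buffer size,
    # TTL field carries ext-rcode/version/flags (DO), RDLEN=0 (no options)
    opt = b"\x00" + struct.pack(">HHIH", OPT, edns_bufsize, DO_FLAG, 0)
    return header + question + opt


def classify_response(data):
    """Classify a raw UDP response the way a reply-size test would report it."""
    if len(data) < 12:
        return "malformed"
    _txid, flags = struct.unpack(">HH", data[:4])
    if flags & TC_FLAG:
        # the answer did not fit: the resolver now retries over 53/tcp
        return "truncated: needs TCP/53 fallback"
    if len(data) > 512:
        return f"large UDP reply ({len(data)} bytes): EDNS0 path works"
    return "small reply"


# Constructed sample responses (not captured traffic): a truncated answer
# (flags QR|TC|RD|RA) and a 612-byte answer (flags QR|RD|RA) padded with zeros.
SAMPLE_TRUNCATED = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
SAMPLE_LARGE = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 4, 0, 1) + b"\x00" * 600

if __name__ == "__main__":
    print(len(build_query("example.com")), "byte query")
    for sample in (SAMPLE_TRUNCATED, SAMPLE_LARGE):
        print(classify_response(sample))
```

A real test would send the query with a UDP socket and feed the raw reply to classify_response; a "truncated" verdict followed by a failing TCP retry is the signature of the 53/tcp block discussed above.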
------------------------------

Message: 5
Date: Tue, 30 Mar 2010 11:53:12 +0100
From: Tony Finch <dot@dotat.at>
Subject: Re: IPv4 ANYCAST setup
To: nanog@nanog.org
Message-ID: <alpine.LSU.2.00.1003301152280.1923@hermes-2.csi.cam.ac.uk>
Content-Type: TEXT/PLAIN; charset=US-ASCII

"Kevin Oberman" <oberman@es.net> writes:
He said that if the protocols would not handle blocked 53/tcp, the protocols would have to be changed. Opening the port was simply not open to discussion.
Do they also believe that all DNS replies are less than 512 bytes? :-)

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS. MODERATE OR GOOD.

------------------------------

Message: 6
Date: Tue, 30 Mar 2010 07:33:39 -0400
From: Valdis.Kletnieks@vt.edu
Subject: Re: Useful URL for network operators
To: Jim Mercer <jim@reptiles.org>
Cc: nanog@nanog.org
Message-ID: <1191.1269948819@localhost>
Content-Type: text/plain; charset="us-ascii"

On Tue, 30 Mar 2010 05:34:06 EDT, Jim Mercer said:
Once again, please ignore Jim Mercer. He should do more homework too.
He's said similar about a number of people who have more operations clue than he does. I'd comment, except Woody Allen already did it better: http://www.youtube.com/watch?v=9wWUc8BZgWE
a) I have never heard of Randy Bush
That's OK, I encoura.. oh nevermind, it's shooting fish in a barrel. ;)
Participant: Stephen Tandy