New Feh. ;-)
Scott wrote:

[link|http://www.theregister.co.uk/content/6/27731.html|http://www.theregister.co.uk/content/6/27731.html]

[link|http://www.smh.com.au/articles/2002/10/25/1035504876265.html|Feh.] ;-)

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
New re the ICANN Scam:
Is there any organized, pref. funded movement to return these parasites back to flipping burgers or raiding pension funds? It's not at all clear to me where one would begin, though it is obvious that you would have to do battle within today's ethics-free Bizness environment. I expect that there are layers of insulation and oceans of spin concerning the 'Importance' of this name-doling for ez big $$.

Maybe this is minor compared with the obscene levels of banditry from Redmond on, and obviously the Bush Admin. would oppose on theological grounds - but why not pick-off certain examples like ICANN in a concerted way: for the beginnings of public awareness? [maybe that's an oxymoron now].


Ashton
New Bwahahahahaaa...
That was really funny... Mr. Sanders nailed it on the head! "Thieving parasites" indeed!
--
-------------------------------------------------------------------
* Jack Troughton                            jake at consultron.ca *
* [link|http://consultron.ca|http://consultron.ca]                   [link|irc://irc.ecomstation.ca|irc://irc.ecomstation.ca] *
* Laval Québec Canada                   [link|news://news.consultron.ca|news://news.consultron.ca] *
-------------------------------------------------------------------
New Rick... How is DDNS going to affect this...
I have serious misgivings about DDNS... especially about how often the updates come...

I would be very interested to Discuss this... being it DOES indeed relate to the problem.

Along with that, I see a very interesting DoS or DDoS attack using compromised DDNS clients updating their Authoritative DDNS machine thousands of times per second and then transferring those hundreds of thousands of times to the next upstream DNS machine... and the ROOT servers etc...

Do you think DDNS is really worth the perceived convenience? FWIW I don't... but I'd still be interested in your thoughts on this.

[link|mailto:curley95@attbi.com|greg] - Grand-Master Artist in IT
[link|http://www.iwethey.org/ed_curry/|REMEMBER ED CURRY!!!]

Your friendly Homeland Security Officer reminds:
Hold Thumbprint to Screen for 5 seconds, we'll take the imprint, or
Just continue to type on your keyboard, and we'll just sample your DNA.
New Re: Rick... How is DDNS going to affect this...
gfolkert wrote:

Along with that, I see a very interesting DoS or DDoS attack using compromised DDNS clients updating their Authoritative DDNS machine thousands of times per second and then transferring those hundreds of thousands of times to the next upstream DNS machine... and the ROOT servers etc...

I'm unclear about how and why, in the scenario you're describing, information would be propagated higher and higher in the chain of authority towards the root. I'm not envisioning an example where that can happen. Maybe it would help if you could post an example, showing what happens with the zonefiles.

E.g., if you have a bunch of machines that have nameservice in zone myddns.org, then they send update IP information to some nameservers that have delegated authority for that forward-lookup second-level domain. The several authoritative nameservers would be set up to update one another: I'm not informed enough on DDNS nameserver administration to know how that happens (never needed DDNS), but that's it. Delegated is delegated.

If I'm missing the nature of what you're asking, please do follow up. An example would probably help.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
New A couple of stupid DNS questions
As I understand it if you have a cached answer which is past expiry, then you throw it out and ask for a refresh. Then if the refresh cannot be found, then you say the name cannot be resolved.

It seems to me that if you are past the expiry time you should ask for the real answer, but in the event that you cannot get one you should continue to hand back your stale answer indefinitely. That would mean that an attack like this on the root DNS system would essentially never work. Other machines would wind up asking where, for instance, .au and .com are but would continue to give back accurate answers indefinitely. It would also help in some local failures because my local caching DNS node would leave me able to access things that I normally used even though the server it gets things from cannot be reached. (I used to suffer through a lot of these because I was behind a firewall with only a poorly-administered DNS server available.)

The other question is this. Why is mail the only protocol that DNS has seen fit to make failover be implemented for in the DNS system? Personally I think it would be great to build the capacity into virtually everything. Makes redundancy easier to design in to things. Allows people to use DNS for naive balancing and also gives the caching benefit.

Cheers,
Ben
"Career politicians are inherently untrustworthy; if it spends its life buzzing around the outhouse, it's probably a fly."
- [link|http://www.nationalinterest.org/issues/58/Mead.html|Walter Mead]
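
The stale-answer fallback proposed in the post above, as an added example that is not part of the original thread: a toy cache that refreshes after TTL expiry but keeps returning the expired answer when the upstream lookup fails. The `StaleServingCache` class, the `upstream` callable, the `max_stale` cap and the sample name and address are all assumptions made for illustration.

```python
import time


class StaleServingCache:
    """Toy resolver cache (hypothetical): refresh once the TTL has expired,
    but fall back to the expired answer if the upstream lookup fails."""

    def __init__(self, upstream, clock=time.monotonic, max_stale=None):
        self.upstream = upstream    # callable(name) -> (address, ttl); raises OSError on failure
        self.clock = clock
        # None = hand back stale answers indefinitely, as the post suggests.
        # A finite cap bounds how long a changed or withdrawn record lingers.
        self.max_stale = max_stale
        self.entries = {}           # name -> (address, expires_at)

    def resolve(self, name):
        now = self.clock()
        cached = self.entries.get(name)
        if cached and now < cached[1]:
            return cached[0], "fresh"
        try:
            address, ttl = self.upstream(name)
        except OSError:
            # Upstream unreachable: reuse the expired entry if policy allows.
            if cached and (self.max_stale is None
                           or now - cached[1] <= self.max_stale):
                return cached[0], "stale"
            raise
        self.entries[name] = (address, now + ttl)
        return address, "refreshed"


def demo():
    """Constructed scenario: one lookup, then the upstream goes away."""
    now = [0.0]
    state = {"up": True}

    def upstream(name):             # stand-in for a real recursive lookup
        if not state["up"]:
            raise OSError("upstream unreachable")
        return "192.0.2.10", 300    # constructed address and TTL

    cache = StaleServingCache(upstream, clock=lambda: now[0])
    results = [cache.resolve("www.example.com")]    # first lookup
    now[0] = 100.0
    results.append(cache.resolve("www.example.com"))  # inside the TTL
    state["up"] = False
    now[0] = 1000.0                 # TTL long expired, upstream down
    results.append(cache.resolve("www.example.com"))
    return results


if __name__ == "__main__":
    print(demo())
```

With `max_stale=0` the same cache behaves the way the post describes current practice: once the entry has expired and the refresh fails, the name fails to resolve.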
New Re: A couple of stupid DNS questions
Ben, my understanding about how caching's supposed to work is more-or-less the same as yours. It turns out that, in practice, caching policies seem to be all over the map -- but are heavily on the "excessive and inappropriate" side of that map. This can lead to some frustrating situations, e.g., you know you're going to be migrating a public Web server, so you set TTL values low well in advance, you perform the migration, and then you start getting mail from people who unaccountably aren't reaching the new site, apparently because of inappropriate caching.

Yes, what you're proposing sounds like a better way, better even than the way the RFCs say it's supposed to work -- but real-world usage appears to only spottily implement even the latter.

Why is mail the only protocol that DNS has seen fit to make failover be implemented for in the DNS system?

Interesting idea. The one almost unique characteristic of mail that I can think of, that might account for this, is that mail is asynchronous, and thus benefits from queueing and redelivery in a way that other services generally don't. But it's a good thought. I can't think offhand of other services that could benefit from similar treatment, but there might be some.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
     e-knobs execute DoS attack against root DNS servers - (admin) - (7)
         Feh. ;-) - (rickmoen) - (6)
             re the ICANN Scam: - (Ashton)
             Bwahahahahaaa... - (jake123)
             Rick... How is DDNS going to affect this... - (folkert) - (1)
                 Re: Rick... How is DDNS going to affect this... - (rickmoen)
             A couple of stupid DNS questions - (ben_tilly) - (1)
                 Re: A couple of stupid DNS questions - (rickmoen)
