[2006-11-16 10:02:34]*keith has set the topic to: OARC Workshop 2006: Teleconf shortly on +1 866 500 6738 [2006-11-16 10:15:34] Just to confirm - OARC workshop jabber will happen here, meeting starts at 10:00 PST [2006-11-16 10:39:56] There is no live video webcast, audio teleconf only. The proceeding are being videoed and will be available afterwards [2006-11-16 11:02:20]--- Antoin (antoin@jabber.org/Psi) has become available [2006-11-16 11:02:20]--- bwatson (bwatson@jabber.oarc.isc.org/tkabber) has become available [2006-11-16 11:02:20]--- glozano (glozano@jabber.nic.com.mx/Pandion) has become available [2006-11-16 11:02:20]--- keith (keith@jabber.oarc.isc.org/vaio1) has become available [2006-11-16 11:02:20]--- kmkaplan (kmkaplan@im.apinc.org/Psi) has become available [2006-11-16 11:02:20]--- oatwillie (bmanning@jabber.org/Psi) has become available [2006-11-16 11:02:20]--- rstory (rstory@jabber.org/jabber) has become available [2006-11-16 11:02:20]--- sleach (sleach@jabber.ultradns.net/Adium) has become available [2006-11-16 11:02:20]--- vix (vixie@jabber.oarc.isc.org/human) has become available [2006-11-16 11:03:21]--- Matt Pounsett (mpounsett@jabber.oarc.isc.org/Adium) has become available [2006-11-16 11:13:23]--- roy-h (rhooper@jabber.oarc.isc.org/Adium) has become available [2006-11-16 11:13:59]--- koji (koji@jabber.registro.br/Psi) has become available [2006-11-16 11:14:01]--- pk (pkoch@jabber.oarc.isc.org/Psi) has become available [2006-11-16 11:14:48]--- PeterLosher/ISC (plosher@jabber.isc.org/Laptop) has become available [2006-11-16 11:15:07]--- bverd (bverd@ecotroph.net/Exodus) has become available [2006-11-16 11:15:16]--- jtk (jtk@jabber.oarc.isc.org/Adium) has become available [2006-11-16 11:15:30]--- marks (marks@jabber.oarc.isc.org/Laptoy) has become available [2006-11-16 11:15:46]--- fneves (fneves@jabber.registro.br/Adium) has become available [2006-11-16 11:16:10]--- Rodney (rjoffe@jabber.oarc.isc.org/Adium) has become available [2006-11-16 
11:17:33]--- roy@uk (roy@dnss.ec/mbp) has become available [2006-11-16 11:18:00]--- jad (jad@port53.org.uk/Psi) has become available [2006-11-16 11:19:07]--- kc (kc@jabber.caida.org/Psi) has become available [2006-11-16 11:17:59] how many of y'all are NOT in SETAC? [2006-11-16 11:21:15]--- oatwillie has left [2006-11-16 11:21:46] i'm remote. [2006-11-16 11:21:50] +1 [2006-11-16 11:22:01] i [2006-11-16 11:27:17] I am remote. [2006-11-16 11:37:12] +1 [2006-11-16 11:38:15]--- weiler (weiler@jabber.org/Gaim) has become available [2006-11-16 11:42:18] We have room in the schedule for lightning presentations (10-15 mins max) [2006-11-16 11:45:49] can the URL for the current preso get posted here throughout the day? [2006-11-16 11:46:35] http://public.oarci.net/files/workshop-2006/Osterweil-SecSpider.pdf according to the web site [2006-11-16 11:47:04]*keith has set the topic to: OARC Workshop 2006: Teleconf on +1 866 500 6738 [2006-11-16 11:47:55] keith, DW wants to talk about followup to manning presentation at wide/caida workshop ( http://www.caida.org/workshops/wide/0611/slides/manning-wide0611.pdf ) [2006-11-16 11:52:22] That would be good - we could do this talk at 12:15 today [2006-11-16 11:54:27] why 400? (I can understand 30, since it's the BIND default) [2006-11-16 11:56:22] how about splitting out "unsecure" and "broken/partially deployed"? [2006-11-16 11:58:57] Two more presentations added to web site, some minor agenda changes [2006-11-16 12:00:42]--- ogud (ogud@jabber.org/Exodus) has become available [2006-11-16 12:01:45]--- davidu (davidu@jabber.tisf.net/Psi) has become available [2006-11-16 12:07:37] Any questiions for Eric ?? 
[2006-11-16 12:09:06]--- AprilDL (aprildl@jabber.tisf.net/Psi) has become available [2006-11-16 12:09:21] http://public.oarci.net/files/workshop-2006/Sukhar-P2PDNS.pdf [2006-11-16 12:09:52] Note .ppt version also on website has some details missing from .pdf [2006-11-16 12:16:32]--- John Crain (john.crain@jabber.icann.org/Adium) has become available [2006-11-16 12:19:34]--- Mike Damm (mike@jabber.damm.info/Psi) has become available [2006-11-16 12:29:49] rodney says "how quickly can i move some domains onto your system" :) [2006-11-16 12:32:15]--- John Crain has left [2006-11-16 12:32:41] you wimps :-)_ [2006-11-16 12:33:07] rodney -- half your 5million queries a second will probably drop. proxlexic got raided by feds yesterday: http://www.cio-today.com/news/NYPD-Busts-Big-Online-Gambling-Ring/story.xhtml?story_id=1000096UC7DS [2006-11-16 12:34:00] Next presentation: http://public.oarci.net/files/workshop-2006/Weimer-ENUM.pdf [2006-11-16 12:34:00] neat. good info. [2006-11-16 12:37:31]--- jad has left: Replaced by new connection [2006-11-16 12:40:01]--- sebastian.castro (sebastian.castro@jabber.org/Work) has become available [2006-11-16 12:41:54]--- mave007@CL (mave007@myjabber.net/Kopete) has become available [2006-11-16 12:43:39]--- weiler has left [2006-11-16 12:44:05]--- suresh (suresh_k@jabber.org/Adium) has become available [2006-11-16 12:46:17]--- Rodney has left [2006-11-16 12:50:27]--- Rodney (rjoffe@jabber.oarc.isc.org/Adium) has become available [2006-11-16 12:56:30] who are the speakers? [2006-11-16 12:56:46] Florian and Peter from .de [2006-11-16 12:57:05] give peter a microphone? [2006-11-16 12:58:33] Is it question round allready ? [2006-11-16 13:02:27] Does Florian sugest ENUM registries should not run whois at all, or only not have subscriber information ? 
(pls reply answer, no audio) [2006-11-16 13:02:54]--- trall has left: Replaced by new connection [2006-11-16 13:03:25] And should they have subscriber information at all, since they did not distribute the numbers... [2006-11-16 13:03:49] taking peter koch's response first, then you [2006-11-16 13:03:50] tnx [2006-11-16 13:04:43] he doesn't have a solid position on that [2006-11-16 13:05:12] i see some interest in providing whois info, but on the other hand we have privacy requirements tha tmeans we can't publish any real data on these domains [2006-11-16 13:05:40] maybe they should run an iris server (a replacement for whois) where private info can only be seen by authenticated parties [2006-11-16 13:05:57] I miss Whois already [2006-11-16 13:06:46] Think subscribtion information should not be replicated in the regestry whois, as they are not the maintainer of the subscriber info.. [2006-11-16 13:08:13] Yeah.. i don't see a reason for whois information to exist for enum zones below the delegation from the country-code registry to the telco. [2006-11-16 13:09:15] e.g. I might publish whois data that says AT&T has a particular exchange, but I don't see AT&T publishing whois data for individual phone numbers. [2006-11-16 13:09:27] florian is picking up on slide 23 now [2006-11-16 13:09:29] And you could query a tech-c through the RNAME of the zone.. [2006-11-16 13:12:03] H'mmmm. Do you define physical address as part of whois data? [2006-11-16 13:12:35] which "you" is that? [2006-11-16 13:12:55] what if the number is ported Matt? [2006-11-16 13:13:00] the "you" saying that it is unlikely that AT&T would publish whois data [2006-11-16 13:13:29] btw, this whole enumerating 'danger' was already mentioned by Peter Koch october 2005. Nothing new here. [2006-11-16 13:13:37] physcial address is mandated un US (and many other countries) for E911 [2006-11-16 13:13:41] rodney: I just don't see purpose for whois data at that level. I don't see why they'd bother. 
[2006-11-16 13:14:15] do you now? [2006-11-16 13:14:41] how is this different from PSTN (pre porting). a real pots line get's you pretty close to their real address just by area code, prefix, wiring closet/trunk [2006-11-16 13:14:56]--- ilyasukhar (ilyasukhar@jabber.org/Home) has become available [2006-11-16 13:14:58] Rodney, the physical stuff only needs to be seen to get to the correct PSAP. No need for it to be public [2006-11-16 13:14:58] LNP makes that statement wrong [2006-11-16 13:15:12] LNP? (is that NANP and porting?) [2006-11-16 13:15:18] Local Number Portability. [2006-11-16 13:15:21] ahh [2006-11-16 13:16:19] Not needed at the registry, but with the regulator/organisation distributing the numbers, they are authoritative for that data.. [2006-11-16 13:16:54] and the data has to be made available outside that organization for things like e911. [2006-11-16 13:17:16] SO how do they do that now then..... [2006-11-16 13:17:18] rodney, but that doesn't change that if I tell you my mom's phone number you can find out where she lives pretty easily.... (she makes a good meatloaf) so how is this any more scary? (note, I don't think it's scary) [2006-11-16 13:17:23] Yeah, but at least in +1 it looks like that will be done without the use of whois. [2006-11-16 13:17:41] And that doesn't change... [2006-11-16 13:18:08] is there a link to the presentation? [2006-11-16 13:18:25] http://public.oarci.net/files/workshop-2006/Wessels-oldB.pdf [2006-11-16 13:18:49]--- trall (trall@jabber.org/Exodus) has become available [2006-11-16 13:19:25]--- weiler (weiler@jabber.org/Gaim) has become available [2006-11-16 13:19:31] bill's talk http://www.caida.org/workshops/wide/0611/slides/manning-wide0611.pdf [2006-11-16 13:19:59] the rules controlling TDM (PSTN) are significantly different to the rules governing the "Internet" [2006-11-16 13:20:27] yet [2006-11-16 13:21:27] hmm, we've seen wireless routers and such with incorrect/old addresses for dns/ntp/etc... maybe that? 
some vendor devices (dsl, cable modem, etc) [2006-11-16 13:22:03] probably it is possible to detect if some of those queries are recursive [2006-11-16 13:22:29] that would be an idea if they are coming from bad resolv.conf files and appliances [2006-11-16 13:22:34] what was the name that had the old B root IP? [2006-11-16 13:23:09] 128.9.0.17 [2006-11-16 13:23:11] 107 [2006-11-16 13:23:11] i.e., what name did UltraDNS change the IP address for? [2006-11-16 13:23:23] didn;t change teh name [2006-11-16 13:23:28] what name? [2006-11-16 13:23:37] b.root-servers.net? [2006-11-16 13:23:49] some old reslvers had the old ip address hard coded in the referral [2006-11-16 13:23:52] your servers were responding to b.root-servers.net/IN/A with the old IP? [2006-11-16 13:23:58] you mean old servers :-) [2006-11-16 13:24:10] resolvers ask queries, servers answer queries :-) [2006-11-16 13:24:38] matt-larson: hmm.... [2006-11-16 13:25:10] matt-larson: we should talk about that last statement, it is true less and less each day. [2006-11-16 13:25:27] or rather, the two functoins are becoming a union [2006-11-16 13:25:32] for better or worse, I'm not sure. [2006-11-16 13:25:43] 1200 queries/second to the old J root address RIGHT NOW THIS MOMENT [2006-11-16 13:25:56] oh, should I stop doing that? [2006-11-16 13:26:01] from how many different IP addresses [2006-11-16 13:26:04] ;-) [2006-11-16 13:26:15] don't know, but can check when back in the office [2006-11-16 13:26:17] djbdns default installs probably? :-) [2006-11-16 13:27:02] are there 1200 djbdns installs now? 
[2006-11-16 13:27:18] that questions isn;t really relevant to this [2006-11-16 13:27:29] for a variety of reasons, "upward referrals" should be stopped: draft-koch-dns-unsolicited-queries-00.txt [2006-11-16 13:27:30] that assumes 1 qps per nameserver ;-) [2006-11-16 13:27:31] Here's a link to the NANOG presentation: [2006-11-16 13:27:32] http://www.nanog.org/mtg-0410/pdf/kosters.pdf [2006-11-16 13:27:36] vix: the power of xen. :-) [2006-11-16 13:27:53] hmm, just saw that an old Debian machine with Bind 9.2.1 still has the old address... [2006-11-16 13:28:05]*davidu checks what we're using.... [2006-11-16 13:28:05] in teh hints file [2006-11-16 13:28:06] ? [2006-11-16 13:28:19] yep [2006-11-16 13:28:31] indeed, maybe ubuntu/linux/other-vendors are upgrading the versions of bind but not hints [2006-11-16 13:28:31] slides 9-12 of the presentation link I posted address the question, "Why are people querying the old J root address?" [2006-11-16 13:28:48] It's an unsolved question and I'm quite interested in the answer... Maybe the next OARC meeting [2006-11-16 13:29:03] Suggestions for ways to slice and dice the traffic comin to the old address are welcome [2006-11-16 13:29:09] I am happy to report on the distribution of IP addresses [2006-11-16 13:29:16] don't have easy historical data, but can trend going forward [2006-11-16 13:29:28] There must be a certain percentage that are severs that were installed and forgotten. [2006-11-16 13:29:30] Rodney: for our IP of b root in our code. [2006-11-16 13:31:25] matt, can i have pcap files for the oarc repo? 
[2006-11-16 13:31:53]--- davidu has left [2006-11-16 13:33:25]--- sleach has left [2006-11-16 13:33:32]--- pk has left: Computer went to sleep [2006-11-16 13:33:42]--- PeterLosher/ISC has left [2006-11-16 13:34:11] Have muted audio for lunch - back @ 13:30 [2006-11-16 13:34:13]--- koji has left [2006-11-16 13:35:00]--- ilyasukhar has left [2006-11-16 13:35:19]--- sebastian.castro has left [2006-11-16 13:50:19]--- ilyasukhar (ilyasukhar@jabber.org/Home) has become available [2006-11-16 13:50:34]--- suresh has left [2006-11-16 14:10:54]--- wessels (wessels@jabber.oarc.isc.org/Gaim) has become available [2006-11-16 14:13:37] matt, could we send you a DSC box that collects old-j-root traffic? [2006-11-16 14:25:04]--- vix has left [2006-11-16 14:34:04]--- sleach@jabber.ultradns.net (sleach@jabber.ultradns.net/Adium) has become available [2006-11-16 14:34:35]--- koji (koji@jabber.registro.br/Psi) has become available [2006-11-16 14:35:36] http://public.oarci.net/files/workshop-2006/Lorenzen-PassiveDNS.pdf [2006-11-16 14:35:55]--- pk (pkoch@jabber.oarc.isc.org/Psi) has become available [2006-11-16 14:41:07]--- glozano has left [2006-11-16 14:41:13]--- vix (vixie@jabber.oarc.isc.org/human) has become available [2006-11-16 14:42:42]--- sebastian.castro (sebastian.castro@jabber.org/Work) has become available [2006-11-16 14:42:51] if folks want to index data for possible research use but aren't comfortable turning files over, that's what caida built www.datcat.org for (it took 4 years and a million US tax dollars so it better be damn useful) [2006-11-16 14:47:19] a good question would have been "How many people plan to participate". :-/ [2006-11-16 14:47:20] keep the timestamp and ttl [2006-11-16 14:48:23] timestamp and ttl are in both sql schemas i've seen [2006-11-16 14:49:32] hrm.. too late for this question, I guess.. but I'm wondering if anyone's logging things other than the answer section of a response. 
I'd be interested to know when bad delegations are being passed around. [2006-11-16 14:49:38] add in the whois data too :-) [2006-11-16 14:50:01] rodney, the participants on the collector side will be those who run recursive servers and are willing to share copies of the responses they hear from authority servers. in other words, almost none of the people in this room / on this call. [2006-11-16 14:50:25] matt, yes, the plan is to store the whole response, all four sections. [2006-11-16 14:50:58] vix: would be nice if it's not just recursives, but traffic crossing a network generally (although you might catch private data local only to the site) [2006-11-16 14:50:59] ah, good. So maybe someday I'll get an answer to the question of why I see queries for TLDs other than mine. :) [2006-11-16 14:51:25] anycast instances talking to anycast instances maybe? [2006-11-16 14:52:12] jtk, i disagree, that wouldn't be nice. my rule is that in the core, only packet headers should be analyzed. to analyze content, you should get one endpoint or the other to do the collection. [2006-11-16 14:52:37] matt, yes, i get all kinds of odd queries for which i'd like to know who has delegated what in order to implicate my servers. [2006-11-16 14:52:47]--- mave007@CL has left [2006-11-16 14:54:51] vix: i think i wasn't clear, i'll try to explain my point to april in person later [2006-11-16 14:58:23] That's an interesting change. [2006-11-16 15:00:07] link for the current presentation? [2006-11-16 15:00:18] http://public.oarci.net/files/workshop-2006/Larson-Anycast.pdf [2006-11-16 15:00:24] thanks [2006-11-16 15:02:33] did you guys hear that? [2006-11-16 15:04:21] matt: hear which? [2006-11-16 15:04:49] it was a couple questions ago now.. 
about what was implied by "simultaneous query" [2006-11-16 15:05:51] The question was whether a simultaneous query was two sources asking the same question of multiple j-root instances, or just two sites asking some question (related or not) of multiple instances. [2006-11-16 15:06:00] It was the latter. [2006-11-16 15:13:35] could part of the strange occurrences be explained with source address spoofing ? [2006-11-16 15:17:07] Mic was switched off for last qn, "were the flaps associated with particular j instances ?" [2006-11-16 15:17:16] Matt says did not analyze [2006-11-16 15:22:13]--- PeterLosher/ISC (plosher@jabber.isc.org/Laptop) has become available [2006-11-16 15:23:54] backscatter? [2006-11-16 15:25:37] spamhaus [2006-11-16 15:26:47]--- Antoin has left [2006-11-16 15:27:04]--- roy-h has left [2006-11-16 15:27:41]--- roy-h (rhooper@jabber.oarc.isc.org/Adium) has become available [2006-11-16 15:28:31] I don't believe, for example, that PHP can send UDP packets, but it can do TCP. (PHP being a commonly exploited environment) [2006-11-16 15:29:46] php can send udp packets (embarrassed I know that) [2006-11-16 15:30:15] ah okay. i wasn't sure. [2006-11-16 15:30:32] does anyone know if per-packet load balancers treat UDP differently than TCP? [2006-11-16 15:31:39] ie, they would be smart enough to keep a TCP flow on the same link? [2006-11-16 15:32:38] from what I have heard (not seen) the pplb implementations do just that, and ignore flows. [2006-11-16 15:33:06] for udp, not tcp [2006-11-16 15:35:37] alteon and other L4 switches that do pplb almost always have an option which is almost always turned on that makes it do the same flow hashing as OSPF ECMP, so packets which are part of the same flow will be on the same path. [2006-11-16 15:35:42] http://public.oarci.net/files/workshop-2006/Jafaar-BGPanycast.pdf [2006-11-16 15:36:00] for udp also? 
[2006-11-16 15:36:06] if so, its not pplb ;-) [2006-11-16 15:36:19] more like pflb [2006-11-16 15:36:30] for udp also, due to nfs mobygram reassembly performance defects that occur otherwise. [2006-11-16 15:36:47] was going to say, some version of IOS would do per *destination* balancing for tcp flows (to keep it on the same path) [2006-11-16 15:36:52] it would have to do so, else it would break EDNS0 [2006-11-16 15:36:54] right, but it's called "load balancing" and it is or isn't per-packet vs. per-flow based on option settings that are not well described or well understood. [2006-11-16 15:37:46] wrt 'U [2006-11-16 15:37:51] as to L3 switches like extreme and foundry, they hash based on mac, so they TEND to keep flows together across IX fabrics, unless the endpoints are fancy or the IX participants are multiply connected to the same IX fabric. [2006-11-16 15:38:17] sorry: wrt TCP without UDP: TC might have come from a different server with resolver going to 'J' only after that [2006-11-16 15:39:51] btw, i just sent http://lists.oarci.net/pipermail/dns-operations/2006-November/001119.html and would be happy to discuss it at the bar tonight if i were in seattle... [2006-11-16 15:44:56]--- davidu (davidu@jabber.tisf.net/Psi) has become available [2006-11-16 15:46:13] matt-larson: good talk -- thinking about the random RSTs you see. Is it possible it's just "awesome" network security guys who setup their ipf/ipfw/iptables/pf firewall rules to send a RST on tcp:53 since "nobody needs TCP for dns" .... [2006-11-16 15:46:28] when it sees a policy violation [2006-11-16 15:46:38]--- Mike Damm has left: Replaced by new connection [2006-11-16 15:46:39]--- Mike Damm (mike@jabber.damm.info/Psi) has become available [2006-11-16 15:46:46]--- krellis (krellis@livejournal.com/Pandion) has become available [2006-11-16 15:48:59] David: Thanks. I was looking at RSTs sent by J root, not received. [2006-11-16 15:50:06] Duane "Mr. 
Lightning" Wessels [2006-11-16 15:50:37] matt-larson: ahh, of course. sorry. clearly you can run your firewalls. :-) [2006-11-16 15:51:42] matt: could be that you're getting ACKs from victims who are getting packets spoofed from your addr/port 53? [2006-11-16 15:51:53] I did see other, legitmate, RSTs sent, though, e.g., clients who tried to keep connections open. After a few keepalives, we eventually grow tired of them and sent an RST. :-) [2006-11-16 15:52:11] John: But that would mean spoofing a TCP connection? [2006-11-16 15:53:22] http://dns.measurement-factory.com [2006-11-16 15:53:24] A sends TCP syn to B, forged with J addr/src port 53, B sends SYN/ACK to J, J sends RST to B [2006-11-16 15:53:34] then survey, open resolvers, database lookup [2006-11-16 15:53:34] http://dns.measurement-factory.com/cgi-bin/openresolverquery.pl [2006-11-16 15:53:42] Thanks Roy [2006-11-16 15:55:49] about transitions among servers: could that be explained by servers switching because the origin is close to two instances [2006-11-16 15:55:59] and one instance is good by AS-Path length metric [2006-11-16 15:56:04] and the other, by RTT [2006-11-16 15:56:34] so the origin is moving back and forth [2006-11-16 15:57:45] Sebastian, I will let those with strong BGP fu comment on that possibility [2006-11-16 15:59:30]--- ilyasukhar has left [2006-11-16 15:59:52] a simplier question: how long did you take to analyze the whole data? 
[2006-11-16 16:00:04] I've done similar analysis on .CL traces [2006-11-16 16:00:38] probably we don't have your computing power, and took several hours in one multi-processor computer [2006-11-16 16:03:34]--- weiler has left [2006-11-16 16:04:26]--- ilyasukhar (ilyasukhar@jabber.org/Home) has become available [2006-11-16 16:06:42]--- PeterLosher/ISC has left: Computer went to sleep [2006-11-16 16:14:02]--- ogud has left [2006-11-16 16:19:18] sebastian, note that oarc members can upload trace data to the hardware nsf bought for us, and run your analysis there, as long as the results are in support of the infrastructure (like .CL service) [2006-11-16 16:21:07] I wonder if anyone has explored the effects of a route science kind of box on an anycast network. [2006-11-16 16:23:05] what does a routescience box do exactly? most of us who anycast have monitoring boxes at every node. [2006-11-16 16:25:10] route science tries to pick the "best" route for traffic [2006-11-16 16:25:58] then routescience is selling snake oil. but i suspect we'd be happy to run skitter. [2006-11-16 16:26:00] vix: it uses ping and traceroute and other non-bgp metrics to try and make bgp feel like an IGP [2006-11-16 16:26:15] and it inserts /32's and /24's to route more specifics [2006-11-16 16:26:18] down certain uplinks [2006-11-16 16:26:24] or so my stupid brain understands it. [2006-11-16 16:26:41] it optimizes yer rooters [2006-11-16 16:28:08] like i said, snake oil. but i suspect that most anycasters are willing to collect skitter data if that'll help pinpoint whatever we'd like to learn about anycast that you thought routescience could teach us. [2006-11-16 16:31:24]--- PeterLosher/ISC (plosher@jabber.isc.org/Laptop) has become available [2006-11-16 16:34:17] http://public.oarci.net/files/workshop-2006/Musashi-Countermeasures.pdf [2006-11-16 16:34:19] Sebastian: just saw your question about time and hardware for analysis. 
The only challenging aspect was the size of the UDP tcpdump data set--about 12 GB compressed (if memory serves). But that's easily within reach of just about any hard disk. I made one pass through the dumps to extract for every query. I did that on an Opteron box, just to speed things up, but would have still been possible on just about any hardware. Most of the rest of the crunching and analysis I did on a my Macbook Pro, actually. [2006-11-16 16:35:14] how long did take? [2006-11-16 16:35:26]--- krellis has left [2006-11-16 16:35:37] it just a silly question, to know and talk to my students ;-) [2006-11-16 16:35:39] I'm sorry, but I can't remember, but not longer than an hour. [2006-11-16 16:45:14] matt: what did you use to get the geolocation info for the query sources? [2006-11-16 16:45:46] Digital Envoy [2006-11-16 16:45:49] Mark K did all that work [2006-11-16 16:45:56] ah, okay. thanks [2006-11-16 16:45:58] His xplanet fu is strong! [2006-11-16 16:46:03] hehheh [2006-11-16 16:46:29] I'll bug him about it later, then. thanks [2006-11-16 16:51:15] About geolocalization, check out http://www.cs.cornell.edu/~bwong/Octant/query.html (or generally, http://www.cs.cornell.edu/~bwong/octant/). Hope that's not too off topic. [2006-11-16 16:57:36]--- mo7sen (mo7sen75@jabber.org/Psi) has become available [2006-11-16 17:02:50]--- mo7sen has left: Logged out [2006-11-16 17:03:00]--- mo7sen (mo7sen75@jabber.org/Psi) has become available [2006-11-16 17:03:46] ilyasukhar: some of that is more like coordinate systems right? less than literal real-world geolocation? or am I thinking of meridian and some of the other projects....? [2006-11-16 17:03:59] network plane/coordinate systems, but not mapped to phsyical location [2006-11-16 17:04:18] Meridian is the network one. 
Octant is physical -- plug in opendns and it'll put it on a google map [2006-11-16 17:04:20] ilyasukhar: nevermind, I just wet to the site [2006-11-16 17:04:24] ilyasukhar: yeah, sorry [2006-11-16 17:04:32] ilyasukhar: opendns is anycasted [2006-11-16 17:04:33] :-) [2006-11-16 17:04:38] :) [2006-11-16 17:04:38]--- weiler (weiler@jabber.org/Gaim) has become available [2006-11-16 17:04:40] 209.67.222.222 better be in seattle!!! [2006-11-16 17:04:50] not my project, dont skewer me if it doesn't work [2006-11-16 17:05:01] I guess it'll be in NYC or ASH from cornell [2006-11-16 17:05:04] depends on what box it's running on [2006-11-16 17:05:38] oh, it must use a lot. it can't triangulate it, I broked it: :-) http://gattaca.cs.cornell.edu:8080/?url=208.67.222.222 [2006-11-16 17:09:21]--- mo7sen has left: Logged out [2006-11-16 17:11:10]--- sleach@jabber.ultradns.net has left [2006-11-16 17:13:51] Updating next presentation on website, please wait... [2006-11-16 17:13:59] http://public.oarci.net/files/workshop-2006/Huffaker-TwoDays.pdf [2006-11-16 17:14:15] Above URL is not up to date [2006-11-16 17:15:10]--- trall has left [2006-11-16 17:18:38] Now on slide 8 [2006-11-16 17:25:31] he's now talking about www.datcat.org, the thing i mentioned earlier [2006-11-16 17:26:14] colleen gave a slide deck on it, not the same slides, but for those who do better with some written content http://www.caida.org/publications/presentations/2006/colleen_wide0611_datcat/ [2006-11-16 17:32:56] KC's talking about slide 7 [2006-11-16 17:35:19] it's a problem with the tubes in Dehli [2006-11-16 17:35:57] wow, tough room! [2006-11-16 17:36:55] I dare you to say that at the mic. 
:) [2006-11-16 17:39:00] http://public.oarci.net/files/workshop-2006/Toyono-StubIPv6.pdf [2006-11-16 17:48:38] if it's any consolation, a colleague did some research and Vista's stub resolver doesn't send AAAA queries unless it has an active IPv6 interface [2006-11-16 17:48:42] at least that's what our research showed [2006-11-16 17:48:49] it's possible there's more to it than what we were able to test [2006-11-16 17:49:37] ahh, slide 22 shows our testing didn't suck [2006-11-16 17:58:36] Any questions ? [2006-11-16 18:02:08]--- davidu has left [2006-11-16 18:02:25]--- ilyasukhar has left [2006-11-16 18:05:32] Closing down audio conference until 08:30 tomorrow [2006-11-16 18:05:39] Bye and thanks for joining in ! [2006-11-16 18:06:10]--- marks has left [2006-11-16 18:06:12]--- PeterLosher/ISC has left [2006-11-16 18:06:28]--- markk has left [2006-11-16 18:06:31]--- wessels has left [2006-11-16 18:06:34]--- kc has left [2006-11-16 18:06:34]--- matt-larson has left: Logged out [2006-11-16 18:06:34]--- roy@uk has left [2006-11-16 18:06:53]--- bverd has left [2006-11-16 18:07:20] dns-operations list will restart @10:30 tomorrow [2006-11-16 18:07:37]--- roy-h has left [2006-11-16 18:07:47]--- koji has left [2006-11-16 18:07:49] Member-only session will use private jabber groupchat 08:30-10:00 [2006-11-16 18:08:12]--- jtk has left [2006-11-16 18:08:52]--- Rodney has left: Logged out [2006-11-16 18:09:03]--- fneves has left: Logged out [2006-11-16 18:09:07]--- Matt Pounsett has left [2006-11-16 18:29:41]*keith has set the topic to: OARC Workshop 2006 re-starts at 10:30 PST tomorrow [2006-11-16 18:29:43] Bye [2006-11-17 00:19:44]--- AprilDL (aprildl@jabber.tisf.net/Psi) has become available [2006-11-17 00:19:44]--- bwatson (bwatson@jabber.oarc.isc.org/tkabber) has become available [2006-11-17 00:19:44]--- kmkaplan (kmkaplan@im.apinc.org/Psi) has become available [2006-11-17 00:19:44]--- rstory (rstory@jabber.org/jabber) has become available [2006-11-17 09:10:28]--- AprilDL 
(aprildl@jabber.tisf.net/Psi) has become available
[2006-11-17 09:10:28]--- bwatson (bwatson@jabber.oarc.isc.org/tkabber) has become available
[2006-11-17 09:10:28]--- kmkaplan (kmkaplan@im.apinc.org/Psi) has become available
[2006-11-17 09:10:28]--- ogud (ogud@jabber.org/Exodus) has become available
[2006-11-17 09:11:11]--- AprilDL (aprildl@jabber.tisf.net/Psi) has become available
[2006-11-17 09:11:11]--- bwatson (bwatson@jabber.oarc.isc.org/tkabber) has become available
[2006-11-17 09:11:11]--- kmkaplan (kmkaplan@im.apinc.org/Psi) has become available
[2006-11-17 09:11:11]--- ogud (ogud@jabber.org/Exodus) has become available
[2006-11-17 09:12:49]--- keith (keith@jabber.oarc.isc.org/vaio1) has become available
[2006-11-17 09:25:51]--- matt-pounsett (mpounsett@jabber.oarc.isc.org/Adium) has become available
[2006-11-17 09:26:15]--- pk (pkoch@jabber.oarc.isc.org/Psi) has become available
[2006-11-17 09:26:29]--- roy-hooper (rhooper@jabber.oarc.isc.org/Adium) has become available
[2006-11-17 09:43:51]--- marks (marks@jabber.oarc.isc.org/Laptoy) has become available
[2006-11-17 09:49:03]--- jtk@jabber.oarc.isc.org (jtk@jabber.oarc.isc.org/Adium) has become available
[2006-11-17 09:49:11]--- jtk@jabber.oarc.isc.org has left
[2006-11-17 09:49:22]--- jtk (jtk@jabber.oarc.isc.org/Adium) has become available
[2006-11-17 09:51:21]--- geoff (geoff@jabber.oarc.isc.org/Gaim) has become available
[2006-11-17 10:26:07]--- roy-hooper has left
[2006-11-17 10:26:30]--- roy-hooper (rhooper@jabber.oarc.isc.org/Adium) has become available
[2006-11-17 11:13:26]--- vix (vixie@jabber.oarc.isc.org/human) has become available
[2006-11-17 11:16:56]--- suresh_k@jabber.org (suresh_k@jabber.org/Adium) has become available
[2006-11-17 11:17:53]--- suresh_k@jabber.org has left
[2006-11-17 11:33:07]--- rstory (rstory@jabber.org/jabber) has become available
[2006-11-17 11:33:57]--- weiler (weiler@jabber.org/Gaim) has become available
[2006-11-17 11:34:35]*rstory has changed the subject to: OARC Workshop 2006 re-starts at 10:30 PST tomorrow; Teleconf on +1 866 500 6738
[2006-11-17 11:36:16]*keith has set the topic to: OARC Workshop 2006: Audio on +1 866 500 6738
[2006-11-17 11:36:41] keith is calling this late meeting to order
[2006-11-17 11:39:12]--- Rodney (rjoffe@jabber.oarc.isc.org/Adium) has become available
[2006-11-17 11:39:32] URL for Roy's slides?
[2006-11-17 11:39:41]--- suresh (suresh_k@jabber.org/Adium) has become available
[2006-11-17 11:39:44] they're not being publicized
[2006-11-17 11:39:49]--- Mike Damm (mike@jabber.damm.info/Psi) has become available
[2006-11-17 11:40:06]--- bverd (bverd@ecotroph.net/Exodus) has become available
[2006-11-17 11:40:10] I thought Keith said they'd be available to the folks here, at least.
[2006-11-17 11:40:27]--- mattlarson (matt@ecotroph.net/Adium-VeriSign) has become available
[2006-11-17 11:40:27] And should NOT be discussed outside this conference, I believe.
[2006-11-17 11:40:35] DO NOT REDISTRIBUTE: http://public.oarci.net/files/workshop-2006/Arends-msdnsspoof.pdf
[2006-11-17 11:40:46] ah, okay.. guess I misheard roy earlier. my bad
[2006-11-17 11:42:38] similar to the pigeonhole principle?
[2006-11-17 11:55:23] http://en.wikipedia.org/wiki/Birthday_paradox
[2006-11-17 11:57:39]--- kc (kc@jabber.caida.org/Psi) has become available
[2006-11-17 12:00:33] slides?
[2006-11-17 12:00:48] NSEC, not NSEC3?
[2006-11-17 12:01:07] http://public.oarci.net/files/workshop-2006/Microsoft-DNSSEC.ppt
[2006-11-17 12:02:10] key rollovers?
[2006-11-17 12:05:08] What about DLV?
[2006-11-17 12:09:12]--- ilyasukhar (ilyasukhar@jabber.org/Home) has become available
[2006-11-17 12:09:35] for those that can't see, microsoft is being swarmed by the room
[2006-11-17 12:09:38] MS team available until 11:15 for discussion, session break until then
[2006-11-17 12:09:57] biz card-swapping frenzy....
[2006-11-17 12:20:12] Finally got room under control ! Panel starting, discussion with no slides
[2006-11-17 12:37:29]--- sebastian.castro (sebastian.castro@jabber.org/Work) has become available
[2006-11-17 12:40:07]--- Antoin (antoin@jabber.org/Psi) has become available
[2006-11-17 12:44:59]--- marks has left
[2006-11-17 12:49:49] 12% of UDP DNS queries to the one million packet snapshot I referred to in my presentation yesterday have a source port of 53
[2006-11-17 12:51:02] how easy is it to find the % number of source addresses that also have a source port 53?
[2006-11-17 12:51:06] i think that dns amp attacks are like source spoofing. the people who need to be able to use them don't want to use them too often lest the supply ever be choked off.
[2006-11-17 12:51:08] any explanation for those numbers?
[2006-11-17 12:51:56] explanation: old configs, I'd guess
[2006-11-17 12:52:37] i thought i have the source ports on my data
[2006-11-17 12:52:45] Many people configured BIND 8 to use source port 53 because that's what BIND 4 did and things no longer worked when they upgraded
[2006-11-17 12:52:51] and I suspect many of those legacy configs endure
[2006-11-17 12:52:53] i'm going to try to get an additional view...
[2006-11-17 12:53:26] Matt, I will crunch numbers to answer your question...
[2006-11-17 12:53:32] thanks
[2006-11-17 12:54:01] bind8 did not originally have the option of setting the source port on queries. we had to add it because people complained that without this bind4-like behaviour as an option, they could not upgrade from bind4. all because of firewall configs, apparently.
[2006-11-17 12:55:01]--- dagon (dagon@jabber.oarc.isc.org/Psi) has become available
[2006-11-17 12:55:17]--- bverd has left
[2006-11-17 12:55:25]--- bverd (bverd@ecotroph.net/Exodus) has become available
[2006-11-17 12:55:32]--- bverd has left
[2006-11-17 12:57:28]--- bverd (bverd@jabber.org/Gaim) has become available
[2006-11-17 12:59:28]--- suresh has left
[2006-11-17 13:00:59] regarding Matt's questions about source IP addresses for source port 53 vs. non source port 53...
[2006-11-17 13:01:07] in my one million packet sample:
[2006-11-17 13:01:28] 1948 source IP addresses send with source port 53
[2006-11-17 13:01:41] 16997 source IP addresses send with non source port 53
[2006-11-17 13:01:48] that's 11.4% send source port 53
[2006-11-17 13:01:51] so same ratio
[2006-11-17 13:01:52] interesting
[2006-11-17 13:05:21] thanks matt. We're running some crunches on samples from our servers as well.. will report back in a few minutes
[2006-11-17 13:08:31] Rodney: any fingerprinting of those? I'm curious to know if they tend to be DNSSEC-aware (will pass DNSSEC data unmangled).
[2006-11-17 13:09:43] i'm analyzing some pcap files for source port
[2006-11-17 13:09:51] i hope i can get the number on time
[2006-11-17 13:10:12]--- koji (koji@jabber.registro.br/Psi) has become available
[2006-11-17 13:11:19] matt: in one case, scanning 2.3 million queries got 13831 source IPs w/ source port 53, out of a total 134573 source IPs (10.2%). In another, 2.1 million queries got 12202 source IPs out of 120978 with a source port 53 (10.1%)
[2006-11-17 13:11:24] so, pretty close to your numbers.
[2006-11-17 13:11:31] http://public.oarci.net/files/workshop-2006/Losher-DLV.pdf
[2006-11-17 13:12:18] in a similar scan to matt p's on a different nameserver of ours, total queries 595034/6369734 (9.3%) had port 53 sources, from 209544 ips, 19900 (9.5%) of which had port 53 sources.
[2006-11-17 13:12:33]--- mattlarson has left
[2006-11-17 13:12:59]--- wessels (wessels@jabber.oarc.isc.org/Gaim) has become available
[2006-11-17 13:13:21] sebastian.castro: did you ever make your enhancements to dnstop available?
[2006-11-17 13:13:52]--- davidu (davidu@jabber.tisf.net/Psi) has become available
[2006-11-17 13:13:59] fyi... I did a brief presentation at a prior nanog and I showed the usage of source ports in some slides: http://www.nanog.org/mtg-0602/lightning.html
[2006-11-17 13:16:03] thanks jtk
[2006-11-17 13:16:14]--- matt (matt@ecotroph.net/Adium-VeriSign) has become available
[2006-11-17 13:17:06] not yet, i'd like to clear up the code first
[2006-11-17 13:17:20] but probably i will release it "as-is" and then make improvements
[2006-11-17 13:21:49] and in 9.3.latest
[2006-11-17 13:21:54] it's been out for a while
[2006-11-17 13:24:04] what's roy's own answer?
[2006-11-17 13:27:15] Paul's preferences for avoiding the IETF aside: I worked with some of ISC's hands-on folks to produce draft-weiler-dnssec-dlv-01.txt, which the IETF is welcome to do something with, including publish.
[2006-11-17 13:27:41] So does that draft exactly match ISC's implementation of DLV?
[2006-11-17 13:31:32] I prefer not to make statements about ISC's code, however MarkA has made a (somewhat vaguely worded) public statement on the topic.
[2006-11-17 13:31:46] Weiler says Mark Andrews claims it does, but that no one has specifically checked.
[2006-11-17 13:32:19] Sam, you beat me to it. :)
[2006-11-17 13:33:00] matt and matt.
[2006-11-17 13:33:12] my numbers showed a 10% of queries coming from source port 53
[2006-11-17 13:33:26] seems to be consistent with your findings
[2006-11-17 13:33:39]--- roy@uk (roy@dnss.ec/mbp) has become available
[2006-11-17 13:34:29] Hummmm. Paul making assertions about what others have and haven't done.
[2006-11-17 13:36:30]--- jad (jad@port53.org.uk/Psi) has become available
[2006-11-17 13:37:39]--- jad has left
[2006-11-17 13:38:46]--- koji has left
[2006-11-17 13:39:34] Breaking for lunch until 13:30 PST
[2006-11-17 13:41:03]--- weiler has left
[2006-11-17 13:44:00]--- marks (marks@jabber.oarc.isc.org/Laptoy) has become available
[2006-11-17 13:50:59]--- kc has left
[2006-11-17 14:05:42]--- bverd has left
[2006-11-17 14:12:53]--- bverd (bverd@jabber.org/Gaim) has become available
[2006-11-17 14:13:50]--- davidu has left
[2006-11-17 14:14:06]--- matt has left: Logged out
[2006-11-17 14:18:00]--- kc (kc@jabber.caida.org/Psi) has become available
[2006-11-17 14:18:27]--- Antoin has left
[2006-11-17 14:18:53]--- matt (matt@ecotroph.net/Adium-VeriSign) has become available
[2006-11-17 14:19:13]--- matt has left
[2006-11-17 14:19:26]--- mattlarson (matt@ecotroph.net/Adium-VeriSign) has become available
[2006-11-17 14:35:00]--- koji (koji@jabber.registro.br/Psi) has become available
[2006-11-17 14:38:13] http://public.oarci.net/files/workshop-2006/Dickinson-Performance.pdf
[2006-11-17 14:39:16] wrt sam's earlier comment about marka's comments on draft-weiler-dnssec-dlv-01.txt, i want to make sure everybody knows about http://www.isc.org/pubs/tn/isc-tn-2006-1.txt
[2006-11-17 14:44:25] did you try binding multiple named processes to each ip address as well?
[2006-11-17 14:46:06] One point to make about the T2000: it's apparently optimised to act as a web server, so if you run something like sieve (integer performance benchmark) on it, it's surprisingly slow (something like a third of the performance of a 3.2 MHz AMD), but the system is heavily tuned for threading, so is quite powerful as a server.
[2006-11-17 14:47:43] maybe he should have redirected the output to /dev/null
[2006-11-17 14:50:21] can someone relay my question: did he try binding multiple named processes to each ip address as well?
[2006-11-17 14:51:06] thanks
[2006-11-17 14:51:12] Any other qns for John ?
[2006-11-17 14:51:33] Geoff S commenting
[2006-11-17 14:52:08] i have a question for john:
[2006-11-17 14:52:35] did his BIND9 9.4.x version have atomic ops for the T2000? (--enable-atomic actually did something?)
[2006-11-17 14:54:20] it makes a huge difference on normal sparcs and opterons.
[2006-11-17 14:55:54] http://public.oarci.net/files/workshop-2006/Koch-dnsop67.pdf
[2006-11-17 15:01:27]--- sebastian.castro has left: Replaced by new connection
[2006-11-17 15:03:09] what does -enable-atomic do?
[2006-11-17 15:03:29] bind goes nuclear of course
[2006-11-17 15:09:59]--- weiler (weiler@jabber.org/Gaim) has become available
[2006-11-17 15:10:41] --enable-atomic tells the BIND9 i/o core ("task manager") to wrap its pthread semaphore calls inside macros that use processor-specific atomic-test-and-set instructions to avoid the system calls most of the time. (we thought, when designing BIND9, that pthreads did this, because BSD MMAP had done it ten years earlier, but, we were terribly terribly wrong.)
[2006-11-17 15:11:34] --enable-atomic is the reason 9.4 goes faster on multiprocessor than uniprocessor systems. it was done by jinmei of WIDE and KAME fame, based on the generous donation of his time and a travel budget by his employer (toshiba).
[2006-11-17 15:12:30] http://public.oarci.net/files/workshop-2006/Dagon-Malware.pdf
[2006-11-17 15:17:38]--- sebastian.castro (sebastian.castro@jabber.org/Work) has become available
[2006-11-17 15:37:58]--- PeterLosher/ISC (plosher@jabber.isc.org/Laptop) has become available
[2006-11-17 15:38:17] url?
[2006-11-17 15:38:25] http://public.oarci.net/files/workshop-2006/Dagon-DNSBL.pdf
[2006-11-17 15:50:54]--- fneves@jabber.registro.br (fneves@jabber.registro.br/Adium) has become available
[2006-11-17 15:54:23]--- Rodney has left
[2006-11-17 15:54:45] Any questions for David ?
[2006-11-17 15:54:50]--- weiler has left
[2006-11-17 15:55:26]--- Rodney (rjoffe@jabber.oarc.isc.org/Adium) has become available
[2006-11-17 15:56:33]--- Rodney has left
[2006-11-17 15:58:22]--- ogud has left: Replaced by new connection
[2006-11-17 16:33:00] Any qns ?
[2006-11-17 16:39:21] I guess .com and .net are a problem, then, since all name servers have a consistent origin AS
[2006-11-17 16:39:51] only if you use the default configuration for zonecheck :)
[2006-11-17 16:40:06] I guess we can't have .com as a subdomain of .fr then
[2006-11-17 16:41:43] in that case, the tool should check for AS-Path
[2006-11-17 16:42:10] or just mark everything a warning
[2006-11-17 16:42:22] in the case of anycast, the same ASN will be part of different path (probing the existence of different instances)
[2006-11-17 16:42:33] when IANA asked for delegation policy for TLD
[2006-11-17 16:42:37] that idea was proposed
[2006-11-17 17:12:21] Any questions for Carl ?
[2006-11-17 17:18:41] closing down teleconf - thanks !
[2006-11-17 17:22:11]*keith has set the topic to: OARC Workshop 2006 now finished - thanks for participating !