On DNS for postgresql.org
Hi,
Now that the DNS is back (thanks!), I thought I'd ask why the ra bit
is set on the responses. Are those servers providing recursion to
the whole Net? (They seem to be.) If so, that's a Bad Thing.
A
--
Andrew Sullivan | ajs@crankycanuck.ca
If they don't do anything, we don't need their acronym.
--Josh Hamilton, on the US FEMA
On Sep 6, 2006, at 9:50 AM, Andrew Sullivan wrote:
Hi,
Now that the DNS is back (thanks!), I thought I'd ask why the ra bit
is set on the responses. Are those servers providing recursion to
the whole Net? (They seem to be.) If so, that's a Bad Thing.
There's not anything like universal agreement on whether that's
a bad thing, or not. Also the servers are volunteer provided, so
it's not really anyone's business other than the server owners.
Cheers,
Steve
Andrew Sullivan wrote:
Hi,
Now that the DNS is back (thanks!), I thought I'd ask why the ra bit
is set on the responses. Are those servers providing recursion to
the whole Net? (They seem to be.) If so, that's a Bad Thing.
A
Yes, they do seem to be and yes it probably is a Bad Thing:
$ dig @ns3.hub.org www.mysql.com
; <<>> DiG 9.3.1 <<>> @ns3.hub.org www.mysql.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58427
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;www.mysql.com. IN A
;; ANSWER SECTION:
www.mysql.com. 3600 IN A 213.115.162.29
www.mysql.com. 3600 IN A 213.115.162.82
www.mysql.com. 3600 IN A 213.136.52.29
www.mysql.com. 3600 IN A 213.136.52.82
;; AUTHORITY SECTION:
mysql.com. 3600 IN NS dns1.mysql.com.
mysql.com. 3600 IN NS dns2.mysql.com.
mysql.com. 3600 IN NS dns3.mysql.com.
mysql.com. 3600 IN NS dns5.mysql.com.
;; Query time: 409 msec
;; SERVER: 200.46.204.254#53(200.46.204.254)
;; WHEN: Wed Sep 6 10:15:56 2006
;; MSG SIZE rcvd: 171
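Added example, not part of the original thread: the check that the dig output above performs by eye (ra flag set and answers returned for a name the server is not authoritative for), written as a small Python header parser. The function names and the two sample headers are this example's own; the first sample is constructed from the header fields printed by dig above.

```python
import socket
import struct

# Bit masks in the 16-bit flags word of the DNS header (RFC 1035, section 4.1.1).
QR, RD, RA, RCODE = 0x8000, 0x0100, 0x0080, 0x000F

def build_query(name, qid=0x1234):
    """Build an A/IN query with RD set, as dig does by default."""
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_header(msg):
    """Decode the fixed 12-byte header into the fields dig prints."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & RCODE,
            "query": qd, "answer": an, "authority": ns, "additional": ar}

def classify(msg):
    """Judge a response to a query for a name OUTSIDE the server's own zones."""
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["ra"] and h["rcode"] == 0 and h["answer"] > 0:
        return "open-recursion"      # it resolved a foreign name for us
    if h["ra"]:
        return "ra-set-no-answer"    # advertises recursion, this query not resolved
    return "recursion-not-offered"   # ra clear: authoritative-only towards this client

def probe(server, foreign_name, timeout=3.0):
    """Live check against a server you operate (not run by this example)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(foreign_name), (server, 53))
        return classify(s.recv(4096))

# Constructed samples (headers only). SAMPLE_OPEN mirrors the dig header above:
# id 58427, flags qr rd ra, QUERY 1, ANSWER 4, AUTHORITY 4, ADDITIONAL 0.
SAMPLE_OPEN = struct.pack("!HHHHHH", 58427, QR | RD | RA, 1, 4, 4, 0)
# A server that refuses recursion: qr rd set, ra clear, rcode 5 (REFUSED).
SAMPLE_REFUSED = struct.pack("!HHHHHH", 58427, QR | RD | 5, 1, 0, 0, 0)

if __name__ == "__main__":
    print(classify(SAMPLE_OPEN), classify(SAMPLE_REFUSED))
```

The test only means something when the queried name lies outside the zones the server is authoritative for, and when it is sent from an address the server has no reason to treat as a local client.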
On Wed, Sep 06, 2006 at 09:59:29AM -0700, Steve Atkins wrote:
There's not anything like universal agreement on whether that's
a bad thing, or not.
Uh, well, there sure is right now among TLD operators. Wide-open
recursion is being used in a denial of service attack that causes
orders-of-magnitude amplification traffic against the target servers.
In fact, there are some who are blacklisting open recursive servers,
and there's an effort afoot to get the news out:
http://tools.ietf.org/wg/dnsop/draft-ietf-dnsop-reflectors-are-evil/
(Another draft is expected Real Soon Now, with a less-inflammatory
filename.)
Also the servers are volunteer provided, so
it's not really anyone's business other than the server owners.
Given that the entire postgresql.org infrastructure just went off the
air because of what sure looked to me like an error in
administration, I submit that it _is_ others' business how the
infrastructure is managed
A
--
Andrew Sullivan | ajs@crankycanuck.ca
The plural of anecdote is not data.
--Roger Brinner
steve@blighty.com (Steve Atkins) writes:
On Sep 6, 2006, at 9:50 AM, Andrew Sullivan wrote:
Now that the DNS is back (thanks!), I thought I'd ask why the ra bit
is set on the responses. Are those servers providing recursion to
the whole Net? (They seem to be.) If so, that's a Bad Thing.
There's not anything like universal agreement on whether that's a
bad thing, or not.
I'll leave that to others...
Also the servers are volunteer provided, so it's not really anyone's
business other than the server owners.
If you are fine with people casting arbitrary aspersions against the
users of PostgreSQL, then perhaps so.
I wouldn't expect any self-respecting project that prides itself on
reliability would be willing to live with this, though...
--
let name="cbbrowne" and tld="acm.org" in name ^ "@" ^ tld;;
http://www3.sympatico.ca/cbbrowne/linuxdistributions.html
'Typos in FINNEGANS WAKE? How could you tell?' -- Kim Stanley Robinson
Also the servers are volunteer provided, so
it's not really anyone's business other than the server owners.
Given that the entire postgresql.org infrastructure just went off the
air because of what sure looked to me like an error in
administration, I submit that it _is_ others' business how the
infrastructure is managed
When you commit to providing services to this community, it is
absolutely the business of that community on how the infrastructure is
managed.
The people offering these services have a responsibility to insure that
their infrastructure is well managed. If people are not up to that
responsibility, there are plenty of providers willing to take it on.
Sincerely,
Joshua D. Drake
A
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/
On Sep 6, 2006, at 5:29 PM, Joshua D. Drake wrote:
Also the servers are volunteer provided, so
it's not really anyone's business other than the server owners.
Given that the entire postgresql.org infrastructure just went off the
air because of what sure looked to me like an error in
administration, I submit that it _is_ others' business how the
infrastructure is managed
When you commit to providing services to this community, it is
absolutely the business of that community on how the infrastructure
is managed.
It is the business of the community that the services provided are
adequate and stable, certainly. That's become rather obvious recently.
Irrelevant details of the server configuration that do not directly
affect those services aren't really something to gossip about on a
public mailing list, though.
The two are quite different things.
The people offering these services have a responsibility to insure
that their infrastructure is well managed. If people are not up to
that responsibility, there are plenty of providers willing to take
it on.
Cheers,
Steve
Steve Atkins wrote:
On Sep 6, 2006, at 5:29 PM, Joshua D. Drake wrote:
When you commit to providing services to this community, it is
absolutely the business of that community on how the infrastructure
is managed.
It is the business of the community that the services provided are
adequate and stable, certainly. That's become rather obvious recently.
Irrelevant details of the server configuration that do not directly
affect those services aren't really something to gossip about on a
public mailing list, though.
The two are quite different things.
Andrew was apparently suggesting that the configuration issue he
mentioned is not irrelevant, and may be the actual cause of the
problems. Since he works for a domain registrar, I'm prepared to assume,
at least as a working hypothesis, that he knows what he's talking about.
At the least, I suggest it's wise to consider his opinion rather than
tell him it's not his business.
Tim
--
-----------------------------------------------
Tim Allen tim@proximity.com.au
Proximity Pty Ltd http://www.proximity.com.au/
When you commit to providing services to this community, it is
absolutely the business of that community on how the infrastructure is
managed.
It is the business of the community that the services provided are
adequate and stable, certainly. That's become rather obvious recently.
Irrelevant details of the server configuration that do not directly
affect those services aren't really something to gossip about on a
public mailing list, though.
I can agree with that.
Sincerely,
Joshua D. Drake
The two are quite different things.
The people offering these services have a responsibility to insure
that their infrastructure is well managed. If people are not up to
that responsibility, there are plenty of providers willing to take it on.
Cheers,
Steve
---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/
On Sep 6, 2006, at 5:58 PM, Tim Allen wrote:
Steve Atkins wrote:
On Sep 6, 2006, at 5:29 PM, Joshua D. Drake wrote:
When you commit to providing services to this community, it is
absolutely the business of that community on how the
infrastructure is managed.
It is the business of the community that the services provided
are adequate and stable, certainly. That's become rather obvious
recently.
Irrelevant details of the server configuration that do not
directly affect those services aren't really something to gossip
about on a public mailing list, though.
The two are quite different things.
Andrew was apparently suggesting that the configuration issue he
mentioned is not irrelevant, and may be the actual cause of the
problems.
No, he wasn't.
He was arguing that having a nameserver that allows resolution to the
entire net is a bad thing because it allows abusers to wash DoS
attacks through them. That's a perfectly reasonable opinion to have,
but one that's very unlikely to be related to recent problems with
the domain in question.
Since he works for a domain registrar, I'm prepared to assume, at
least as a working hypothesis, that he knows what he's talking
about. At the least, I suggest it's wise to consider his opinion
rather than tell him it's not his business.
If we were playing DNS body part size wars then who has the bigger
DNS clue might be relevant. We're not, though. Rather I'm saying that
publicly criticizing people who volunteer services to a project,
about things that are not related to the services they're providing
is at best a little impolite.
Cheers,
Steve
Irrelevant details of the server configuration that do not directly
affect those services aren't really something to gossip about on a
public mailing list, though.
The two are quite different things.
Andrew was apparently suggesting that the configuration issue he
mentioned is not irrelevant, and may be the actual cause of the
problems. Since he works for a domain registrar, I'm prepared to assume,
at least as a working hypothesis, that he knows what he's talking about.
At the least, I suggest it's wise to consider his opinion rather than
tell him it's not his business.
Well, I can vouch for Andrew and his knowledge (not that he needs me to).
Joshua D. Drake
Tim
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/
* Steve Atkins (steve@blighty.com) wrote:
If we were playing DNS body part size wars then who has the bigger
DNS clue might be relevant. We're not, though. Rather I'm saying that
publicly criticizing people who volunteer services to a project,
about things that are not related to the services they're providing
is at best a little impolite.
They provide DNS. It's about the DNS service they provide being
potentially abusable to DoS and possibly blacklisted (thus causing
non-obvious outage to portions of the network). Therefore, it's
certainly regarding the services they're providing and how what they're
doing could affect usage of that service by the community.
Now, we're certainly very grateful for the services provided and for the
time spent by the hard working admins to keep everything going. This
wasn't an attack on them but rather an attempt to bring to their
attention an issue they may not have been aware of and may be quite
happy to look into. Unfortunately, your insistence that it's bad to be
public about a public service, even after being corrected multiple
times, has made it into an attack which you're trying to defend the
admins against without any call or request from them for you to.
Indeed, they may feel that bringing it up on a community list is the
appropriate and encouraged thing to do when it involves the servers or
service provided to the community.
Thanks,
Stephen
If we were playing DNS body part size wars then who has the bigger DNS
clue might be relevant. We're not, though. Rather I'm saying that
publicly criticizing people who volunteer services to a project, about
things that are not related to the services they're providing is at best
a little impolite.
Well this is fun. I suggest that you review Andrew's comments again.
Nothing he said was personal, they were direct criticisms of possible
technical administration failures.
We are not in the business of protecting egos for technical matters
here. If Andrew has said something to the effect of, "WTF Marc, do you
have a clue about what you are doing?" I would agree with your statement.
Andrew did not do any such thing. He merely presented his rather well
informed opinion on the matter of DNS and possible issues with the
current configuration. Frankly, he is correct, open recursive servers
are a bad idea. This isn't 2001, we need to be very careful with our
resources.
I see nothing wrong with that.
Sincerely,
Joshua D. Drake
Cheers,
Steve
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/
On Sep 6, 2006, at 6:41 PM, Joshua D. Drake wrote:
Irrelevant details of the server configuration that do not
directly affect those services aren't really something to gossip
about on a public mailing list, though.
The two are quite different things.
Andrew was apparently suggesting that the configuration issue he
mentioned is not irrelevant, and may be the actual cause of the
problems. Since he works for a domain registrar, I'm prepared to
assume, at least as a working hypothesis, that he knows what he's
talking about. At the least, I suggest it's wise to consider his
opinion rather than tell him it's not his business.
Well, I can vouch for Andrew and his knowledge (not that he needs
me to).
Enough. I didn't intend to insult anyone in this thread, merely
thought that one original comment was a little rude.
My apologies to anyone who's upset or been distracted. Let's go back
to database-related stuff.
Cheers,
Steve
On Thu, 7 Sep 2006, Tim Allen wrote:
Andrew was apparently suggesting that the configuration issue he
mentioned is not irrelevant, and may be the actual cause of the
problems. Since he works for a domain registrar, I'm prepared to assume,
at least as a working hypothesis, that he knows what he's talking about.
At the least, I suggest it's wise to consider his opinion rather than
tell him it's not his business.
Agreed, for which I email'd him offlist about the issue ...
----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org MSN . scrappy@hub.org
Yahoo . yscrappy Skype: hub.org ICQ . 7615664
On Wed, 6 Sep 2006, Joshua D. Drake wrote:
If we were playing DNS body part size wars then who has the bigger DNS clue
might be relevant. We're not, though. Rather I'm saying that publicly
criticizing people who volunteer services to a project, about things that
are not related to the services they're providing is at best a little
impolite.
Well this is fun. I suggest that you review Andrew's comments again. Nothing
he said was personal, they were direct criticisms of possible technical
administration failures.
Agreed ... I know I didn't take his comments personally, and as soon as I
read them, I email'd him offlist asking for pointers / elaboration, as it
was the first I knew that I might have something 'bad' setup ...
----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org MSN . scrappy@hub.org
Yahoo . yscrappy Skype: hub.org ICQ . 7615664
On Wed, Sep 06, 2006 at 06:23:06PM -0700, Steve Atkins wrote:
DNS clue might be relevant. We're not, though. Rather I'm saying that
publicly criticizing people who volunteer services to a project,
about things that are not related to the services they're providing
is at best a little impolite.
Actually, the real problem (as a couple people pointed out to me
privately, for which I am thankful) is that I did it on the wrong
list. But for the record: I wasn't trying to be critical; I was
trying to solve a problem. If I appeared to be attacking anyone, I
do apologise.
A
--
Andrew Sullivan | ajs@crankycanuck.ca
"The year's penultimate month" is not in truth a good way of saying
November.
--H.W. Fowler