Date: Tue, 26 Aug 2003 18:10:48 -0400 (EDT)
From: Richard Welty
Subject: relays.osirusoft.com
To: nanog@merit.edu
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to .

although this has to do with spam, i think folks will agree
that there's operational content here:

relays.osirusoft.com is down, it's history, stop using it.

it is currently returning 127.0.0.2 for everything, so if you're
using it, you won't receive this, but at least those who don't
use it will know what to say when the issue comes up.

richard
--
Richard Welty                              rwelty@averillpark.net
Averill Park Networking                              518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
____________________________________________________________________________

Date: Tue, 26 Aug 2003 21:14:29 -0400 (EDT)
From: Richard Welty
Subject: Re[2]: relays.osirusoft.com
To: nanog@merit.edu

On Tue, 26 Aug 2003 20:59:22 -0400 (EDT) Mark Jeftovic wrote:
> Returning 127.0.0.2 on everything would indeed be an ugly way to bow
> out, but it's been done before. Another RBL went out the same way
> previously, can't remember which one (was it orbz?)

it was more complicated than that. orbs went away without a clean
shutdown plan, and one of the secondary DNS operators started
answering with 127.0.0.2 to try and get people to stop querying
his server. it worked, although with non-trivial pain attached.

richard
--
Richard Welty                              rwelty@averillpark.net
Averill Park Networking                              518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
____________________________________________________________________________

Date: 27 Aug 2003 07:37:26 +0000
From: Paul Vixie
To: nanog@merit.edu
Subject: Re: Re[2]: relays.osirusoft.com

ok so this part does not mystify me...

> Someone has been in contact with Joe via phone and posted
> to another mailing list That Zhall Not Be Named that
> exactly that is happening. The zone is dead, ...

...because running blackhole lists is surprisingly more hard
than most people think. (witness the sorbs.net message here
a few hours ago complaining of 50Kpkt/day query loads.) i've
paid some dues in this area, so i feel qualified to say that
"i told you so" on this topic. but at least there's no mystery.

this part, on the other hand...

> he's put
> *.*.*.* in, he's asking people not to use it anymore.

...mystifies me. anyone who has read rfc1034 or rfc1035, even
if they did not also read rfc2181 or rfc2136 or rfc2308, knows
that in a zone containing the following wildcardish data:

    $ORIGIN example.vix.com.
    *        1H IN A  127.0.0.1
    *.*      1H IN A  127.0.0.2
    *.*.*    1H IN A  127.0.0.3
    *.*.*.*  1H IN A  127.0.0.4

the result will be that only the top one will match:

    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16926
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
    ;; QUERY SECTION:
    ;;      40.30.20.10.example.vix.com, type = A, class = IN

    ;; ANSWER SECTION:
    40.30.20.10.example.vix.com.  1H IN A  127.0.0.1

and that in a zone containing only this data:

    $ORIGIN example.vix.com.
    *.*.*.*  1H IN A  127.0.0.4

the result will be that none of them ever match:

    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44811
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; QUERY SECTION:
    ;;      40.30.20.10.example.vix.com, type = A, class = IN

you don't even need to read draft-ietf-dnsext-wcard-clarify-01.txt to
know that putting "*.*.*.*" into a zone won't actually mean, or do,
*anything*.

> It may be back in the future with a new network setup,
> but right now consider it down.

i'm not completely sure, but i don't think this list will see much
action in the future from the sysadmins who had to make emergency
config changes today to avoid bouncing all their e-mail. "once burned,
twice shy," eh?

when i deprecated the old $foo.maps.vix.com zones in favour of their
corresponding replacements $bar.mail-abuse.org some years ago, i had the
foresight to ensure that no mail would be blocked by people who failed to
put in the configuration change. now you can all see why that was nec'y.
--
Paul Vixie
____________________________________________________________________________

Date: Wed, 27 Aug 2003 07:53:49 -0400 (EDT)
From: jlewis@lewis.org
To: nanog@merit.edu
Subject: Re: Re[2]: relays.osirusoft.com

On 27 Aug 2003, Paul Vixie wrote:

> ...because running blackhole lists is surprisingly more hard
> than most people think. (witness the sorbs.net message here
> a few hours ago complaining of 50Kpkt/day query loads.) i've

Matt wasn't complaining about query loads. And 50Kpkt/day in queries is
nothing anyway. He was complaining about being DDoS'd by spammers or
others who just don't like dnsbls. AFAIK, SORBS, SPEWS, and Osirusoft
have all been the targets of DDoS's for a few weeks.

> this part, on the other hand...
>
> > he's put
> > *.*.*.* in, he's asking people not to use it anymore.
>
> ...mystifies me.
> anyone who has read rfc1034 or rfc1035, even
> if they did not also read rfc2181 or rfc2136 or rfc2308, knows
> that in a zone containing the following wildcardish data:
>
> $ORIGIN example.vix.com.
> * 1H IN A 127.0.0.1
> *.* 1H IN A 127.0.0.2

This was just a misunderstanding on the part of the previous poster.
Unless he has a copy of the zone (not likely given the unreliability of
Joe's DNS servers lately), he wouldn't be able to see this. I think he
just wasn't familiar with how wildcards worked and assumed each * only
matched one [^.]*, which is incorrect. AFAICT, what he did add was:

    *   24H A   127.0.0.2
        24H TXT "Please stop using relays.osirusoft.com"

which is much worse than just emptying the zone, removing it from the
NS's, or shutting down the DNS servers.

> when i deprecated the old $foo.maps.vix.com zones in favour of their
> corresponding replacements $bar.mail-abuse.org some years ago, i had the
> foresight to ensure that no mail would be blocked by people who failed to
> put in the configuration change. now you can all see why that was nec'y.

Mail would only have been blocked if you had done something crazy like the
above. Mail was delayed (and servers put under heavy load waiting for DNS
queries to time out) when MAPS finally shut off free access without
warning (a week or more after they originally had warned they'd do it, but
gave everyone an extension when there was massive public outcry and they
were unable to keep up with inquiries about buying access).

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
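
Added example, not part of the thread or any poster's code: a small model of RFC 1034 section 4.3.2 wildcard synthesis run over the zones quoted in the messages above, plus a check for a blocklist that answers for every address. The zone contents are re-typed from the thread; the HEALTHY zone, all function names, and the 127.0.0.1 test point (taken from RFC 5782, which the thread does not mention) are assumptions of this example.

```python
# Added example: names are relative to the zone apex and stored as label
# tuples, apex first, so "40.30.20.10" becomes ("10", "20", "30", "40").

def build_zone(records):
    """records: (relative owner, rrtype, rdata) -> {labels: {rrtype: rdata}}."""
    zone = {(): {}}                                # the apex always exists
    for owner, rrtype, rdata in records:
        labels = tuple(reversed(owner.split(".")))
        for i in range(1, len(labels) + 1):
            zone.setdefault(labels[:i], {})        # ancestors exist as empty non-terminals
        zone[labels][rrtype] = rdata
    return zone

def lookup(zone, qname, qtype="A"):
    """Return (rcode, rdata or None) the way an authoritative server would."""
    labels = tuple(reversed(qname.split(".")))
    if labels in zone:                             # exact match: no synthesis
        return "NOERROR", zone[labels].get(qtype)
    # Closest encloser: the longest ancestor of qname that exists in the zone.
    depth = max(i for i in range(len(labels)) if labels[:i] in zone)
    source = labels[:depth] + ("*",)               # only "*" directly below it can match
    if source not in zone:
        return "NXDOMAIN", None
    return "NOERROR", zone[source].get(qtype)      # None here means NODATA

def lists_everything(zone):
    """True if the list answers for 127.0.0.1, which RFC 5782 says must not be listed."""
    return lookup(zone, "1.0.0.127")[1] is not None

# Zones re-typed from the thread.
FOUR_WILDCARDS = build_zone([("*", "A", "127.0.0.1"), ("*.*", "A", "127.0.0.2"),
                             ("*.*.*", "A", "127.0.0.3"), ("*.*.*.*", "A", "127.0.0.4")])
ONLY_FOUR_STARS = build_zone([("*.*.*.*", "A", "127.0.0.4")])
SHUTDOWN = build_zone([("*", "A", "127.0.0.2"),
                       ("*", "TXT", "Please stop using relays.osirusoft.com")])
# Constructed for contrast: one real entry plus the 127.0.0.2 test entry.
HEALTHY = build_zone([("2.0.0.127", "A", "127.0.0.2"), ("40.30.20.10", "A", "127.0.0.2")])

if __name__ == "__main__":
    for name, zone in [("four wildcards", FOUR_WILDCARDS), ("only *.*.*.*", ONLY_FOUR_STARS),
                       ("shutdown", SHUTDOWN), ("healthy", HEALTHY)]:
        print(name, lookup(zone, "40.30.20.10"), "lists everything:", lists_everything(zone))
```

ONLY_FOUR_STARS yields NOERROR with no data, matching the ANSWER: 0 output in the thread: the inner asterisks are ordinary labels, and the `*` directly under the apex exists only as an empty name. A mail server that runs the lists_everything check before trusting a list would have rejected the SHUTDOWN zone instead of bouncing mail.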