Re: Hub.org DNS

Marc,

Can you please confirm which of the hub.org DNS servers do and do not
allow recursion now, and if things are going to stay that way? We're
finding that some things appear to have broken recently, apparently
because they no longer have a suitable DNS server configured (rsync
access via hostname on svr4, email address validation on wwwmaster).

A quick test shows that ns, ns2 and ns4 are recursive, but ns3 is not at
present.

Cheers, Dave.

Dave Page wrote:
> Marc,
>
> Can you please confirm which of the hub.org DNS servers do and do not
> allow recursion now, and if things are going to stay that way? We're
> finding that some things appear to have broken recently, apparently
> because they no longer have a suitable DNS server configured (rsync
> access via hostname on svr4, email address validation on wwwmaster).

That is probably the result of trying to tighten up security on the
resolvers (iirc you even have been cc'd in those mails) a while ago

>
> A quick test shows that ns, ns2 and ns4 are recursive, but ns3 is not at
> present.

well we should make sure that all our authoritative nameservers are NOT
providing recursion to the world - so we need to find a way to restrict
recursion to some limited hosts/ranges.

Stefan

Stefan Kaltenbrunner wrote:
> Dave Page wrote:
>> Marc,
>>
>> Can you please confirm which of the hub.org DNS servers do and do not
>> allow recursion now, and if things are going to stay that way? We're
>> finding that some things appear to have broken recently, apparently
>> because they no longer have a suitable DNS server configured (rsync
>> access via hostname on svr4, email address validation on wwwmaster).
>
> That is probably the result of trying to tighten up security on the
> resolvers (iirc you even have been cc'd in those mails) a while ago

Yeah, I do remember it.

>> A quick test shows that ns, ns2 and ns4 are recursive, but ns3 is not
>> at present.
>
> well we should make sure that all our authoritative nameservers are NOT
> providing recursion to the world - so we need to find a way to restrict
> recursion to some limited hosts/ranges.

Or split the 4 into defined roles. Either way though, I'd like some
clarifcation on what the official strategy is so I can make sure the
vservers are all correct now, and bug him further if there are any
additional problems.

Regards, Dave.

Dave Page wrote:
> Marc,
>
> Can you please confirm which of the hub.org DNS servers do and do not
> allow recursion now, and if things are going to stay that way? We're
> finding that some things appear to have broken recently, apparently
> because they no longer have a suitable DNS server configured (rsync
> access via hostname on svr4, email address validation on wwwmaster).
>
> A quick test shows that ns, ns2 and ns4 are recursive, but ns3 is not at
> present.

Hmm, now I'm not even sure about that - the testing above was on
www.microsoft.com, however one of the mirrors having problems is
212.100.160.33 which doesn't resolve on any of the 4 hub servers, yet is
fine from various ISP's servers on this side of the pond.

Any ideas?

Regards, Dave

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --On Monday, December 11, 2006 13:18:48 +0100 Stefan Kaltenbrunner
<stefan(at)kaltenbrunner(dot)cc> wrote:

> well we should make sure that all our authoritative nameservers are NOT
> providing recursion to the world - so we need to find a way to restrict
> recursion to some limited hosts/ranges.

'k, unless I've missed somethign here, I've just checked all 4 name servers,
and they all have:

options {
allow-recursion {huborg;};
};

acl huborg {
200.46.204.0/24;
200.46.208.0/24;
206.223.169.0/24;
};

Something else I need to add?

- ----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email . scrappy(at)hub(dot)org MSN . scrappy(at)hub(dot)org
Yahoo . yscrappy Skype: hub.org ICQ . 7615664

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFfVW34QvfyHIvDvMRAmerAKCYuDCQEV1QwTrkmU+HAqB+AuFGEQCguFwX
Li5kSiFb8mXCcrqBKRzgvCs=
=t76/
-----END PGP SIGNATURE-----

Marc G. Fournier wrote:
> 'k, unless I've missed somethign here, I've just checked all 4 name servers,
> and they all have:
>
> options {
> allow-recursion {huborg;};
> };
>
> acl huborg {
> 200.46.204.0/24;
> 200.46.208.0/24;
> 206.223.169.0/24;
> };
>
> Something else I need to add?

Per our conversation on IM earlier,

Name: svr4.postgresql.org
Address: 66.98.251.159

Name: svr2.postgresql.org
Address: 65.19.161.90

Name: borg.postgresql.org
Address: 65.19.161.2

Name: wwwmaster.postgresql.org
Address: 65.19.161.25

Regards, Dave.

Dave Page wrote:
> Marc G. Fournier wrote:
>> 'k, unless I've missed somethign here, I've just checked all 4 name
>> servers, and they all have:
>>
>> options {
>> allow-recursion {huborg;};
>> };
>>
>> acl huborg {
>> 200.46.204.0/24;
>> 200.46.208.0/24;
>> 206.223.169.0/24;
>> };
>>
>> Something else I need to add?
>
> Per our conversation on IM earlier,
>
> Name: svr4.postgresql.org
> Address: 66.98.251.159
>
> Name: svr2.postgresql.org
> Address: 65.19.161.90
>
> Name: borg.postgresql.org
> Address: 65.19.161.2
>
> Name: wwwmaster.postgresql.org
> Address: 65.19.161.25

maybe it would be better to add local resolvers in the networks of the
ISPs hosting those servers - those are "nearer" to the boxes and seems
like a natural solution (just like we did for tribble/romulus)

Stefan

Dave Page wrote:
> Dave Page wrote:
>> Marc,
>>
>> Can you please confirm which of the hub.org DNS servers do and do not
>> allow recursion now, and if things are going to stay that way? We're
>> finding that some things appear to have broken recently, apparently
>> because they no longer have a suitable DNS server configured (rsync
>> access via hostname on svr4, email address validation on wwwmaster).
>>
>> A quick test shows that ns, ns2 and ns4 are recursive, but ns3 is not
>> at present.
>
> Hmm, now I'm not even sure about that - the testing above was on
> www.microsoft.com, however one of the mirrors having problems is
> 212.100.160.33 which doesn't resolve on any of the 4 hub servers, yet is
> fine from various ISP's servers on this side of the pond.

I would guess that the hub.org-resolvers you tested had
www.microsoft.com cached - so it delivered the response from cache and
did not actually recurse.

Stefan

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --On Monday, December 11, 2006 14:23:10 +0100 Stefan Kaltenbrunner
<stefan(at)kaltenbrunner(dot)cc> wrote:

> Dave Page wrote:
>> Marc G. Fournier wrote:
>>> 'k, unless I've missed somethign here, I've just checked all 4 name
>>> servers, and they all have:
>>>
>>> options {
>>> allow-recursion {huborg;};
>>> };
>>>
>>> acl huborg {
>>> 200.46.204.0/24;
>>> 200.46.208.0/24;
>>> 206.223.169.0/24;
>>> };
>>>
>>> Something else I need to add?
>>
>> Per our conversation on IM earlier,
>>
>> Name: svr4.postgresql.org
>> Address: 66.98.251.159
>>
>> Name: svr2.postgresql.org
>> Address: 65.19.161.90
>>
>> Name: borg.postgresql.org
>> Address: 65.19.161.2
>>
>> Name: wwwmaster.postgresql.org
>> Address: 65.19.161.25
>
> maybe it would be better to add local resolvers in the networks of the ISPs
> hosting those servers - those are "nearer" to the boxes and seems like a
> natural solution (just like we did for tribble/romulus)

Actually, just thought about / mentioned that to Dave ... :)

Will work on cleaning this up some this afternoon ...

- ----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email . scrappy(at)hub(dot)org MSN . scrappy(at)hub(dot)org
Yahoo . yscrappy Skype: hub.org ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFfV7A4QvfyHIvDvMRAkVKAJ4/iDLKM7ZhF5pVEAV1sFm8eKUr6gCeKn4/
c8WoiZMg1MMN2JzDJrahe68=
=Um45
-----END PGP SIGNATURE-----

Stefan Kaltenbrunner wrote:

> maybe it would be better to add local resolvers in the networks of the
> ISPs hosting those servers - those are "nearer" to the boxes and seems
> like a natural solution (just like we did for tribble/romulus)

They do/will, but will use hub.org as backups.

Regards, Dave

Stefan Kaltenbrunner wrote:
> I would guess that the hub.org-resolvers you tested had
> www.microsoft.com cached - so it delivered the response from cache and
> did not actually recurse.

Ah - didn't realise it would still answer from cache if it could,
despite it effectively being a recursive query.

Regards, Dave.

On Mon, Dec 11, 2006 at 01:37:20PM +0000, Dave Page wrote:
>
> Ah - didn't realise it would still answer from cache if it could,
> despite it effectively being a recursive query.

Some BIND releases do that, and others don't. There's far from
universal agreement about what to do, I think.

A

--
Andrew Sullivan | ajs(at)crankycanuck(dot)ca
Information security isn't a technological problem. It's an economics
problem.
--Bruce Schneier

Andrew Sullivan wrote:
> On Mon, Dec 11, 2006 at 01:37:20PM +0000, Dave Page wrote:
>> Ah - didn't realise it would still answer from cache if it could,
>> despite it effectively being a recursive query.
>
> Some BIND releases do that, and others don't. There's far from
> universal agreement about what to do, I think.

:-(

Thanks for the clarification.

Regards, Dave

> > A quick test shows that ns, ns2 and ns4 are recursive, but ns3 is not at
> > present.
>
> well we should make sure that all our authoritative nameservers are NOT
> providing recursion to the world - so we need to find a way to restrict
> recursion to some limited hosts/ranges.

You can do this via views. We do it at CMD.

Sincerely,

Joshua D. Drake

>
>
> Stefan
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo(at)postgresql(dot)org so that your
> message can get through to the mailing list cleanly
>
--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

> > Name: borg.postgresql.org
> > Address: 65.19.161.2
> >
> > Name: wwwmaster.postgresql.org
> > Address: 65.19.161.25
>
> maybe it would be better to add local resolvers in the networks of the
> ISPs hosting those servers - those are "nearer" to the boxes and seems
> like a natural solution (just like we did for tribble/romulus)

Yeah have each server have a caching nameserver.

Joshua D. Drake

>
>
> Stefan
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: Don't 'kill -9' the postmaster
>
--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

On Mon, Dec 11, 2006 at 07:53:02AM -0800, Joshua D. Drake wrote:
> > well we should make sure that all our authoritative nameservers are NOT
> > providing recursion to the world - so we need to find a way to restrict
> > recursion to some limited hosts/ranges.
>
> You can do this via views. We do it at CMD.

You don't need views for that. You can just use the config options
in BIND to restrict where recursion works (which is what Marc did,
AFAIK). That's what that setting is for. Future BIND versions will
probably ship with recursion turned off, BTW.

A

--
Andrew Sullivan | ajs(at)crankycanuck(dot)ca
The whole tendency of modern prose is away from concreteness.
--George Orwell

for borg and related, you can use 216.218.206.51/216.218.206.34 for
resolution if needed, on the same local net.

On 12/11/06, Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc> wrote:
> Dave Page wrote:
> > Marc G. Fournier wrote:
> >> 'k, unless I've missed somethign here, I've just checked all 4 name
> >> servers, and they all have:
> >>
> >> options {
> >> allow-recursion {huborg;};
> >> };
> >>
> >> acl huborg {
> >> 200.46.204.0/24;
> >> 200.46.208.0/24;
> >> 206.223.169.0/24;
> >> };
> >>
> >> Something else I need to add?
> >
> > Per our conversation on IM earlier,
> >
> > Name: svr4.postgresql.org
> > Address: 66.98.251.159
> >
> > Name: svr2.postgresql.org
> > Address: 65.19.161.90
> >
> > Name: borg.postgresql.org
> > Address: 65.19.161.2
> >
> > Name: wwwmaster.postgresql.org
> > Address: 65.19.161.25
>
> maybe it would be better to add local resolvers in the networks of the
> ISPs hosting those servers - those are "nearer" to the boxes and seems
> like a natural solution (just like we did for tribble/romulus)
>
>
> Stefan
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: Don't 'kill -9' the postmaster
>

Gavin M. Roy wrote:
> for borg and related, you can use 216.218.206.51/216.218.206.34 for
> resolution if needed, on the same local net.

Thanks, - updated.

Regards, Dave