Thread: On DNS for postgresql.org
Hi,

Now that the DNS is back (thanks!), I thought I'd ask why the ra bit is set on the responses. Are those servers providing recursion to the whole Net? (They seem to be.) If so, that's a Bad Thing.

A

--
Andrew Sullivan | ajs@crankycanuck.ca
If they don't do anything, we don't need their acronym.
    --Josh Hamilton, on the US FEMA

On Sep 6, 2006, at 9:50 AM, Andrew Sullivan wrote:

> Hi,
>
> Now that the DNS is back (thanks!), I thought I'd ask why the ra bit
> is set on the responses. Are those servers providing recursion to
> the whole Net? (They seem to be.) If so, that's a Bad Thing.

There's not anything like universal agreement on whether that's a bad thing, or not.

Also the servers are volunteer provided, so it's not really anyone's business other than the server owners.

Cheers,
Steve

Andrew Sullivan wrote:
> Hi,
>
> Now that the DNS is back (thanks!), I thought I'd ask why the ra bit
> is set on the responses. Are those servers providing recursion to
> the whole Net? (They seem to be.) If so, that's a Bad Thing.
>
> A
>

Yes, they do seem to be and yes it probably is a Bad Thing:

$ dig @ns3.hub.org www.mysql.com

; <<>> DiG 9.3.1 <<>> @ns3.hub.org www.mysql.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58427
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;www.mysql.com. IN A

;; ANSWER SECTION:
www.mysql.com. 3600 IN A 213.115.162.29
www.mysql.com. 3600 IN A 213.115.162.82
www.mysql.com. 3600 IN A 213.136.52.29
www.mysql.com. 3600 IN A 213.136.52.82

;; AUTHORITY SECTION:
mysql.com. 3600 IN NS dns1.mysql.com.
mysql.com. 3600 IN NS dns2.mysql.com.
mysql.com. 3600 IN NS dns3.mysql.com.
mysql.com. 3600 IN NS dns5.mysql.com.

;; Query time: 409 msec
;; SERVER: 200.46.204.254#53(200.46.204.254)
;; WHEN: Wed Sep 6 10:15:56 2006
;; MSG SIZE rcvd: 171

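The ra check made by hand with dig in the message above can be automated when auditing a nameserver you run. The following Python is an added example, not part of the thread: it decodes the DNS header and reports open recursion when a reply carries RA, is non-authoritative and contains answers for a zone the server does not host. Function names, verdict strings and sample bytes are constructed for illustration; SAMPLE_OPEN mirrors the header values in the dig output.

```python
import socket
import struct

# DNS header flag masks (RFC 1035, section 4.1.1)
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200),
             ("rd", 0x0100), ("ra", 0x0080))

def build_query(name, qid=0x1234):
    """Encode an A/IN question with RD set (asks the server to recurse)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "flags": [n for n, bit in FLAG_BITS if flags & bit],
            "rcode": flags & 0x000F, "answers": an, "authority": ns}

def classify(msg):
    """Verdict on a reply to a query for a zone the server does not host."""
    h = parse_header(msg)
    if "qr" not in h["flags"]:
        return "not-a-response"
    if h["rcode"] == 5:                      # REFUSED: recursion ACL in effect
        return "refused"
    if "ra" not in h["flags"]:
        return "recursion-not-offered"
    if h["rcode"] == 0 and h["answers"] > 0 and "aa" not in h["flags"]:
        return "open-recursion"
    return "ra-set-no-answer"

def probe(server, name="example.com", timeout=3.0):
    """Query a nameserver you operate over UDP and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recv(512))

# Constructed sample headers (header bytes only, no question/answer records).
# SAMPLE_OPEN mirrors the dig output: id 58427, flags qr rd ra, 4 answers.
SAMPLE_OPEN = struct.pack("!HHHHHH", 58427, 0x8180, 1, 4, 4, 0)
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 1, 0x8100, 1, 0, 13, 0)  # qr rd
SAMPLE_REFUSED = struct.pack("!HHHHHH", 2, 0x8185, 1, 0, 0, 0)    # rcode 5
```

Run probe from a host outside the networks the server is meant to serve; a verdict of open-recursion there corresponds to the qr rd ra reply in the dig output.
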
On Wed, Sep 06, 2006 at 09:59:29AM -0700, Steve Atkins wrote:
>
> There's not anything like universal agreement on whether that's
> a bad thing, or not.

Uh, well, there sure is right now among TLD operators. Wide-open recursion is being used in a denial of service attack that causes orders-of-magnitude amplification traffic against the target servers. In fact, there are some who are blacklisting open recursive servers, and there's an effort afoot to get the news out:

http://tools.ietf.org/wg/dnsop/draft-ietf-dnsop-reflectors-are-evil/

(Another draft is expected Real Soon Now, with a less-inflammatory filename.)

> Also the servers are volunteer provided, so
> it's not really anyones business other than the server owners.

Given that the entire postgresql.org infrastructure just went off the air because of what sure looked to me like an error in administration, I submit that it _is_ others' business how the infrastructure is managed

A

--
Andrew Sullivan | ajs@crankycanuck.ca
The plural of anecdote is not data.
    --Roger Brinner

steve@blighty.com (Steve Atkins) writes:
> On Sep 6, 2006, at 9:50 AM, Andrew Sullivan wrote:
>> Now that the DNS is back (thanks!), I thought I'd ask why the ra bit
>> is set on the responses. Are those servers providing recursion to
>> the whole Net? (They seem to be.) If so, that's a Bad Thing.
>
> There's not anything like universal agreement on whether that's a
> bad thing, or not.

I'll leave that to others...

> Also the servers are volunteer provided, so it's not really anyones
> business other than the server owners.

If you are fine with people casting arbitrary aspersions against the users of PostgreSQL, then perhaps so.

I wouldn't expect any self-respecting project that prides itself on reliability would be willing to live with this, though...

--
let name="cbbrowne" and tld="acm.org" in name ^ "@" ^ tld;;
http://www3.sympatico.ca/cbbrowne/linuxdistributions.html
'Typos in FINNEGANS WAKE? How could you tell?' -- Kim Stanley Robinson

>
>> Also the servers are volunteer provided, so
>> it's not really anyones business other than the server owners.
>
> Given that the entire postgresql.org infrastructure just went off the
> air because of what sure looked to me like an error in
> administration, I submit that it _is_ others' business how the
> infrastructure is managed

When you commit to providing services to this community, it is absolutely the business of that community on how the infrastructure is managed.

The people offering these services have a responsibility to insure that their infrastructure is well managed. If people are not up to that responsibility, there are plenty of providers willing to take it on.

Sincerely,

Joshua D. Drake

>
> A
>

--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

On Sep 6, 2006, at 5:29 PM, Joshua D. Drake wrote:

>>> Also the servers are volunteer provided, so
>>> it's not really anyones business other than the server owners.
>> Given that the entire postgresql.org infrastructure just went off the
>> air because of what sure looked to me like an error in
>> administration, I submit that it _is_ others' business how the
>> infrastructure is managed
>
> When you commit to providing services to this community, it is
> absolutely the business of that community on how the infrastructure
> is managed.

It is the business of the community that the services provided are adequate and stable, certainly. That's become rather obvious recently.

Irrelevant details of the server configuration that do not directly affect those services aren't really something to gossip about on a public mailing list, though.

The two are quite different things.

> The people offering these services have a responsibility to insure
> that their infrastructure is well managed. If people are not up to
> that responsibility, there are plenty of providers willing to take
> it on.

Cheers,
Steve

Steve Atkins wrote:
>
> On Sep 6, 2006, at 5:29 PM, Joshua D. Drake wrote:
>
>> When you commit to providing services to this community, it is
>> absolutely the business of that community on how the infrastructure
>> is managed.
>
> It is the business of the community that the services provided are
> adequate and stable, certainly. That's become rather obvious recently.
>
> Irrelevant details of the server configuration that do not directly
> affect those services aren't really something to gossip about on a
> public mailing list, though.
>
> The two are quite different things.

Andrew was apparently suggesting that the configuration issue he mentioned is not irrelevant, and may be the actual cause of the problems. Since he works for a domain registrar, I'm prepared to assume, at least as a working hypothesis, that he knows what he's talking about. At the least, I suggest it's wise to consider his opinion rather than tell him it's not his business.

Tim

--
-----------------------------------------------
Tim Allen tim@proximity.com.au
Proximity Pty Ltd http://www.proximity.com.au/

On Sep 6, 2006, at 5:58 PM, Tim Allen wrote:

> Steve Atkins wrote:
>> On Sep 6, 2006, at 5:29 PM, Joshua D. Drake wrote:
>>> When you commit to providing services to this community, it is
>>> absolutely the business of that community on how the
>>> infrastructure is managed.
>> It is the business of the community that the services provided
>> are adequate and stable, certainly. That's become rather obvious
>> recently.
>> Irrelevant details of the server configuration that do not
>> directly affect those services aren't really something to gossip
>> about on a public mailing list, though.
>> The two are quite different things.
>
> Andrew was apparently suggesting that the configuration issue he
> mentioned is not irrelevant, and may be the actual cause of the
> problems.

No, he wasn't. He was arguing that having a nameserver that allows resolution to the entire net is a bad thing because it allows abusers to wash DoS attacks through them. That's a perfectly reasonable opinion to have, but one that's very unlikely to be related to recent problems with the domain in question.

> Since he works for a domain registrar, I'm prepared to assume, at
> least as a working hypothesis, that he knows what he's talking
> about. At the least, I suggest it's wise to consider his opinion
> rather than tell him it's not his business.

If we were playing DNS body part size wars then who has the bigger DNS clue might be relevant. We're not, though. Rather I'm saying that publicly criticizing people who volunteer services to a project, about things that are not related to the services they're providing is at best a little impolite.

Cheers,
Steve

>> Irrelevant details of the server configuration that do not directly
>> affect those services aren't really something to gossip about on a
>> public mailing list, though.
>>
>> The two are quite different things.
>
> Andrew was apparently suggesting that the configuration issue he
> mentioned is not irrelevant, and may be the actual cause of the
> problems. Since he works for a domain registrar, I'm prepared to assume,
> at least as a working hypothesis, that he knows what he's talking about.
> At the least, I suggest it's wise to consider his opinion rather than
> tell him it's not his business.

Well, I can vouch for Andrew and his knowledge (not that he needs me to).

Joshua D. Drake

>
> Tim
>

--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

>>
>> When you commit to providing services to this community, it is
>> absolutely the business of that community on how the infrastructure is
>> managed.
>
> It is the business of the community that the services provided are
> adequate and stable, certainly. That's become rather obvious recently.
>
> Irrelevant details of the server configuration that do not directly
> affect those services aren't really something to gossip about on a
> public mailing list, though.

I can agree with that.

Sincerely,

Joshua D. Drake

>
> The two are quite different things.
>
>> The people offering these services have a responsibility to insure
>> that their infrastructure is well managed. If people are not up to
>> that responsibility, there are plenty of providers willing to take it on.
>
> Cheers,
> Steve
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: don't forget to increase your free space map settings
>

--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

* Steve Atkins (steve@blighty.com) wrote:
> If we were playing DNS body part size wars then who has the bigger
> DNS clue might be relevant. We're not, though. Rather I'm saying that
> publicly criticizing people who volunteer services to a project,
> about things that are not related to the services they're providing
> is at best a little impolite.

They provide DNS. It's about the DNS service they provide being potentially abusable to DoS and possibly blacklisted (thus causing non-obvious outage to portions of the network). Therefore, it's certainly regarding the services they're providing and how what they're doing could affect usage of that service by the community.

Now, we're certainly very grateful for the services provided and for the time spent by the hard working admins to keep everything going. This wasn't an attack on them but rather an attempt to bring to their attention an issue they may not have been aware of and may be quite happy to look into.

Unfortunately, your insistence that it's bad to be public about a public service, even after being corrected multiple times, has made it into an attack which you're trying to defend the admins against without any call or request from them for you to. Indeed, they may feel that bringing it up on a community list is the appropriate and encouraged thing to do when it involves the servers or service provided to the community.

Thanks,

Stephen

> If we were playing DNS body part size wars then who has the bigger DNS
> clue might be relevant. We're not, though. Rather I'm saying that
> publicly criticizing people who volunteer services to a project, about
> things that are not related to the services they're providing is at best
> a little impolite.

Well this is fun. I suggest that you review Andrew's comments again. Nothing he said was personal, they were direct criticisms of possible technical administration failures.

We are not in the business of protecting egos for technical matters here. If Andrew has said something to the effect of, "WTF Marc, do you have a clue about what you are doing?" I would agree with your statement.

Andrew did not do any such thing. He merely presented his rather well informed opinion on the matter of DNS and possible issues with the current configuration. Frankly, he is correct, open recursive servers are a bad idea. This isn't 2001, we need to be very careful with our resources.

I see nothing wrong with that.

Sincerely,

Joshua D. Drake

> Cheers,
> Steve
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Have you searched our list archives?
>
> http://archives.postgresql.org
>

--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

On Sep 6, 2006, at 6:41 PM, Joshua D. Drake wrote:

>
>>> Irrelevant details of the server configuration that do not
>>> directly affect those services aren't really something to gossip
>>> about on a public mailing list, though.
>>>
>>> The two are quite different things.
>> Andrew was apparently suggesting that the configuration issue he
>> mentioned is not irrelevant, and may be the actual cause of the
>> problems. Since he works for a domain registrar, I'm prepared to
>> assume, at least as a working hypothesis, that he knows what he's
>> talking about. At the least, I suggest it's wise to consider his
>> opinion rather than tell him it's not his business.
>
> Well, I can vouch for Andrew and his knowledge (not that he needs
> me to).

Enough. I didn't intend to insult anyone in this thread, merely thought that one original comment was a little rude. My apologies to anyone who's upset or been distracted.

Let's go back to database-related stuff.

Cheers,
Steve

On Thu, 7 Sep 2006, Tim Allen wrote:

> Andrew was apparently suggesting that the configuration issue he
> mentioned is not irrelevant, and may be the actual cause of the
> problems. Since he works for a domain registrar, I'm prepared to assume,
> at least as a working hypothesis, that he knows what he's talking about.
> At the least, I suggest it's wise to consider his opinion rather than
> tell him it's not his business.

Agreed, for which I email'd him offlist about the issue ...

----
Marc G. Fournier    Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org    MSN . scrappy@hub.org
Yahoo . yscrappy    Skype: hub.org    ICQ . 7615664

On Wed, 6 Sep 2006, Joshua D. Drake wrote:

>
>> If we were playing DNS body part size wars then who has the bigger DNS clue
>> might be relevant. We're not, though. Rather I'm saying that publicly
>> criticizing people who volunteer services to a project, about things that
>> are not related to the services they're providing is at best a little
>> impolite.
>
> Well this is fun. I suggest that you review Andrew's comments again. Nothing
> he said was personal, they were direct criticisms of possible technical
> administration failures.

Agreed ... I know I didn't take his comments personally, and as soon as I read them, I email'd him offlist asking for pointers / elaboration, as it was the first I knew that I might have something 'bad' setup ...

----
Marc G. Fournier    Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org    MSN . scrappy@hub.org
Yahoo . yscrappy    Skype: hub.org    ICQ . 7615664

On Wed, Sep 06, 2006 at 06:23:06PM -0700, Steve Atkins wrote:
> DNS clue might be relevant. We're not, though. Rather I'm saying that
> publicly criticizing people who volunteer services to a project,
> about things that are not related to the services they're providing
> is at best a little impolite.

Actually, the real problem (as a couple people pointed out to me privately, for which I am thankful) is that I did it on the wrong list.

But for the record: I wasn't trying to be critical; I was trying to solve a problem. If I appeared to be attacking anyone, I do apologise.

A

--
Andrew Sullivan | ajs@crankycanuck.ca
"The year's penultimate month" is not in truth a good way of saying November.
    --H.W. Fowler