Domain: isc.org
Stories and comments across the archive that link to isc.org.
Comments · 347
-
Re:Google cache of the Mozilla mirror list
These aren't:
ISC Mirror -
HTTP Link
http://mozilla.isc.org/pub/mozilla.org/firefox/releases/3.0/
The Linux release is dated 6-11. The Win release is 6-17. -
Re:I've heard of this new technology...
But they don't appear to be deploying it on their own servers.
I've just checked -- and the ISC do sign their zone. Sorry for the misinformation.
-
Re:I've heard of this new technology...
DNSSEC has gone through three (3) mutually incompatible specifications. The DNSSEC people are claiming that the last revision really really works, honest, gov, and that all that remains to be done is deploying it.
But they don't appear to be deploying it on their own servers.
-
Re:DNS is a big problem and it's getting bigger
> If you run BIND with 100K zones, it takes quite some time to come up and start answering queries. If you do a reload, it has a dead time in between. Try it..
please try 9.4.latest and 9.5.0-RC (or 9.5.latest, when it comes out of RC) and report back here. in particular, try it with the binary zone precompilation feature. make sure you build it with threads, on a system with good kernel-supported threads. even if you don't have multiple cores, though if you do, your QPS will improve (though your zone loading speed probably won't.)
> As secondary it has bugs (for more than 12 months now) that may crash it. I just had a customer who paid a lot of money to get it fixed by an external company. Of course the fix was sent to the BIND maintainers.
if you have a bug number, please post it here and i'll find out what happened with it. note that the BIND maintainers (http://www.isc.org/) also offer commercial support and feature development (that's largely how BIND is funded).
> [BIND] has a performance problem as a caching nameserver and a severe one.
please post your queryperf results here, along with a pointer to your dataset, a description of your methodology, and comparative results from other name servers. we regularly stress-test BIND9 looking for bottlenecks, and we think the current version is pretty much competitive on modern hardware, software, compiler combinations. -
Re:Worst webpage layout
> then your computer is probably part of a zombie botnet,
Doubt it.
> since clearly you have totally open Javascript in your browser.
Yeah, you're right. I should use Lynx as my primary browser.
-
Re:too little, too late
I suggest this new technology for you: LYNX. If that's still too media-rich, you can lead the revolution in bringing us all back to Gopher.
-
Re:Read it even more carefully.
I'm actually not sure if you can still get 3rd and 4th-level delegations. I'm assuming you can for "official" gov, school (k12), library (lib), etc. business. I know you cannot get personal/business ones like the one that I have, those are no longer available, you just have to pay and get one right off of .US.
I too dislike NSI, but .ORG isn't under their control anymore, but under the ISC's PIR, which I very much like. I have some .NETs from way back, but at least I have them over at GKG.NET. One thing I like about GKG.net is their free email address cloaking. -
I've got a secure web browser
Lynx.
-
Re:OpenDNS Guide
Which is why I run BIND myself.
-
Re:Why doesn't software trust /dev/[u]random ?
So that brings me back to the question: Why the hell doesn't bind have an option to use the system PRNG? Not all systems have a good random number generator, but I trust ours far more than the junk coded into bind. For that matter, I don't really mind if bind ate another 128K of memory to secure its own sequence space, if that is what it takes.
BIND uses cryptostrength PRNG for DNSSEC operations, but not for generating 16-bit query ID's (which is the topic of Amit's paper). 16 bits just isn't wide enough to care about predictability, and stub resolvers like gethostbyname() can't afford cryptostrength randomness even if it would do any good which it won't. My sympathies in this debate are mostly with Theo, since the only real fix for DNS Security is Secure DNS (DNSSEC). In response to Amit's original paper on this, I hacked BIND8 to use arc4random() for its upstream queries, and told folks who didn't have arc4random() in their libc to either get it or upgrade to BIND9.
To your question, why doesn't BIND9 have a build option to use the underlying OS PRNG (in /dev or libc or whatever), it's partly because this problem isn't solvable without DNSSEC so a better PRNG for 16-bit query-ID's is bad engineering economics, and partly because BIND9's PRNG is "good enough" for a 16-bit field and we (ISC) don't want the risk that some BIND builds will pull in really terrible OS PRNG's. Our BIND9 PRNG isn't cryptostrength... but spending more time on it won't make DNS more secure, only DNSSEC can do that. If DragonflyBSD wants to help secure the DNS, then make DNSSEC the default on all your systems, sign your own zones, and encourage your users to sign their zones. If your parent zone (.ORG, .COM, etc) won't take your DNSSEC keys, put them in DLV. DNSSEC is stuck in IPv6-like chicken-or-egg mode, and only dedicated coherent action from the F/L/OSS community has ever been able to unstick stuff like this.
But debates around the quality of a PRNG used to generate 16-bit integers are unproductive time thieves. We used to use the C "++" operator to select the next query ID, and in some ways I wish we had kept that practice rather than adding any kind of PRNG at all since it only gave the illusion of security without making query-ID guessing attacks impossible or even impractical.
Paul Vixie
-
Re:ndiswrapper
Hey now. I used to collect ne2000 nic cards from thrift store computers to get networking running on 486s with RedHat 5 through 6.2.
I guess if
http://www.google.com/search?q=caunter%20linux
and
http://www.google.com/search?q=caunter%20microsoft
aren't instructive, maybe
http://lynx.isc.org/current/lynx2-8-7/docs/README.sslcerts and http://www.google.com/search?q=nsupdate will. My little nsupdate howto gets a lot of love for some reason. I use, support, contribute to, and advocate for open source. I'm good at writing, so that's where I contribute. I also am not an operating system bigot. I use what is best for a given job. Sometimes that's linux, sometimes that's BSD, and yeah, sometimes, on an HP laptop, that's Vista. I don't have anything to prove to anyone, but I mean, I've got some credibility. Anyway, I don't mind giving MS credit for a nice OS that seems to get beat up on for reasons that I can't understand. /bye
http://caunter.ca/contact.html -
Re:Unbelievable
The judge understood it wrong. Executing a zone transfer is a common diagnostic tool (in this case, used to track down a spammer). The RFCs do NOT restrict this to the owner of the zone, and RFC 1296 specifically addresses this issue.
-
Re:trying to figure out what to do with it,?
> Just download the code for Mozilla...
Anyway - the era of Netscape is over.
Conveniently killed by Microsoft and reborn into Mozilla/Firefox.
Today the alternatives to IE (Firefox, Opera and Safari) are the most well-known and supported by web developers. Yet another alternative is the Lynx browser for those with pure text terminals. (You may think it's masochistic trying to use a text-only browser in today's web, but sometimes it's helpful or the only resort left.)
Safari for Windows is still beta (and has had some bugs; I haven't checked the latest yet, but 3.0.3 did crash on me). However, it is still useful to verify your web page with, and compared to the crashes we had with older browsers it's actually OK.
And still - there has been an era where Mosaic was a revolutionary new interface, but even that wasn't the first, as you can see at Web Browser History.
A relatively up to date graph can be seen at Wikipedia, but your browser should support SVG to make the most of the graph. Unfortunately it only shows the most common browsers and oddballs like tkWWW are left out.
-
Re:I think I'm too young to care.
I first used Netscape back in '94 or '95 (it was a long time ago) on Solaris. Prior to that, I'd been using NCSA Mosaic.
lynx FTW! Fortunately, *that* hasn't gone away. (It is a great "covert at work" browser.)
-
Re:CLI FTW!!!
> Slashdot and Lynx are incompatible?
Oh, nevermind
-
Why I quit: ntpd sucks
Flamebait subject, but I kind of mean it.
I was in the pool for a while but quit because ntpd is wholly incapable of protecting itself. I ended up with about 50 abusers that polled for time once a second. I tried using the built-in filtering but it doesn't work, so ntpd was gleefully replying to each and every one of those requests.
Keep in mind that it has the logic to detect abusers - it just won't do anything about it. Well, it can be made to send a KOD (Kiss Of Death) packet that should make clients blacklist the server, but those same broken clients ignore KODs. I kid you not, the standard recommendation is to firewall them off.
What? ntpd already knows its internal state, including a list of abusers. The code could be as simple as "def sendTimePacket(clientaddr): if clientaddr in blacklist then return; else sendpacket(clientaddr);", but they suppose that it's easier to write an external program to monitor that state, generate firewall rules, connect to the firewall host, and insert them. No, really, that's not easier at all.
I like NTP and I liked the idea of helping serve it to the world, but until ISC decides to support at least basic anti-DOS functionality in ntpd, I won't be joining the pool again. And by "support", I mean at least lend moral support to people who would be willing to do the work, instead of just telling them to alter their firewall.
-
Re:Not their problem.
> They would have been perfectly justified in just saying "then Vista's DHCP client is broken and MS should fix it".
Vista's DHCP client isn't broken; the ISP is using an old, broken version of the ISC dhcp server.
That's why that ISP is the ONLY internet service provider in the world having a problem with Vista -- they're too incompetent to upgrade to the latest version of ISC dhcp.
Here is the bug-fix report for the ISC dhcp server from ISC's own website at http://www.isc.org/index.pl?/sw/dhcp/dhcp-v2.php :
"Fix a long-standing bug that prevented the DHCP server from broadcasting responses to BOOTP clients that requested a broadcast response." -
Re:What bug?
> ... the fact that the ISPs DHCP servers do not accept broadcast bits, even though strictly speaking in error, is sufficiently less severe that it is realistic to expect MS to fix their shit, not the ISP.
LOL! Expecting Microsoft to program around old, buggy Linux code!
The reason that only ONE internet service provider in the world is having this problem with Vista is that the ISP is too incompetent to upgrade to the latest version of ISC dhcp, which fixed the bug. From ISC's own bug-fix reports at http://www.isc.org/index.pl?/sw/dhcp/dhcp-v2.php :
"Fix a long-standing bug that prevented the DHCP server from broadcasting responses to BOOTP clients that requested a broadcast response." -
Re:Very interesting how the ISP is blamed
> M$ delivered a broken configurations and the ISP has to fix this.
False.
Microsoft's configuration is completely correct.
The ISP is simply incompetent. That's why they're the only ISP in the world that has this problem with Windows Vista.
The ISP is running an old, buggy version of ISC dhcp. The ISP needs to update to the latest version, which fixes the bug. Here's the bug-fix report from ISC's own website http://www.isc.org/index.pl?/sw/dhcp/dhcp-v2.php :
"Fix a long-standing bug that prevented the DHCP server from broadcasting responses to BOOTP clients that requested a broadcast response." -
Not MS Fault
MS is properly implementing a known, albeit outdated, DHCP option. The DHCP server is failing to respond rather than either implement/ignore the valid option. Incidentally, this issue is fixed in ISC http://www.isc.org/index.pl?/sw/dhcp/dhcp-v2.php, so it's also possible that ISP is ignoring an update that will fix the problem. Also, MS has stated which registry key to change to disable the offending broadcast flag option http://support.microsoft.com/kb/928233, so it's not correct to say that MS has not responded. Given that they are RFC compliant, they didn't need to do anything.
-
Re:That's still a lot
Haven't used the program for four years, if not more. I bet it's still at the same version I used back then
The latest version, albeit a development release, is 2.8.7dev.7, released on the 2nd of August this year. See http://lynx.isc.org/current/ -
Re:New
According to ISC vulnerability matrix, you are affected.
-
Re:don't the idiots at MS test anything?
They DO test a lot, but it's impossible to not have bugs, especially with such a new beast like IPv6. Linuzzzz itself has a million reported bugs with IPv6, which, again, is not strange due to the relatively new protocol.
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6402758
http://www.uwsg.iu.edu/hypermail/linux/net/0205.3/0002.html
http://lists.ntp.isc.org/pipermail/questions/2007-April/013854.html
etc...
The problem often is in the OS itself, but sometimes the applications and drivers are the problem. So why is this news? Well, judge by yourself.
-
Re:Weakness of DNS
> The DNS system relies on 13 servers
Ahhh, maybe not. It would be better to say the "root servers" are made up of quite a number of servers implementing some level of high availability which usually requires more than one server.
For example, the F root server, operated by Mr Vixie's ISC, is 40 distributed servers around the world accessed by a Hierarchical Anycast technique
John
-
Re:IIS 6
The top 10 was in 2000 www.sans.org and covered BIND 8.
BIND 9 has a lot better record. BIND 9 was designed to die when a programming error was found rather than continuing to execute in a known bad state. Despite thousands of assertion checks there have only been a small number of externally triggerable DoS events against BIND 9 www.isc.org.
-
Re:BIND does not scale???
The security is also relatively coarse: the tools don't allow a particular security key to apply to a particular name -- the key applies to a whole zone.
BIND9 addresses this with update-policy which can map an individual TSIG key to a specific name (or subdomain or wildcard). You can say that "key 'laptop23.example.com.' can update an A record with the same name".
I won't disagree about the dynamic zone file ugliness. I usually put dynamic hosts in their own subdomain so that my main zone file can remain nicely human-friendly. For example, we'd use ".mobile.example.com" and put it in its own zone file. The file for ".example.com" will still be nice, and if every record in ".mobile.example.com" is dynamic, who cares if it's a machine-generated mess?
-
Re:Talk about spin!
I thought it was because it was a pointless and unneeded reformulation of existing standards with no BC?
You're welcome to that opinion, but I think the fact that it's a work-in-progress is the relevant factor to consider when wondering why people aren't using it. Even the W3C themselves don't want anybody to use it yet. In their own words, from the top of the latest specification: "It should in no way be considered stable, and should not be normatively referenced for any purposes whatsoever."
Lynx will never support application/xhtml+xml
Lynx already supports application/xhtml+xml. According to the changelog, support was added almost three years ago.
-
DNSSEC Trust, DLV
As long as DNS root servers are unsigned, how can the regular DNS servers start to implement that? Sweden and Puerto Rico???
In the ideal world, to verify that a DNS answer is correct, you start the chain of trust at the root, then follow to a top-level domain (TLD), and continue on down the tree until you get to your final answer.
If at any point a zone does not have a DS record pointing to it, then the chain of trust is broken, and the ultimate answer will be unsecured. But this follows the usual DNS hierarchy... if your parent provides DNSSEC, then you have the option to secure your zone.
But since the root is not signed, you cannot start the chain of trust at the root. A resolver needs to have the public key configured for each of the zones that it knows are secured... these zones are called "trust anchors".
The problem with this is that there are hundreds of zones in the root. Finding the public key for each zone is a very heavy administrative task, as is getting new keys when the old ones expire. Going further down in the tree makes things even worse.
One proposed solution, designed as a temporary measure until the root is signed, is DLV. With DLV, you use normal DNSSEC, but if you don't find a trust anchor anywhere in the tree, then you look at another special tree.
So, say you were looking for "www.mydomain.example.com", and there was no trust anchor. You would then look in a DLV server for "www.mydomain.example.com", then "mydomain.example.com", then "example.com", and finally ".com". If at any point a DLV entry was found, you would follow that chain of trust.
What DLV does is basically create a "second root" just for securing DNS. It's not a good solution, but it is better than nothing. The main goal is to allow people to use DNSSEC easily while waiting for ICANN to sign the root.
<full_disclosure>
The DLV solution is being pushed by my company, ISC. We run a DLV registry, which is free for all to both publish data in and query.
</full_disclosure> -
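The trust-anchor-then-DLV search order the post walks through ("www.mydomain.example.com", then "mydomain.example.com", then "example.com", then ".com"), as an added Python example that is not ISC's code. It also covers the case the post treats as hypothetical, a configured root anchor, and the registry name "dlv.example" and all keys are constructed placeholders.

```python
"""Trust-anchor and DLV search order, as described in the post above.

A resolver first looks for a configured trust anchor at the name or any
ancestor (including the root, should a root key ever be configured).  Only if
none exists does it consult the DLV tree, walking from the most specific name
up to the TLD and stopping at the first registry entry it finds.
"""
from typing import Dict, Iterator, Optional, Tuple


def _norm(name: str) -> str:
    """Lower-case, strip the trailing dot; the root becomes '.'."""
    return name.lower().rstrip(".") or "."


def ancestors(name: str, include_root: bool = False) -> Iterator[str]:
    """Yield the name, then each parent up to the TLD (and the root if asked)."""
    labels = [l for l in _norm(name).split(".") if l]
    for i in range(len(labels)):
        yield ".".join(labels[i:])
    if include_root:
        yield "."


def find_chain_start(
    qname: str,
    trust_anchors: Dict[str, str],
    dlv_registry: Dict[str, str],
    dlv_domain: str = "dlv.example",   # constructed placeholder registry name
) -> Optional[Tuple[str, str]]:
    """Return ("anchor", zone) or ("dlv", zone) for the zone where validation
    can start, or None when the answer will be unsecured.

    trust_anchors maps zone -> key (configured locally, e.g. a signed TLD).
    dlv_registry maps DLV lookup names (<zone>.<dlv_domain>) -> key digest,
    standing in for the records a DLV registry would serve.
    """
    anchors = {_norm(z) for z in trust_anchors}
    for zone in ancestors(qname, include_root=True):
        if zone in anchors:
            return ("anchor", zone)        # normal DNSSEC chain starts here
    registry = {_norm(n) for n in dlv_registry}
    for zone in ancestors(qname):          # www.x.example.com, x.example.com, ...
        if _norm(f"{zone}.{dlv_domain}") in registry:
            return ("dlv", zone)           # chain starts at the DLV entry
    return None


if __name__ == "__main__":
    # Constructed sample data: one locally configured anchor for a signed TLD,
    # and one zone registered in the DLV tree.
    anchors = {"se.": "constructed-ksk-for-se"}
    registry = {"example.com.dlv.example.": "constructed-dlv-digest"}
    for name in ("www.mydomain.example.com", "www.host.se", "host.unsigned.net"):
        print(name, "->", find_chain_start(name, anchors, registry))
```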
Re:Looking for good/current Lynx for Windows/XP
I have used this one in the past:
http://www.fdisk.com/doslynx/wlynx/lynx_w32.2.8.2rel.1.zip
from this page:
http://www.fdisk.com/doslynx/lynxport.htm
No Cygwin libraries required. It worked fine for me, though it has not been updated in some time. I doubt you need to worry much about vulnerabilities in a text browser, especially if you only use it to examine your own pages. If you simply intend to scrape text from other people's web pages using a windows box, might I recommend using the QueryTables.Add method in an Excel macro, which has worked fine for scraping sites for me in the past and allows for relatively easy manipulation of the results.
Alternative Lynx windows binaries are posted here. The current release will compile with Borland C or Visual C++ 6 (with some tweaks), though I imagine it would take some major edits to get it to compile properly with the newer Visual C++ compilers.
Though for the command line usage you desire, Netcat would probably get the job done with a little fiddling. The official page is here, though the latest source release is no newer than Vulnwatch's WinNT binary.
Another alternative is simply to turn off images, javascript, java and css in Firefox, though I don't think there is any command line option for non interactive operation, but scripting acquisition of text from it wouldn't be that hard to do.
But being a GnuWin32 guy then a scripted combination of Wget and Sed or Gawk might be the best solution for you.
You could also just write a PHP or Perl script to do the job just fine, which might be the most sensible approach.
Anyway, the version of Lynx I mentioned above worked fine for me and did not result in any attacks, though I have only visited totally legit sites with it. -
Re:Oops !!
You obviously are lying. No self respecting slashdotter would use IE. Use a real browser.
-
If you have your own DNS...
Of course, if you're running your own BIND server on your NATted network, which forwards non-local queries to the upstream DNSs, you can use something like what ISC recommends in case of SiteFinder. In /etc/named.conf:
zone "COM" { type delegation-only; };
zone "NET" { type delegation-only; };
See their site for more info. -
False Flag Operation?
My bet is that it is a false flag operation by Vixie et al to concentrate power and control in his little pay to play club https://oarc.isc.org/
Of course, if he and his followers truly wanted to have a secure and resilient dns system, they would advocate using a distributed root system. Simply have a signed root zone (it's very small - 50K for the ORSC root zone http://orsc.net/ ), distribute it via BT or similar and have people who run a dns cache also run a local root. The data in the root zone has a fairly low churn rate so the zone could be updated once per day or even less frequently without causing major problems; certainly fewer problems than the bogging down of the root servers. Anyone who can run a dns cache can run a local root. I run them everywhere I run a dns cache. One way to do it: http://cr.yp.to/dnsroot.html
Suddenly, all this ZOMG! they are attacking the root becomes a non-issue and the dns system as a whole becomes extremely hard to attack in any effective way. And as freebie side effects dns lookup become faster, diagnosing dns problems is easier, people who are DOSing the root servers due to misconfiguration would instead be DOSing only themselves and their local servers (see the http://www.caida.org/ and other studies), traffic on the net drops and the sun shines brighter.
But that is not the objective and thus we are where we are - the objective is central control and an annoying type of elitism.
Karl, what about this stuff instead of the need for a strong centralized institution?
Paul Mockapetris, chief scientist at Nominum Inc. and founder of the DNS system, recently suggested that DNS operators keep a current copy of root zones in order to isolate themselves from future root-server attacks. Sexton points out that if local root zones were a common practice, DNS operators would seldom notice any root-server outages. An obstacle to this approach is the perception that it requires considerable technical expertise. Furthermore, the localized DNS automatically updates Root Zone data. This configuration allows the casual user to have up-to-date personal mirrors of root-server data without an intimidating hurdle of configuration. Such an approach could also be adapted for ISP or corporate DNS servers. The root-slave approach allows DNS operators to avoid the risk of future root-server attacks and, if implemented on a wide scale by individuals using a localized DNS or other DNS operators, it could reduce the motivation for future root-server attacks.
http://www.computerworld.com/securitytopics/security/story/0,10801,78500,00.html -
F machines
You can see the list of sites for F here:
http://www.isc.org/index.pl?/ops/f-root/sites.php
That's about 40 locations. Now, each of which has a couple of servers, a management box, and a couple of routers, so yeah something like 200 machines total. -
Those that provide an alternative to closed source
The big winners (to me) are those projects who provide a viable or better alternative to available closed source software and those that you'd put into a business and trust to "just work". To find them you need to test, test and test some more. My winners, those that spring to mind immediately as being trusted not to embarrass me, are
- mOnOwall - firewalling
- IPCop - firewalling
- Metadot - CMS
- Apache - web server
- Bind - Name Server
- asterisk - telephony/voip
- Sendmail - cussed but stable MTA
- SpamAssassin - spam filtering
- MIME-Defang - email content filtering/manipulation
- ClamAV - Virus filtering
- Freebsd - the best OS since sliced bread (IMHO)
- Centos - Not too shabby an OS either
- ...
-
Re:Because everything else is a RAM hog
-
Firefox isn't slow for me.
In fact, as a general rule I find that pages pop up pretty damned fast for me; faster than IE7 for a lot of sites. I don't know where all this "it's slow" is coming from. Speed has never been a problem for me with FireFox.
Maybe y'all are using Pentium II 333MHz boxes or something. From where I stand, IE7 might load a page in 1.23 seconds, versus Firefox in 1.26. Or the other way around.
As for the extra features, I like the spell check a lot, it's not bloat and it just works. The minimalist crowd is always very loud when it comes to bare-bones. Weighing in at less than 6MB for download, Firefox is still one of the more lightweight applications out there. If you want really bare-bones, I'd suggest looking here: http://lynx.isc.org/. -
Re:djbdns?
I haven't tried it, but you could probably set up a top level wild card domain, and force responses in it to be NXDOMAIN.
BIND v9 has a great Administrators Reference (bv9arm.pdf I think) that you should download and study if you want to do something like this. http://www.isc.org/sw/bind/arm93/Bv9ARM.pdf
Though you're probably better off looking into something like SQUID or some other internet proxy to do this internet access limitation... it will be more flexible. -
Run with JavaScript enabled, OK?
Just don't do it using MSIE.
Simple, eh?
Of the 4 browsers I have here, all are safer in JavaScript than MSIE (FireFox, SeaMonkey, Opera, Konqueror). Three of those are easily available for 'doze & even Konqueror can be made to work in it.
Er... sorry, I also have lynx, links & w3m available, plus Galeon and a few other GNOMEish built-ins kicking around. Spoilt for choice! -
Re:Not an issue.
I think you're better off erring on the side of explicitly listing domains that should be delegation-only - I'm sure de and museum aren't the only exceptions, but currently Cameroon are the only ones with an evil wildcard record that I know of.
zone "cm" { type delegation-only; }
http://www.isc.org/index.pl?/sw/bind/delegation-only.php -
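What the `type delegation-only;` declarations in the two named.conf snippets above (the "COM"/"NET" one and the "cm" one) actually enforce, modelled as an added Python example; this is a simplified re-implementation, not BIND's code, and the response fields, zone set and 192.0.2.x addresses are constructed for illustration.

```python
"""Model of the 'type delegation-only' check the named.conf lines above turn on.

A zone declared delegation-only may only hand out referrals to child zones
(plus its own apex data and DS records).  Any other answer its servers give for
a name below the zone cut, such as a wildcard-synthesized A record of the
SiteFinder kind, is rewritten to NXDOMAIN before it reaches the client.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Set, Tuple


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def is_subdomain(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


@dataclass
class Response:
    qname: str
    qtype: str
    rcode: str = "NOERROR"
    # (owner, type, rdata) triples from the answer section
    answer: List[Tuple[str, str, str]] = field(default_factory=list)
    # zone the responding server claims authority for (owner of the SOA/NS
    # records in the authority section)
    auth_zone: str = ""
    # for referrals: the child zone the authority-section NS records point to
    referral_to: Optional[str] = None


def enclosing_delegation_only(qname: str, zones: Set[str]) -> Optional[str]:
    """Most specific delegation-only zone containing qname, or None."""
    hits = [_norm(z) for z in zones if is_subdomain(qname, z)]
    return max(hits, key=len) if hits else None


def apply_delegation_only(resp: Response, zones: Set[str]) -> Response:
    """Return resp unchanged, or a copy rewritten to NXDOMAIN."""
    zone = enclosing_delegation_only(resp.qname, zones)
    if zone is None or _norm(resp.auth_zone) != zone:
        return resp            # not a delegation-only zone, or data from a child zone
    if resp.referral_to and _norm(resp.referral_to) != zone \
            and is_subdomain(resp.referral_to, zone):
        return resp            # a genuine referral: exactly what the TLD is for
    if _norm(resp.qname) == zone or resp.qtype == "DS":
        return resp            # apex records and DS legitimately live in the parent
    # Anything else the TLD's servers answer directly for a name below the
    # zone cut (a wildcard-synthesized A record, say) becomes NXDOMAIN.
    return replace(resp, rcode="NXDOMAIN", answer=[])


if __name__ == "__main__":
    delegation_only = {"com", "net", "cm"}
    # Constructed: a SiteFinder-style wildcard answer straight from the TLD servers
    wildcard = Response("nosuchname.com", "A",
                        answer=[("nosuchname.com", "A", "192.0.2.1")], auth_zone="com")
    referral = Response("www.example.com", "A", auth_zone="com", referral_to="example.com")
    print(apply_delegation_only(wildcard, delegation_only).rcode)   # NXDOMAIN
    print(apply_delegation_only(referral, delegation_only).rcode)   # NOERROR
```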
Thank you SiteFinder!
Thanks to SiteFinder, the fixes for this have already been developed. For example, BIND 9 allows the administrator to declare certain zones as being delegation only.
-
Re:Glove compartment?
> [parent sig]
> One Token Ring to Rule them All, One Search Engine to Find Them, One WAN to bring them in, and TCP/IP Bind them...
It should be "One Token Ring to Rule them All, One Search Engine to Find Them, One WAN to bring them in, and DNS to BIND them..."
;-) -
Not GNU and other Implementations
The NTP reference implementation, by Mills et al., is not GNU, nor is it GPL. It is a BSD-like license. Further, it is not a product of the GNU project, but has been moved to the ISC. You can find the copyright/license here.
There is also an OpenNTPD implementation, from the OpenBSD project. While early versions were considered harmful by the NTP community, I believe it is now accepted.
For Windows clients, I use Tardis.
-
Re:NTP gurus wanted... ?
fwiw, Tardis doesn't really do the full up NTP bag of tricks. If you're really serious about timekeeping on Windows, get the Windows port of the standard NTP distribution. See: http://ntp.isc.org/bin/view/Main/ExternalTimeRelatedLinks
The real NTP does a better job of disciplining the clock than Tardis and it's free to boot. We use the one by Terje Mathisen which is a straight port of the *ix versions, text config files and all. The Meinberg version IIRC has a GUI. -
Re:NTP is great, except if you need it in Windows
We use NTP on Windows, Linux, Solaris, etc. Our choice is the standard NTP client (see http://ntp.isc.org/bin/view/Main/ExternalTimeRelatedLinks#Microsoft_Windows), but it sounds like you already tried that.
What we do is to broadcast the time packets over the network then have the clients pick them up. So there's no "forced" synchronization with a central server. You might want to give that approach a try rather than having the clients poll the server frequently. We use this approach for the 1000+ machines in our building. -
Re:What about Microsoft?
time.nist.gov is a Stratum 1 server; it is poor internet etiquette to use it for trivial (end-user) reasons.
http://ntp.isc.org/bin/view/Servers/StratumOneTimeServers
"As the load on the hosts supporting NTP primary (stratum 1) time service is heavy and always increasing, clients should avoid using the primary servers whenever possible."
Just because NIST is being nice about it doesn't mean MS has to include it as a choice. -
Re:Netgear did the same thing a few years ago
> So D-Link units were making a NTP request, the request was denied by the server, but the D-Link engineers put it in their list of NTP servers anyway?
Yes, but worse and out of order .....
Check out NTP.org. Specifically check the Rules of Engagement, The Stratum 1 list, and RFC 1305.
Now looking at everything we have a protocol that involves 2 components, an implementation component and a social component. The actual implementation of the protocol is laid out first as "Format your request in this fashion and we will return the response looking like this...". However, it also has things for implementing request timing fallback and kill requests. The social implementation of the protocol is laid out in the RoE and the Server Lists - note the regional restrictions and the authorization requests in the server lists.
From the original article which evidently doesn't have any information on the open letter anymore - D-Link took the Stratum 1 list and shoved it into some of their router NTP lookup tables. That blows off the entire social aspect of the protocol - both the permissions and the structure.
Next they implemented only the request portion of the protocol; they ignore the backoff & get lost request structures - essentially forgoing the entire error correction portion incorporated into the RFC. So up to the point of manufacture they have 3 strikes against them:
- Failure to obey the Stratum structure of the NTP system
- Failure to follow the permissions structure of the NTP system
- Failure to properly implement the NTP connection protocol
From memory the conversation then went like this:
Dane: Your routers are hammering my server & they need to stop, you don't have permission & you're violating the rules.
D-Link: How cute, have a nickel & go get yourself some candy.
Dane: WTF? The exchange is going to charge me $8K to cover your protocol violations.
D-Link: It's not our fault & if it is talk to our Lawyer.
Lawyer: I won't talk to you unless you come to CA & argue your case.
At which point it devolved to an open letter & public shaming - which by the way seems to have worked.
[note] IIRC someone calculated the estimated bandwidth from the D-Link routers using Stratum 1 NTP servers to be enough to continuously flood a T1. So this isn't just an occasional knock on the door, it's pretty heavy usage for what amounts to a request packet and a response packet from each router.