Based in Paris (France)
Articles
Likes on articles
I work at AFNIC (the registry of .fr domain names), in the R&D department, on, among other things, DNS, security, statistics.
Website: http://www.bortzmeyer.org/
• 8 min read
There have been several calls for Russian Internet networks to be shut down in one way or another and announcements that Russia is going to make such cuts. In this article, Stéphane Bortzmeyer explores the issue from a technical point of view.
• 22 min read
There are several ways to create RIPE Atlas measurements, thanks to its API. Here, we present Blaeu, a set of tools to create one-off measurements, mostly to debug temporary issues.
• 2 min read
On 17 October 2016, a website hosted by the French Ministry of the Interior went offline when a large number of customers of the Internet service provider, Orange, were redirected to the site. The problem occurred after Google, Wikipedia and cloud provider OVH were mistakenly placed on a terrorism …
• 15 min read
This article explains how I use RIPE Atlas probes, the official API and custom scripts to debug network issues.
• 23 min read
More and more governments, authorities and courts are requesting censorship of Internet content. It is often done via a lying DNS resolver. Can we use RIPE Atlas probes to see it, and how?
• 7 min read
If you monitor your external Internet connectivity, you may wonder which machine is the best to ping. Hesitate no more - you can use RIPE Atlas anchors as landmarks.
• 7 min read
The techniques used by the L-root DNS server are documented in RFC 7108 "A Summary of Various Mechanisms Deployed at L-Root for the Identification of Anycast Nodes". These techniques can be used by the RIPE Atlas probes to find the instance of L-root they are talking to.
• 6 min read
Each RIPE Atlas probe has at least one DNS resolver, indicated by a DHCP reply on the local network of the probe. Irrespective of the IP address of the resolver, this server may have IPv4 and IPv6 connectivity or only IPv4 connectivity. What is the percentage among RIPE Atlas probes?
"This was a precursor to DNS." whois, a precursor of the DNS??? "IDN TLD's (Internationalised Domain Names in Unicode) were defined much later on in RFC5890 in 2010." No, seven years before (RFC 3490) "Some TLDs even need a registrar to send an email to the TLD management organisation to create register a new domain. A human then has to manually edit the zone" There is nothing wrong with that, if that suits their constituency. The whole point of decentralisation (a strong feature of the DNS) is the ability to have different policies. "the amount of servers" It is an useful information, yes, but less important than the "strength" of the servers. bortzmeyer.fr has eight name servers but cannot be compared to .de (six servers) "It [ICANN] sadly can't enforce it on the legacy ones" See my point above about the freedom brought by decentralisation.
"the NixOS infrastructure relies heavily on GitHub" Why? NixOS needs to contact Github daily like ChromeOS needs to talk to Google? And if it is just to update packages, aren't they alternative sources?
“These are all good points. I especially like the idea of search suggestions. Another useful refinement would be to default search results newest first and oldest last. At the moment, documents and pages are mixed together and not ordered by date. This can make searching for the one document you want a real slog.”
As an example, searching "IP address" returns the RIPE NCC Activity Plan 2012 :-)
Many people visiting RIPE Web site have a RIPE Access account. Are there plans to use their search history to provide context, which helps a lot in Web search? (And also raises a lot of touchy privacy issues. IMHO, "anonymous" users, those not logged in RIPE Access must be excluded of this feature. But the privacy issue also holds for logged-in users.)
I'm not sure about the consequences. Does it mean that Afrinic could lose its accreditation?
I like the IP address 2610:a1:1072::1:42 since the name is an IDN. But, alas, no DNSSEC.
"They may also receive more spam and phishing e-mails, since modern e-mail security protocols rely on DNSSEC as well." I would like to see email servers use SPF, DKIM and DMARC records only if they have been validated with DNSSEC but I strongly doubt it is the case today.
Developping something new (no installed base) and mission-critical in C, today, is a bit strange. Why not using a safer language?
Nice and useful article. For OpenDNSSEC, the important parameter is named Jitter and is enabled by default. Check that you have something like "<Policy name="default">...<Signatures>... <Jitter>PT12H</Jitter>" It would be nice to document here how it is done for other signing programs.
Great survey, thanks for this work. Indeed, the variations in EDE are funny. For bogus.bortzmeyer.fr, Unbound (and 1.1.1.1) say "9 (DNSKEY Missing)", 9.9.9.9 say "10 (RRSIGs Missing)" and Knot-Resolver say "12 (NSEC Missing)"
Showing 56 comment(s)