June 23rd, 2024

The prevalence, persistence, and perils of lame delegations (2021)

The Domain Name System (DNS) translates domain names to IP addresses. Lame delegations, which cause resolution delays and security risks, stem from unreachable nameservers and misconfigurations. Passive analysis of zone files can detect them; in the .BIZ domain, 50% of nameservers were found to be lame.


The Domain Name System (DNS) plays a crucial role in translating domain names to IP addresses on the Internet. A delegation is lame when a nameserver listed for a domain fails to answer authoritatively for it, which leads to both performance and security problems. Lame delegations delay resolution of the affected domains, add load to the network and to the wrongly listed nameserver, and create security risks such as domain hijacking. Causes include unreachable nameservers, misconfigurations, and nameserver hostnames under domains that have expired. Passive analysis of zone files can identify many lame delegations without any active querying. The study found that nearly 50% of nameservers in the .BIZ domain were lame delegated as a result of registrar practices. Because lame delegations tend to persist, the resolution penalty and the exposure to takeover last as well. Active measurements showed that lame delegated domains take significantly longer to resolve than properly configured domains. The study emphasizes the prevalence and risks of lame delegations and argues for better DNS management practices to preserve Internet resilience and security.
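As an added example (not code from the paper or from this page), the passive zone-file check described above, reduced to one cause the summary names: a delegation whose nameservers sit under a domain that is itself no longer delegated in the same TLD, so the nameserver names cannot resolve and the delegation is lame. The zone excerpt, the domain names, and the simplified record layout are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed zone-file excerpt in a simplified "owner IN NS target" layout
# (not real .biz data). "expired-dns.biz" has no delegation of its own, so the
# nameservers under it can never be resolved from this zone.
ZONE_FILE = """\
example.biz.        IN NS  ns1.example.biz.
example.biz.        IN NS  ns2.example.biz.
ns1.example.biz.    IN A   192.0.2.10
ns2.example.biz.    IN A   192.0.2.11
shop.biz.           IN NS  ns1.expired-dns.biz.
shop.biz.           IN NS  ns2.expired-dns.biz.
other.biz.          IN NS  ns.hosting.example.
"""

NS_LINE = re.compile(r"(\S+)\s+IN\s+NS\s+(\S+)")

def parse_delegations(text):
    """Map each delegated domain to the list of nameservers named for it."""
    ns_records = defaultdict(list)
    for line in text.splitlines():
        m = NS_LINE.match(line)
        if m:
            ns_records[m.group(1).lower()].append(m.group(2).lower())
    return ns_records

def registrable(name, tld):
    """Second-level domain of a hostname under the given TLD, else None
    (a nameserver in another TLD cannot be judged from this zone alone)."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != tld:
        return None
    return ".".join(labels[-2:]) + "."

def find_lame_delegations(text, tld="biz"):
    """Passive check: nameservers whose parent domain in this TLD has no
    delegation in the zone (expired or never registered) are flagged as lame."""
    ns_records = parse_delegations(text)
    delegated = set(ns_records)
    lame = {}
    for domain, servers in ns_records.items():
        bad = [s for s in servers
               if registrable(s, tld) and registrable(s, tld) not in delegated]
        if bad:
            lame[domain] = bad
    return lame

def unresolvable(text, tld="biz"):
    """Domains for which every listed nameserver is lame by the check above."""
    ns_records = parse_delegations(text)
    lame = find_lame_delegations(text, tld)
    return sorted(d for d, bad in lame.items() if len(bad) == len(ns_records[d]))
```

Nameservers outside the TLD (here `ns.hosting.example.`) are left unjudged, since confirming them requires either that TLD's zone file or an active query for the AA flag.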

2 comments
By @m3047 - 4 months
Lame delegations are a scourge, like untreated venereal disease; often accompanied by a similar refusal to acknowledge externalities... or that there's any problem at all: works for me! But the DNS community, or bright people trying to do other things with DNS (I'm one of them), often bring it on themselves.

For instance, let's just go down the "until they find a server that isn't lame" rabbit hole: let's look at a server which isn't actually authoritative for the domain it serves. Maybe they're all lame, sorry.

It could be a recursive, and it should be obvious that AA isn't present in the response. But in the real world, people with their own root are forced to lie in order to publish data in the public (root) namespace. This is baked into server configs as forwarding zones for those too lazy to recompile BIND to always return AA. Not that anybody checks, the DNS still works, so why bother? But the root (ha ha, pun!) of the problem is the obsession with One True Root which is staunchly defended by ICANN, kind of like the petrodollar.

Or it could be authoritative, but not for the zone for which it is properly delegated. Take my ISP, please. They impersonate the people who delegate their /17 in reverse DNS; I assume it's because they're too lazy or incompetent to manage 128 /24s. Fun fact: sometimes recursives subsisting on this diet of excrement report that they ARE authoritative for the delegator's /16! The delegator doesn't care, they block email reports from their own /17 so no worries about anyone cleaning up after GG Allin finishes his show.

But the DNS authoritahs bring it on themselves: "Additionally, the queries to lame delegated nameservers represent additional load on the network, and at the incorrectly delegated nameserver. For example, incorrectly configured domains represent 12% of queries to GoDaddy nameservers: one out of eight queries received by a GoDaddy nameserver is a lame query, a query for which the GoDaddy nameserver is not authoritative." Cry me a river. Qname minimization can effectively double the number of (unprimed) queries required to resolve a name. Coincidentally, qname minimization issues requests which are intended to fail (hoping for SOA) and NS requests which are unnecessary under the archaic recursion algorithm which they vigorously defend by farting in a different direction. Needless to say, qname minimization doesn't work well with lame servers.

I could go on, but I won't.