Hi NZNOG Community,
I hope you are all looking forward to APRICOT 2014 which will start next
week. The Workshops are from Tuesday, 18 to Saturday, 22 February 2014
and the Conference is from Monday, 24 to Friday, 28 February 2014.
If you are unable to attend in person, you can still join the conference
remotely. Some of the conference sessions will be broadcast live.
Please refer to the program for more information.
Please note: Registration is now *mandatory* to watch the live webcast
and participate remotely. Registration is free and you can register now
to receive your login details.
I hope to see you all in person or online at APRICOT 2014.
Straight after the conference, I enabled validation on a resolver that handles in excess of 2 million queries/day.
So far I have no negative impact to report either :)
I support Andy & Dean's comments. Just turn it on already!
Wearer of Many Hats
On 11/02/2014, at 12:20 PM, Dean Pemberton <nznog(a)deanpemberton.com> wrote:
> Dave Mill (Inspire) stood up at NZNOG and clearly said that for them
> that never happened.
> Just turn it on.
> On Tue, Feb 11, 2014 at 11:51 AM, Nathan Ward <nznog(a)daork.net> wrote:
>> I've been talking about this with one of my customers recently, and there's
>> a concern by some that turning on validation will trip false positives -
>> which for an ISP is a bad thing to do - all the customer sees is that you
>> 'don't work' while the other ISP does.
>> Is there public data available re. this? Does it likely vary much for NZ?
>> Nathan Ward
I am developing InternetNZ's submission to the Justice and Electoral
Committee on the Harmful Digital Communications Bill. I'd like to ask this
list for some feedback on one issue in the Bill, in particular.
Clause 15 of the Bill reads:
(1) A District Court or the High Court, as the case may be, may appoint a
technical adviser to assist it in considering and determining an
application for an order under section 17 or any appeal under section 72
of the District Courts Act 1947.
(2) The duties of a technical adviser are--
  (a) to sit with the court; and
  (b) subject to subsection (3), to act in all respects as an extra
  member of the court.
(3) The court must appoint a technical adviser if the court is
considering an application for an order under section 17(2)(a) or (b) or
(4) The Judge may give any weight to the technical adviser's advice that
the Judge thinks fit, and the Judge alone must determine the application or
(5) The Minister must maintain a panel of persons who may be appointed
under this section as technical advisers, and only persons named on the
panel may be appointed under this section as technical advisers.
(6) The chief executive must pay technical advisers the remuneration and
allowances determined from time to time by the Minister.
For reference, the remedies referred to in cl 15(3) are: takedown of
content/disabling access thereto; identification of an anonymous author;
and, somewhat strangely, making an order against parties not before the
*What I am after in the first instance relates to the advice of the
technical advisor. *
*If the advisor were to issue a report of some sort to the judge,
explaining the impact - economic, administrative, technical - of a takedown
order on the intermediary, what do you think that advice should cover? *
How can this advice, if it were published, serve as evidence for
policymakers in the future, helping them avoid making remedies (takedown
orders, etc) that are a burden to intermediaries or have a negative
FWIW, I think that 17(2)(c) and (d) orders - publishing corrections and
providing rights of reply - should also be considered in technical advice.
There are of course, many different flavours of intermediaries. The OECD
has categorised intermediaries in the following way:
1. ISPs (carriers)
2. hosting providers
3. search engines
4. e-commerce intermediaries
5. Internet payment systems, and
6. participative web platforms
For the purposes of the Bill, we can consider intermediaries in two broad
categories - content hosts and IPAPs (functionally - the IPAP language is
not in the Bill, but I believe that IPAPs (meaning carriers in their
IP-matching function) could be read into the current definition of "online
content host" in the interpretation section).
Thanks to those interested for your time and consideration, and please pose
questions if you have them. I'd be grateful for your feedback by COB Friday.
Senior Policy Advisor
We have an office in the US (Los Angeles) and I'm having issues with our
current internet provider and we are looking to change.
Does anyone from NZNOG have any references/recommendations they could give
me for a supplier in LA that can provide decent IP & SIP trunk services?
Replies off-list much appreciated :)
This is a reach out for anyone else using Cisco881g / Cisco887vag routers
with 3G backup.
We have just started getting the new routers into stock that use the new
cellular modems. Our normal connection scripts don't work any more and we
have been unable to find the required connection details for either
Vodafone or Telecom connections.
I am hoping in exchange for BEER, someone out there has worked it out.
(We have a pending case with TAC but I hope this will be faster).
Currently we are using:
chat-script gsm "" "ATDT*99#" TIMEOUT 30 CONNECT
!
controller Cellular 0
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 ip virtual-reassembly out
 encapsulation slip
 dialer in-band
 dialer string gsm
 dialer-group 1
 async mode interactive
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip nat inside source list 1 interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
!
access-list 1 permit any
dialer-list 1 protocol ip permit
!
line 3
 exec-timeout 0 0
 script dialer gsm
 modem InOut
 no exec
 transport preferred none
 transport output none
The issue is that the dial script always times out. Hopefully this is all
recognizable to someone who has gone through the same pain as we are.
Thanks in advance.
I am currently seeking any NZ providers who would meet the following requirements:
Being able to rent dedicated servers at reasonable market pricing,
Being able to provide us with a /24 IPv4
Being able to set up a Vyatta VM to act as our router via a direct BGP session to said provider
If you can meet these requirements, I am eager to meet you :D
Please respond off-list if you can meet this requirement
Network Administrator / Network Operations Manager
"No trees were harmed in the making of this email, however a large number of electrons were terribly inconvenienced."
At the recent NZNOG meeting in Nelson, Geoff Huston from APNIC gave a talk
on DNSSEC and had some interesting statistics about the use of validating
resolvers for DNS and DNSSEC.
For DNSSEC to work there are two parts of the equation that need to happen:
1) People need to sign their zones
2) People need to ask the question "is this zone signed" etc.
I want to talk about 2)
Geoff noted that a number of countries that we might not expect to be high
on the list of those validating the responses using the DNSSEC technology
were way ahead of the rest of the world. I haven't got the exact numbers
here - I expect his presentation will appear shortly and there's likely to
be a video of it at some stage at http://www.r2.co.nz/20140130/ - but from
memory the global average is about 7% usage of validating resolvers.
New Zealand is a dismal <2% and I'd like to challenge you all to do
something about that. And we're way behind the Australians....
Geoff pointed out that the high rate elsewhere is due to a large degree to
the number of people using Google's Public DNS servers and while that looks
attractive and an easy way to improve those numbers I'd ask you not to go
down that path. You need to do this yourself (or at least as close as
possible to the end user). If you use someone else's resolver then your
traffic can be intercepted en route to the validating resolver => man in
the middle attack => game over.
And of course, handing this data over to a centralised collection agent
makes the work of anyone who wants to snoop on you much, much easier.
It's not about Google's servers - this applies equally to public servers
run by anyone. DNSSEC validation is not real validation unless it's
performed end to end or at least as close as possible to that. A number of
NZ ISPs provide this service to their customers with their in house
resolvers and those of you who don't should really be looking at when you
will do this.
Those people who have signed their zones are making assertions about how
they want their DNS data to be interpreted. They're saying that unless you
validate their DNS data they really don't want you to connect to them. You
should be taking notice of this. But then maybe you just ignore broken
certs on websites etc.
So what should you do?
Check here - http://dnssec.vs.uni-due.de/
Or use - https://www.dnssec-validator.cz/
Ask your ISP/admins to fix this.
If you're running a resolver for customers do the work to get it
Plenty of info out there on how to do this for Bind and Unbound and I'm no
Windows expert but this looks straightforward:
Before I get spammed to death about the videos....
We got back to base on Wednesday night, late.
We got the tapes on Friday and have been processing over the
weekend. It's pretty well all edited.
One node ran out of disk last night and so is repeating today.
Uploading is a slow process as the addition of HD footage added at
least 200% more data. That's why I asked if HD was of interest. (It's
distribution grade HD rather than the higher bit-rate contribution HD)
As we do the upload, we're also doing an idiot check on files, web
pages etc, so there may be some reruns. But I expect that we should
have it all available by the end of this week. We have another job
starting tomorrow, which also consumes our evenings, so there's a bit
of a time squeeze going on.
I'll update the list when the files are available.
At 11:35 a.m. 11/02/2014, Andy Linton wrote:
>At the recent NZNOG meeting in Nelson, Geoff Huston from APNIC gave
>a talk on DNSSEC and had some interesting statistics about the use
>of validating resolvers for DNS and DNSSEC.
>and there's likely to be a video of it at some stage at
>http://www.r2.co.nz/20140130/ - but
>from memory the global average is about 7% usage of validating resolvers.
The video is available at http://www.r2.co.nz/20140130/geoff-h.htm
The others are rendering and uploading.
The recording is large and currently filling the CDN cache, so if it
doesn't play well - wait - it's a large file.
As an option there is an HD version. It's a large file also (>1GB) so
takes even longer to load and requires a decent CPU to play back.
Dual-core or better.
Feedback on the value of HD footage would be interesting. It's slowing
down the render and upload process, so if it's not of much value, we
can speed things up.
The other videos should be available in a day or so.