Hi everyone,
Please can you recommend a domain registrar that won't treat me like poo and that won't force me to use their name servers so I can host my own DNS? Reasonable pricing and someone that doesn't throw up needless obstacles to leaving would be a plus.
Thanks,
Paul.
Anyone been having difficulties using pear, curl, etc. to other domains
lately? I've started getting the following when trying to use PEAR:
    # pear list-all
    Connection to `pear.php.net:80' failed: Connection timed out
If I try to send a cURL request to the majority of domains I get the same
issue (though curl www.google.co.uk is fine).
Hi,
TL;DR
-----
DNSSEC validation will be enabled on BitFolk's resolvers on Monday
29th April.
The Plan
--------
After consultation¹, we've come up with a plan for enabling DNSSEC
validation on BitFolk's resolvers:
0. As of Wednesday 27th a test resolver has been available on
   85.119.80.243, with validation enabled. You can either query
   through it directly, e.g.:

       dig -t a www.dnssec-failed.org @85.119.80.243
       dig -t txt test.dnssec-or-not.net @85.119.80.243

   or replace all IPs in your /etc/resolv.conf to send all your DNS
   queries through it.

1. Sometime on Saturday 30th March (tomorrow) we'll enable Unbound's
   "permissive mode" which performs validation and logs errors but
   always passes answers back to clients anyway:

       http://unbound.net/documentation/howto_turnoff_dnssec.html

   Note that this can give the impression that DNSSEC is in use, but
   it is strictly for testing and you are achieving no security
   benefit while this setting is in effect.

2. Around Saturday 6th April we'll review the logs to see what sort
   of impact real validation will have.

   We will not be examining each and every failure and we will not
   be providing per-customer details; it is your responsibility to
   make use of the test resolver if you wish to test your own
   queries.

3. Provided the results of stage 2 are not too shocking, validation
   will be switched on sometime on Monday 29th April, deliberately a
   working day so that those of you using your VPSes for business
   purposes will hopefully be around to spot any issues in the
   unlikely event of anything breaking.

Frequently Asked Questions
--------------------------
- What is DNSSEC?

  DNSSEC is a means by which DNS domain owners can digitally sign
  records in their zones, so that DNS resolvers can check that the
  answers they are receiving have not been tampered with at any
  stage.

  Aside from routine mangling of DNS responses done by local
  resolvers not under your control (think: the built-in DNS resolver
  in the access point of your hotel, or an ISP resolver that for
  some reason is set to monetise particular kinds of queries), there
  are other threats such as the hijacking of DNS for popular or
  critical sites.

  Additionally, digital signing of zone content is needed before you
  can trust other secure data that might be stored in the DNS such
  as cryptographic public keys, e.g. SSH host keys and DANE data.

  RFC 3833 - Threat Analysis of the Domain Name System (DNS):
  http://tools.ietf.org/html/rfc3833

  If a DNS zone is DNSSEC-signed but the signatures fail validation,
  the query will typically fail with a SERVFAIL response instead of
  the expected answer.

- Do I need to do anything?

  No; validation is configured in the resolver, and BitFolk runs the
  resolvers that are listed by default in your /etc/resolv.conf.

  More and more resolvers will start enabling DNSSEC so you may like
  to test it out for yourself ahead of time though.

- I'm running a DNS server on my VPS for my domain. Do I need to change
  anything?

  No; this is about the DNS resolvers you use which are defined in
  your /etc/resolv.conf, not any DNS server you might be running to
  serve authoritative DNS data. Whether or not you enable DNSSEC
  signing for your domain is a separate (and more complicated)
  issue.

- Does this mean bitfolk.com will be DNSSEC-signed?

  No; having resolvers that validate DNSSEC signatures is a necessary
  first step before we can consider DNSSEC-signing bitfolk.com and
  bitfolk.co.uk.

- Am I secure as soon as this is enabled?

  Only if the domains you query have enabled DNSSEC. And only for
  the things that DNSSEC actually protects you against.

If you have any further questions about any of this, please do reply
here or contact us off-list at support(a)bitfolk.com.
Cheers,
Andy
¹ Thread on users list starts here:
http://lists.bitfolk.com/lurker/message/20130326.230706.21113786.en.html
--
http://bitfolk.com/ -- No-nonsense VPS hosting
> The optimum programming team size is 1.
Has Jurassic Park taught us nothing? — pfilandr
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
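
Added example, not part of the original announcement: a shell helper that tells a validating resolver apart from one in Unbound's permissive mode or one with no validation, using two dig outputs. The function names, the constructed sample dig headers and the second argument (a correctly signed name of your choosing) are assumptions; it relies on a validator answering SERVFAIL for the broken www.dnssec-failed.org and setting the AD flag on answers it has validated.

```shell
#!/bin/sh
# Added example. Sample dig headers below are constructed, not captured output.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOERROR_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Print the response code (NOERROR, SERVFAIL, ...) from dig's header line.
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the "ad" (authenticated data) flag is set in the reply.
dig_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# $1 = dig output for the deliberately broken name,
# $2 = dig output for a correctly signed name.
classify_resolver() {
    b_status=$(dig_status "$1")
    s_status=$(dig_status "$2")
    if [ "$s_status" != NOERROR ]; then
        echo unknown          # resolver fails even for the good name
    elif [ "$b_status" = SERVFAIL ] && dig_has_ad "$2"; then
        echo validating       # bogus data withheld, good data marked AD
    elif [ "$b_status" = NOERROR ] && dig_has_ad "$2"; then
        echo permissive       # validation runs, bogus data still returned
    elif [ "$b_status" = NOERROR ]; then
        echo non-validating   # no AD anywhere, bogus data returned
    else
        echo unknown
    fi
}

# Live probe (needs network): probe_resolver 85.119.80.243 <signed-name>
probe_resolver() {
    broken_out=$(dig +dnssec -t a www.dnssec-failed.org "@$1")
    signed_out=$(dig +dnssec -t a "$2" "@$1")
    classify_resolver "$broken_out" "$signed_out"
}
```

A result of "permissive" matches the stage 1 warning: answers for signed zones look authenticated, yet a zone with broken signatures still resolves.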
Hello,
I need to renew a RapidSSL wildcard SSL certificate and I feel like
shopping around. Who on this list sells them or knows people who do?
Must provide VAT receipt, or else be so cheap that the inc VAT total
is still cheaper.
People from a certain other mailing list will probably recommend
MDH, so I've already sent a query in that direction. Just thought
I'd see if anyone here is reselling.
Thanks!
Andy
Hi.
Did anyone else have problems with the Debian bind update last night? I
woke up to find it'd hung during the update (I have cron-apt set to
autoupdate), and I'd been without a DNS server for 6 hours.
(yes, I know I'm taking risks with auto update etc)
Michael
Hi,
At approximately 00:45Z this morning, customers with DNS domains
hosted by BitFolk would have started receiving lots of CRITICAL and
then RECOVERY alerts which went on through the night. Also,
customers who monitor external DNS servers with their own software
may have seen similar issues.
This was due to rate-limiting of UDP/53 traffic put in place by our
transit provider without our prior knowledge. I have been in
discussion with them and the change was backed out at around 08:20Z.
There is no need for you to take any action.
We are still investigating the full extent of what took place. If
you have any evidence that DNS queries (other than those from your
monitoring software) failed, I would be interested to know. Please
do let me know off-list.
Now that the rate-limiting is disabled I do not expect further
problems but I will follow up on what happened when I have more
information.
Cheers,
Andy
Hi,
Given that Google's Public DNS recently enabled DNSSEC validation:
http://googleonlinesecurity.blogspot.co.uk/2013/03/google-public-dns-now-su…
it's probably way beyond time to make some serious effort to enable
this at BitFolk.
Unbound is used here for resolvers:
http://unbound.net/
but it doesn't currently have the "validator" part enabled.
Since it is possible that there will be domains out there that have
broken DNSSEC records but nobody yet noticed (a lot less likely now
that Google's DNS validates), I don't think it would be acceptable
to just turn on validation with no notice. We're going to give you
at least 30 days of notice.
Is there anything more that you think should be done?
We could put up a test instance of Unbound with validation enabled
and you could switch to using it, to see if anything breaks. Is that
something that any of you think you would bother with?
On to logging.
Should validation failures be logged on production resolvers? On the
plus side, if you are experiencing one then you could ask us to look
in the logs to see why. On the negative side, it means we'll
casually stumble across records of tons of queries that customers
make, which is a privacy concern.
Note that if you are particularly keen on DNSSEC validation then
there's nothing stopping you installing a DNS resolver on your own
VPS today and using that.
Also that in theory enough diagnostic sites exist out there for you
to not need resolver logs.
Cheers,
Andy
Hi,
Although BitFolk only officially supports 32-bit VMs at present, a
couple of customers have installed 64-bit Linux distributions. They
have then found the rescue environment not particularly useful since
its 32-bit kernel can't execute any of their binaries.
I have now done an upgrade of the rescue environment's image to
Debian wheezy and used a 64-bit install. An x86_64 kernel can
execute i686 binaries as well, so this will work for everyone and is
in any case a prerequisite for supporting 64-bit installs.
For more information on the rescue environment:
https://tools.bitfolk.com/wiki/Rescue
(General support for 64-bit installs is still not here, but is not
far off, and is a topic for another day)
Cheers,
Andy
Hi,
Between around 1715Z and around 1940Z today there was intermittent
packet loss on both IPv4 and IPv6 to some destinations.
This coincided with some planned maintenance by our transit provider
so it was initially thought that something had gone wrong there. It
has so far been determined that it was actually a problem at the
LINX peering point, and unrelated to their maintenance.
Now that they've shifted traffic temporarily away from LINX the
issue appears to have been resolved.
Apologies for any disruption this may have caused you.
Cheers,
Andy
Hi,
I've been having a VNC issue to a Xen Windows guest where the VNC
viewer reports it has disconnected if I raise the Windows desktop above
a certain resolution. Unfortunately, I now have a situation where I
can't connect at all because the rez is above that value and I can't
turn it down... because I can't get connected because VNC dies.
Someone said I should really change from using QEMU+VNC to SPICE to
provide my remote desktops (I understand it also either does or will
provide cool stuff like remote audio and USB support). I've looked at
the SPICE website and I'm really not getting the documentation. I'm not
even sure if it's already installed on Xen 4.2.0.
Is there anyone that has used SPICE that could give me the quick
introduction please?
Thanks,
Paul.