Who | What | When | |
---|---|---|---|
*** | shansa has quit IRC (Quit: leaving) | [00:03] | |
RandalSchwartz | shutdown -h now turns on "power off" processing
works better in virtualbox, anyway | [00:11] | |
*** | nakano is now known as nakano_ | [00:19] | |
........ (idle for 35mn) | |||
smokey_ has joined #arpnetworks
smokey_ is now known as yekoms | [00:54] | ||
..... (idle for 20mn) | |||
schmir has joined #arpnetworks
LT has joined #arpnetworks | [01:14] | ||
nakano_ is now known as nakano | [01:26] | ||
........................ (idle for 1h57mn) | |||
schmir has quit IRC (Remote host closed the connection)
schmir has joined #arpnetworks
schmir has quit IRC (Remote host closed the connection) | [03:23] | ||
schmir has joined #arpnetworks | [03:38] | ||
.......... (idle for 48mn) | |||
ziyourenxiang has joined #arpnetworks | [04:26] | ||
............ (idle for 57mn) | |||
Lefty has quit IRC (Remote host closed the connection)
ziyourenxiang has quit IRC (Quit: ziyourenxiang) | [05:23] | ||
............. (idle for 1h4mn) | |||
shansa has joined #arpnetworks | [06:28] | ||
........ (idle for 37mn) | |||
shansa has quit IRC (Quit: leaving) | [07:05] | ||
........ (idle for 35mn) | |||
Ehtyar has quit IRC (Remote host closed the connection) | [07:40] | ||
.... (idle for 17mn) | |||
unenana has joined #arpnetworks
unenana has quit IRC (Client Quit) | [07:57] | ||
.... (idle for 17mn) | |||
schmir has quit IRC (Remote host closed the connection) | [08:17] | ||
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer | [08:23] | ||
......... (idle for 44mn) | |||
schmir has joined #arpnetworks | [09:07] | ||
LT has quit IRC (Quit: Leaving) | [09:16] | ||
schmir has quit IRC (Remote host closed the connection) | [09:26] | ||
schmir has joined #arpnetworks | [09:32] | ||
schmir has quit IRC (Remote host closed the connection) | [09:38] | ||
schmir has joined #arpnetworks
schmir has quit IRC (Remote host closed the connection)
wallshot has joined #arpnetworks | [09:51] | ||
wallshot | seems after you hit "professional" level on the he.net ipv6 certs, godaddy dns no longer cuts it
they serve up AAAA records, but they aren't themselves on ipv6 | [09:53] | |
*** | nakano is now known as nakano_ | [09:58] | |
RandalSchwartz | too bad
not ipv6 ready lots of them aren't hover.com for example | [10:01] | |
*** | Lefty has joined #arpnetworks | [10:02] | |
wallshot | it's a shame, because it's SO easy to get on ipv6
and bind it to your ns any company with half a budget shouldn't have a problem with it | [10:04] | |
RandalSchwartz | there's a lot of legacy code, and some people don't understand how close we are, or disagree with it | [10:06] | |
toddf | disagree. muhahahahaha. that's tame. I've had people shout at me that IPv6 is doomed to failure because of its academic qualities and ignorance of the past. (academic qualities = too many options, initially no PI space for companies, etc; ignorance of past = early v4 adopters got grandfathered clauses of royalty free IPv4 PI space; so `ancient' internet gurus have to suddenly fork over $2500 per year for similar in IPv6 land w/no option of multih | [10:09] | |
wallshot | boo hoo | [10:10] | |
toddf | note I'm not one of the early adopters (although had I been clueful enough at the time I should have been *sigh*) and I ignore the academic fluff that makes life !fun; I get more IPs than I have systems with IPv6 and I can't fork over $1k/mo just to get `justifiable' IPv4 addresses that are not multihomed anyway, so IPv6 looks much better to me the way I run my home and office nets at this point in time ;-)
and $1k/mo would get me 1/4 the bandwidth I currently have .. yay | [10:11] | |
wallshot | well
the same people who hoard diamonds and rubies would love to keep hoarding a decreasing supply of ipv4 in an increasing demand environment just keep raising the price and making money off of not actually doing anything other than shouting "dibs!" first like domain squatters i don't see how "we want to control all the spice" is a valid justification for preventing the release of spicev6 | [10:12] | |
toddf | with the internet though it encourages more nat layers. sucks even more. mobile phone operators justify IPv6 with battery life and customer happiness due to no NAT on the firewall so persistent long lived tcp connections vs re-transmitting packets to twiddle the states in an aggressively timing out nat firewall .. makes sense to me ;-) | [10:14] | |
wallshot | ooh didn't know the telco argument in favor of ipv6, that's neato
yeah nat is sorta an ugly hack tho i do consider NAT a major part of my windows security precautions ;) | [10:14] | |
toddf | it's not so much "we want to control" from their perspective as it is "if we are to make the transition and even play in the new stuff, how is $2.5k/yr for !equivalent anything but disincentive?"
let me explain a myth away NAT does not provide any security if you have a properly setup firewall | [10:15] | |
wallshot | not "any" security? | [10:15] | |
toddf | which does not permit any packets in only outbound connections you get the same security as NAT with publicly numbered windows systems | [10:15] | |
wallshot | you gonna be able to winnuke my 192.168 windows box from the internet?
yes you could do that too | [10:15] | |
toddf | NAT does not in itself provide any security | [10:16] | |
wallshot | though most home routers don't give you shit for control over the firewall | [10:16] | |
toddf | it is the firewall policy that does | [10:16] | |
wallshot | you just said it yourself
NAT has the same effect as certain firewall policy | [10:16] | |
toddf | correct | [10:16] | |
wallshot | obviously you could use firewall instead of nat | [10:16] | |
toddf | at least you acknowledge the two are equivalent | [10:16] | |
wallshot | but my home router doesn't offer me choices about what "firewall enabled" actually means
yes | [10:16] | |
toddf | I've had ``security experts'' literally kick me out of being service provider for $client because they said my plan to publicly number windows systems is stupid and a bad security decision because nat is security blah blah | [10:17] | |
wallshot | i acknowledge it only buys the "no random connections from public internet onto my tcp/139 open windows machine
pffffff nat's "security" is like a side effect of the hack to get more ip space | [10:17] | |
RandalSchwartz | apparently, ios v4 is ipv6-ready
v3 isn't though and AT&T isn't ready everywhere yet | [10:19] | |
toddf | NAT's ``security'' is a side effect of the `optimize for the common scenario' when everyone is using it. there are so many NAT environments that the cookie cutter factories have found that firewalls w/out nat are so uncommon that they just optimize that option out of the equation and make boatloads due to their `simple' little devices ;-(
cisco ios has had IPv6 for a long time, some bigger routers don't do IPv6 in hardware like they do IPv4 hence some big players won't budget | [10:19] | |
RandalSchwartz | you could get exactly what nat is doing for you with a stateful firewall | [10:20] | |
toddf | tmobile has a publicly announced IPv6 trial going
comcast has a publicly announced IPv6 trial going I wish cox did, but 1 out of 2 in the US isn't bad .. now I just need a N900 so I can talk IPv6 from OpenBSD over the tethered connection and I'd be right as rain randalschwartz: see the top of the discussion, that's what I stated, in different words | [10:20] | |
wallshot | yeah i've used ipf happily for that. haven't dived into pf yet tho :/ | [10:22] | |
toddf | wallshot: you'll be surprised how `simple' pf is ... | [10:22] | |
RandalSchwartz | yeah, I picked up pf in no time
just start simple. | [10:27] | |
*** | shansa has joined #arpnetworks | [10:33] | |
wallshot | i found ipf to be simple after ipfw
no more rule numbers to organize was handy tho obviously there were pros/cons with that change | [10:33] | |
............... (idle for 1h10mn) | |||
jpalmer | wallshot: what is your username on he.net's cert thing? | [11:44] | |
wallshot | jprather
i bumped myself up a bit today :) am on to the add-glue step course i have no friggin clue wtf glue is so i'm googling a bunch :) | [11:46] | |
jpalmer | I saw, thought that was you.
in your registrar.. it's where you setup a new nameserver for like ns1.yourdomain.com the "glue" is the IP you associate with it. they're looking for an IPv6 record. | [11:47] | |
wallshot | oh
i already ... wait no i used hostnames i had to use he.net's dns since godaddy's had no ipv6 of its own | [11:49] | |
jpalmer | if you used someone else's DNS servers, you didn't need glue records. | [11:50] | |
wallshot | ns2.he.net through ns5.he.net seem to all be dual stacked | [11:50] | |
jpalmer | yes, but there won't be any glue records for ns?.he.net for your domain. those glue records will only exist for the he.net domain
I guess we should start with what a glue record actually does. ;) | [11:51] | |
wallshot | hah i'm sure there's a page that can save you some breath :) | [11:51] | |
jpalmer | lets say I own foo.com, and I want to run my own nameserver.. ns.foo.com
I go tell my registrar "use ns.foo.com" | [11:51] | |
wallshot | right | [11:52] | |
jpalmer | now, someone else comes along.. and they want to resolve "www.foo.com" | [11:52] | |
*** | nakano_ is now known as nakano | [11:52] | |
wallshot | whois tells them it's ns.foo.com's call | [11:52] | |
jpalmer | the TLD nameservers will say "www.foo.com is run by ns.foo.com" but this is where you run into a problem.
if it's looking up the info for foo.com, and your info is HOSTED by the foo.com nameserver, there is nothing to look up, because the server it's trying to use, also houses the record for ns.foo.com | [11:53] | |
wallshot | yes, that's why i avoided going with ns1.mydomain
saw a chicken and egg issue | [11:54] | |
RandalSchwartz | but that's where *glue* comes in :) | [11:54] | |
wallshot | chose to let a turtle lay the chicken egg instead :) | [11:54] | |
jpalmer | the "glue record" is the IP you add to your registrar. it tells all the TLD nameserver "ns.foo.com is over there at 1.2.3.4" | [11:54] | |
RandalSchwartz | registrar provides not only the NS, but also the A/AAAA | [11:54] | |
wallshot | ooooooooh that's handy crap | [11:55] | |
jpalmer | so, to pass this stage, #1) understand the glue record. and #2, go to your registrar.. register a nameserver under your domain, and point it's A and AAAA record (at the registrar) to your nameserver (where you are running BIND or whatnot) | [11:56] | |
wallshot | apparently i cheated and got past it using he.net's nameservers :) | [11:56] | |
jpalmer | doh! | [11:56] | |
wallshot | i r teh sage of uberness
but i must go look @ th is glue cuz i don't want my arpnetworks vps to rely on he.net dns | [11:56] | |
jpalmer | well, ok. but, even though you passed it.. take a few minutes to learn and understand glue ;) | [11:56] | |
wallshot | exactly!
yeah this "certification" isn't un-cheatable by a longshot tho it's almost as easy to do it right as to cheat, plus those who bother to do it are nerdy enough to care to do it right if they can figure it out prolly :) | [11:56] | |
jpalmer | it's fun.. and it does help some people learn about a few things. which ultimately, is HE's goal. they want people to learn about IPv6.
but the term "certification" is used rather loosely there, IMO :P so, you got your delegation all straightened out? | [11:57] | |
wallshot | aah host summary i'm guessing
set host and ip address well this morning i logged in, and i could resolve one of my ipv6's from my office an hour later, i couldn't | [11:58] | |
jpalmer | not knowing who your registrar is.. I would say that *sounds* like it's the right ballpark, yes. | [11:58] | |
wallshot | but the guy had just made the change this morning from ip to hostname | [11:59] | |
jpalmer | whats your IPv6 addy again, I'll check | [11:59] | |
wallshot | so maybe crap's bouncing around funny
2607:f2f8:a460::2 dig with +trace was working today while normal resolution was giving "no servers could be reached" but i haven't added my glue yet :) i really have no idea if slow propagation, or arp's most recent changes or something else is mucking with me. but that's my fault for changing my mind and requesting ip's then hostnames and crap actually, the dig with +trace seems to be timing out now, at what should probably be my own NS | [11:59] | |
jpalmer | I made the same mistake. don't fret it. | [12:01] | |
wallshot | arp has now delegated it to ns1.6-for.me
which is resolving for me to ::5 and which i can get nslookup resolutions out of so i'm not sure why dig seems to timeout | [12:02] | |
tooth | only on +trace? | [12:08] | |
wallshot | on everything
as simple as this does too: host 2607:f2f8:a460::2 but the +trace makes it look like it's fine right up until it should be at my ns | [12:12] | |
tooth | if by chance, you're using djbdns, it doesn't respond well to +trace (took a while of searching to find that one) | [12:13] | |
wallshot | using bind that comes with 8.1 | [12:13] | |
tooth | apparently mr djb thinks it's some security thing or you shouldn't be doing that, so it's ignored | [12:13] | |
wallshot | nice | [12:14] | |
tooth | or some such | [12:14] | |
wallshot | yeh it seems to get right up to where it's supposed to ask my own nameserver for info and just times out
http://pastebin.ca/1949820 but then something like this works fine: host 2607:f2f8:a460::2 ns1.6-for.me bloody weird gonna run across street and grab some food bbiab | [12:14] | |
jpalmer | wallshot: the +trace was working yesterday, but you didn't have delegation. I think there is a misconfiguration somewhere.
(and if the above is true about djbdns blocking +trace, he's more paranoid than I remember from my qmail days.) | [12:23] | |
tooth | https://forum.bytemark.co.uk/comments.php?DiscussionID=1247
THERE it is. (that was for my own edification as much as anyone else in here, as it's topical for the moment) | [12:29] | |
jpalmer | *nod*
interesting. so you can't use your own NS for troubleshooting. you have to use an outside NS. heh I ran sendmail for years. then one day I tried qmail. and I was like "damn, this is great" and ran qmail for a few years. then I moved on, and realize how.. not-great it really was. I'm going to venture a guess and say.. djbdns is probably along the same lines. | [12:31] | |
tooth | it's slightly easier
since it's less involved. you just kinda set up dns and leave it alone (generally) and it's tiny. | [12:36] | |
jpalmer | easier, at what cost though. thats my point. qmail was easier.. at (what I see now as) a fairly significant cost. | [12:36] | |
RandalSchwartz | I can't imagine anything being much easier than postfix now
especially if you have anything complex | [12:38] | |
wallshot | <3 postfix
it's what i setup for my ipv6 tests | [12:38] | |
tooth | yeah. also <3 postfix
the advantages of qmail/djbdns aren't really valid as much anymore. They excel at tiny footprints and crazy paranoia implementations | [12:38] | |
RandalSchwartz | RandalSchwartz wanders off for lunch | [12:39] | |
jpalmer | of course, to be fair.. back then.. a lot of the "at what cost" with qmail was in its restrictive license. every time I wanted to add some basic functionality, I had to patch and recompile. now with him having loosened it, a lot of things may be different. I'm happy enough with postfix, that I don't intend to find out ;) | [12:39] | |
tooth | i mean, djbdns was not affected by that dns thing the other year | [12:40] | |
mike-burns | DJB's software has the other cost where you have to install his rewrite of unix in order to use his stuff. | [12:43] | |
wallshot | wow it's changed? | [12:43] | |
tooth | yeah. that too. :-[ | [12:43] | |
wallshot | i went to postfix years ago from qmail for my toaster needs -because- of all the bullshit patching required | [12:43] | |
wallshot | can't easily portupgrade crap when you have to manually patch crap left and right | [12:43] | |
tooth | also, something a little more contemporary than 1998? | [12:43] | |
wallshot | postfix always compiled in the support i needed with the port build | [12:44] | |
tooth | or whenver the last release of qmail is | [12:44] | |
wallshot | no hax necessary | [12:44] | |
jpalmer | yeah, without getting into the whole "$foo > djbware" thing.. I got burnt out on catering to djbware several years ago. no desire to revisit that period. | [12:44] | |
wallshot | i felt it was too much like teh linuxy hack-it method for upgrades
didn't wanna manually waste time on crap doing version bumps | [12:46] | |
toddf | are there TLD's today that permit IPv6 glue for ns records beyond .com and .net ? | [12:46] | |
jpalmer | toddf: according to he.net's widget, 242 of 294 TLD's allow IPv6 glue | [12:47] | |
toddf | jpalmer: oh wow, nice | [12:48] | |
jpalmer | mind you, thats the only place I looked and didn't verify. but, I'd tend to believe HE when it comes to IPv6 matters ;) | [12:48] | |
toddf | I've not interrogated godaddy.com lately
I was all setup to do .com .net and .org ns's for my company for redundancy and turns out I had to redo my zone files when I found out .org didn't work at the time | [12:49] | |
.... (idle for 17mn) | |||
jpalmer | redundancy meaning, at the TLD level?
s/TLD/TLD NS/ | [13:07] | |
*** | Ehtyar has joined #arpnetworks | [13:20] | |
shansa | people use zfs here? | [13:25] | |
nesta | only noobs like RandalSchwartz
jokin :P | [13:27] | |
shansa | I'd like to try it for the sake of it, but not sure whether it's worth it.
and it seems like it's fairly ram consuming and ufs works .. but i'm bored, so... :-p | [13:28] | |
nesta | I say
do not learn something else :) | [13:29] | |
wallshot | i love this ipv6 test
"in linux, what kernel module must be loaded in order to use ipv6 networking" and i thought "in 2010, they need to load a module to enable ipv6? wow." cuz i could swear it's been available forever and probably ought to be in most generics | [13:36] | |
tooth | well, itsthereby default i think | [13:38] | |
wallshot | oh. so then it's sorta a lame question | [13:38] | |
tooth | it's there by*
i think. | [13:38] | |
wallshot | yeah i would imagine it should be compiled in by default on most distros now | [13:38] | |
shansa | wallshot: it is. often as a module, sometimes not. Makes no difference. Linux loads modules automatically anyway. | [13:39] | |
jpalmer | well, it's not really a lame question, in the sense that if you want to disable ipv6, you'd also *unload* that module. | [13:40] | |
wallshot | there's nothing in the test about "what is included in GENERIC in freebsd but which you may want to disable to kill ipv6?"
it seems a rather obscure question and not nearly as relevant as "what is NOT in generic that you must load to use ipv6" tho i suppose it is still knowledge, that, in the right situation, could prove useful oooh misinformation from wikipedia no surprise | [13:40] | |
tooth | correct it and cite? ;-) | [13:46] | |
wallshot | that would be responsible! | [13:47] | |
tooth | oh, you're right.
forgive me | [13:47] | |
wallshot | have i mentioned how much i'm enjoying arpnetworks
i like the fbsd support, i like the prices, and i love the ipv6 | [13:47] | |
mhoran | Loves it. | [13:49] | |
tooth | also the same reasons i signed up | [13:50] | |
jpalmer | I personally like the FreeBSD side. but, I'm currently running CentOS in it, evaluating for a client. | [13:51] | |
toddf | you can always use OpenBSD where you don't have to ask such silly questions as 'what to kill/load/disable/etc' and it just works. ;-) | [13:54] | |
shansa | arp is sweet indeed | [13:55] | |
nesta | OpenBSD is horrific
j/k :P | [13:56] | |
RandalSchwartz | openbsd got me through some tough years. :)
and theo's paranoia helped me sleep at night | [13:56] | |
nesta | your sleep seems dependent on servers
hehe :S | [13:57] | |
RandalSchwartz | on servers not being cracked while I was asleep, yes. | [13:58] | |
*** | shansa has quit IRC (Quit: leaving) | [13:59] | |
...... (idle for 26mn) | |||
nesta | cracked! | [14:25] | |
.................... (idle for 1h35mn) | |||
*** | schmir has joined #arpnetworks | [16:00] | |
wallshot | dang trick questions
the answer isn't yes or no! it's "almost never" | [16:03] | |
*** | mike-burns has quit IRC (*.net *.split)
toddf has quit IRC (*.net *.split)
schmir has quit IRC (Remote host closed the connection)
mike-burns has joined #arpnetworks
toddf has joined #arpnetworks
hubbard.freenode.net sets mode: +oo mike-burns toddf | [16:20] | |
schmir has joined #arpnetworks | [16:31] | ||
........ (idle for 38mn) | |||
wallshot | if you setup glue, is it wise to have redundant AAAA record for the ns in your domain's zone file, or just risking conflict? | [17:09] | |
*** | sbp_ has joined #arpnetworks
sbp_ has quit IRC (Client Quit)
schmir has quit IRC (Remote host closed the connection) | [17:11] | |
jpalmer | what do you mean by redundant AAAA record? | [17:14] | |
wallshot | let's see... 5 daily tests * 1point each ... about 119 days to get the 595 points i'd need to hit 1500
i mean if the TLD has a AAAA record for my ns host | [17:15] | |
jpalmer | WRONG!
wallshot: you should still have the IN NS listed in your zonefile. | [17:15] | |
wallshot | right, as a IN NS
but not a IN AAAA ? | [17:15] | |
jpalmer | well, the IN NS is going to be a named server ns1.foo.com | [17:16] | |
wallshot | ns IN AAAA my-ns-ipv6-addr ... is redundant with the glue right?
so shouldn't be necessary | [17:16] | |
jpalmer | then, you'd create an A and AAAA record for the ns1
example: @ IN NS ns1.foo.com. ns1 A 1.2.3.4 ns1 AAAA 2001::foo.blah | [17:16] | |
wallshot | so even though the glue was setup for TLD to point ns1.foo.com to 1.2.3.4, i should add A records in foo.com zonefile for it anyway | [17:17] | |
jpalmer | you always want everything referenced completely in your zonefile. | [17:17] | |
wallshot | this is probably good because it's what i'd done. was afraid i'd make some conflict
o excellent | [17:17] | |
jpalmer | btw: did you setup glue yet? did you test it with dig? | [17:18] | |
wallshot | i added a host
i think it's glued but it said could take up to 48 hours for host changes | [17:19] | |
jpalmer | what is your domain name? | [17:19] | |
wallshot | and am not sure how to dig for the glue
6-for.me it's not pointing at my glue yet it's still using he.net nameservers, since the glue hadn't set yet... but the nameserver resolves so perhaps i should just switch it now oooh i totally jacked up the NS entries didn't change my zone to match when i put he.net nameservers in there i really am setting this domain up the slow way | [17:19] | |
jpalmer | I don't see glue records
dig NS 6-for.me @ns.nic.me brb. 15 mins | [17:21] | |
wallshot | i suspect because i didn't stick my domain to the glue? | [17:22] | |
jdoe | er
you want glue records in your zone file but glue records for the domain need to be set by your registrar. | [17:22] | |
wallshot | i created NS Host ns1.6-for.me -> 2607:f2f8:a460::5. but hadn't actually pointed my NS to ns1.6-for.me yet | [17:23] | |
jdoe | er
sorry, glue records at the tld's nameservers need to be set by your registrar. | [17:23] | |
wallshot | yeah, then make them match with AAAA records in my zonefile
and point my NS records at them :) wallshot gets to updating i think i see how i typo broke my ipv4 A records which mighta jacked up digs over ipv4 for ipv6 resolution pointing ns1.foo.com at an ipv4 that named isn't listening to == good way to break stuff guess i can bind to that ip until fix propagates totally explains why it seemed to work when i got in this morning and how i had somehow broken it in minutes fail on transcribe records from godaddy's dns to he.net's dns | [17:23] | |
*** | shansa has joined #arpnetworks | [17:35] | |
wallshot | win, win, win, discovering ugly typo fixes everything! | [17:36] | |
jdoe | go team :P | [17:38] | |
jpalmer | back | [17:51] | |
wallshot | wb! as u can see from scrolling up, i found a typo that was killing my reverse resolution
specifically, if named is bound on .114 and .116, don't type .115 into the A record for ns1.foo.com in the zone file i already had it as .116 on godaddy so i musta brainfarted or fingerfarted typing out the addresses on he.net | [17:51] | |
jpalmer | yeh, I mentioned earlier that I thought something else was wrong. good catch
so, I've been trying to get my HE.net tunnel to work correctly on dd-wrt. I get the tunnel up. radvd seems to advertise the space (clients get IPv6 IP's) but I can't ping6 anything beyond the client address of my router. | [17:52] | |
wallshot | possible that protocol41 isn't fully implemented across the router?
i failed miserably to get he.net tunnel working over my home router i tried it on my arpnetworks vps, and it worked right away with the example configuration commands he.net provides for "Freebsd >= 4.4" so i figured either my router's natting, or firewalling, or something, is jacking up he.net's tunneling. though whether it's a protocol41 incompatibility or something else i have no clue | [17:56] | |
jpalmer | well, I'd buy that *if* so many other people weren't having success, OR.. if the tunnel couldn't be brought up directly on my laptop ;) | [17:57] | |
wallshot | so i'm still using freenet6 for my laptop's ipv6 from the home network
i'd suspect i overlooked something (since i found no reported problems with using it over nat, except for old routers that don't do protocol41) cept that it worked right off the bat on my non-nat vps tho now i do suspect my router oooh reverse is working gloriously! | [17:57] | |
jpalmer | nice, grats. | [18:00] | |
RandalSchwartz | I don't think he.net tunnels use 41
I think it's straight ipv4 it'd have to be, because I can bring up my he.net laptop tunnel pretty much anywhere that I can see the net | [18:00] | |
wallshot | orly. everything i could find suggested protocol41 would be major cause of failure, but that mighta been random comments about tunneling in general | [18:01] | |
RandalSchwartz | 41 is where you're using a "nearby" 6-to-4 gateway
and the routers have to cooperate he.net is strictly "6 in 4" so all your packets go inside a normal ipv4 tunnel nobody between here and there is the wiser usable just about everywhere but less flexible, because the endpoint is fixed | [18:01] | |
wallshot | oooh i musta read some misinformation about tunnels failing due to protocol41 not being passed by routers | [18:02] | |
jpalmer | ok, now I goofed up something :P I can't even ping6 the router. heh | [18:02] | |
RandalSchwartz | as in, all my traffic goes to LA regardless of where it will eventually end up | [18:02] | |
wallshot | doh! | [18:03] | |
RandalSchwartz | whereas with proto41, it floods outward until it finds a willing 6-to-4 gateway | [18:03] | |
wallshot | oh god
that sounds ... messy | [18:03] | |
RandalSchwartz | no - it's just a normal set of routes
.. http://en.wikipedia.org/wiki/6in4 oops - not that... http://en.wikipedia.org/wiki/6to4 | [18:03] | |
wallshot | yeah so close but not quite | [18:04] | |
RandalSchwartz | the trick is that the gateways anycast 192.88.99.1
and the routers pick up whomever's closest so your nearest router knows the route to the closest 192.88.99.1 ipv4 and then it turns into v6 for the rest of the way I've been using miredo instead of that provided I'm not deeply NATed, miredo works fine for casual v6 connectivity although it's a different v6 each time often, my miredo traffic ends up on a nearby he.net gateway. :) kinda cute OSX snow leopard comes with miredo already installed too just need to enable the launchd item | [18:04] | |
wallshot | dig NS 6-for.me @ns.nic.me <--- is that glue I see, the AAAA records? | [18:11] | |
RandalSchwartz | Yeah... "additional section"
almost always means "glue" | [18:12] | |
wallshot | that's excellent | [18:12] | |
jpalmer | yes. BUT.. one problem. | [18:12] | |
RandalSchwartz | so presuming ns.nic.me is v6 reachable, you should be good | [18:12] | |
jpalmer | you *only* have AAAA glue. you probably want to also have A glue. | [18:12] | |
RandalSchwartz | oh yeah - you need A glue | [18:12] | |
wallshot | oooh. that -is- a good idea!
should not neglect ipv4 | [18:12] | |
jpalmer | well, if you want to be reachable via ipv6 only, you're fine now :P | [18:13] | |
RandalSchwartz | one more round of support requests. :) | [18:13] | |
jpalmer | RandalSchwartz: ns.nic.me is a TLD for .me | [18:13] | |
RandalSchwartz | sure - but it might not support v6
some of the TLDs don't although most of them are coming around ns.nic.me has no AAAA record as I'm saying :) | [18:14] | |
jpalmer | oh, I see what you're saying. I thought you figured ns.nic.me was one of his NS's. chances are good though, if that wasn't ipv6, one of the other ones would be. | [18:14] | |
yekoms | do you all know of the new local root exploit? | [18:17] | |
wallshot | c0.cctld.afilias-nst.info. has ipv6
and is on the IN NS for .me list | [18:17] | |
RandalSchwartz | is there a quick query like "dig ns me" that additionally dumps their A or AAAA? | [18:18] | |
wallshot | and b0.cctld.afilias-nst.org. and b2.me.afilias-nst.org. and ... | [18:18] | |
RandalSchwartz | oh - yeah, of course afilias is on the ball
one of the biggest users of postgresql in the world :) I was setting up to do some consulting there for a bit postgresql and perl | [18:18] | |
wallshot | dig NS me. <-- worked for me | [18:19] | |
RandalSchwartz | root exploit for which OS | [18:19] | |
wallshot | shows 3 AAAA's and 5 A's | [18:19] | |
RandalSchwartz | wallshot - that didn't show me the A or AAAA records
probably because you have them cached already or something | [18:19] | |
wallshot | http://pastebin.ca/1950053
doubt i had all of them cached some, probably | [18:19] | |
RandalSchwartz | well - when I do that, I get 0 additional | [18:20] | |
yekoms | freebsd | [18:20] | |
RandalSchwartz | just the 8 NS records | [18:20] | |
yekoms | it works well on any 7.* and 8.* | [18:20] | |
wallshot | maybe my nameserver is being friendlier | [18:20] | |
yekoms | should h4x any freebsd 8.* and 7.* prior to 12Jul2010 | [18:20] | |
RandalSchwartz | bzip2/bunzip2 ... /me sighs | [18:20] | |
yekoms | it works on a few of my servers.. | [18:21] | |
wallshot | i assume you mean the mbuf advisory | [18:21] | |
yekoms | cept not my vps from here.. | [18:21] | |
wallshot | http://security.freebsd.org/advisories/FreeBSD-SA-10:07.mbuf.asc | [18:21] | |
yekoms | i guess. | [18:21] | |
RandalSchwartz | darn it - I gotta get around to upgrading my 3 older boxes to 8.1 too | [18:21] | |
wallshot | went out july 13 | [18:21] | |
jpalmer | when you said "new exploit" I thought you meant something newer than 6 weeks ago :P | [18:22] | |
RandalSchwartz | no - the bunzip was just a few days ago
... http://security.FreeBSD.org/advisories/FreeBSD-SA-10:08.bzip2.asc | [18:22] | |
wallshot | randalschwartz: if i dig NS me. @4.2.2.2, then i don't get extra
try it @208.79.88.7 | [18:22] | |
RandalSchwartz | Ahh, I'm using comcast's nameservers. no wonder | [18:23] | |
wallshot | (that latter one is arpnet's that my vps defaults to use) | [18:23] | |
yekoms | well i just found it.. | [18:23] | |
RandalSchwartz | uh - 208.79.88.7 won't talk to me | [18:24] | |
jpalmer | damn, I dunno what I goofed up, but I still can't ping6 my router. | [18:24] | |
RandalSchwartz | no recursion
so I bet it's still cached somewhere for you | [18:24] | |
wallshot | maybe it only talks to me from my vps
was running the dig on there | [18:24] | |
RandalSchwartz | ahh!
@74.82.42.42 | [18:25] | |
wallshot | 4.2.2.2 was what i used for +trace info to actually show up (my home router 192.168.1.1 wouldn't even do that much) but if 4.2.2.2 isn't dishing out the AAAA/A records, i'm not sure what other nameservers would have that option enabled | [18:25] | |
RandalSchwartz | that's he.net's open recursive server | [18:25] | |
wallshot | excellent! | [18:25] | |
RandalSchwartz | and it shows ipv6 for www.google.com
normally you don't get that or at least, it did at one point. :) | [18:25] | |
wallshot | yeah i don't seem to be getting that
ipv6.google.com is the only way i know of to force google over ipv6 | [18:26] | |
RandalSchwartz | so ns.nic.me and ns2.nic.me are v4 only | [18:26] | |
wallshot | yeah they're lagging back in the 90's | [18:26] | |
shansa | google enables ipv6 for a few networks it deems reliable enough | [18:26] | |
RandalSchwartz | ahh - if you ask for aaaa explicitly, it works
... www.l.google.com. 168 IN AAAA 2001:4860:8010::67 ugh tabs :) | [18:27] | |
wallshot | my dns don't wanna give it to me even if i dig -t aaaa | [18:29] | |
jpalmer | oh, figured out the issue. I logged into the vps.. and can't ping the client side of my tunnel there either. appears the tunnel went down. | [18:29] | |
wallshot | good reason for it to not be available
wallshot validates address and selects tshirt size | [18:31] | |
*** | shansa has quit IRC (Quit: leaving) | [18:33] | |
jpalmer | wallshot: whats your score? 1000? | [18:33] | |
wallshot | not even
i hit sage with a score of like 500 then i found all the extra tests so i took them then i did 1 each of the daily tasks and am at 905 now | [18:33] | |
jpalmer | hmm. you're missing something then | [18:34] | |
wallshot | and i feel something's missing
cuz 5 daily tasks * 99 is 495 or so more points from those that's 1400 points. 100 is missing :/ | [18:34] | |
RandalSchwartz | I stopped at 1024 | [18:35] | |
wallshot | haha nice | [18:35] | |
RandalSchwartz | just because the rest is just busy works | [18:35] | |
wallshot | yeah the 1 a day thing | [18:36] | |
RandalSchwartz | I could script it, but who cares | [18:36] | |
wallshot | u do it for 2 days and u got the hang of it | [18:36] | |
RandalSchwartz | I did it for 5
then realized it's just a pain to keep finding new v6 domains that also have to be on different subnets | [18:36] | |
wallshot | wallshot compares 1500 score to his to see what's missing
i'm missing nothing from this 1500 score
is it possible he.net math is jacked?
wallshot adds up this 1500's points | [18:36] | |
jpalmer | your score is 1005 right now. | [18:37] | |
wallshot | my page not refreshed?
that explains the missing 100 points! | [18:37] | |
jpalmer | RandalSchwartz: http://sixy.ch | [18:38] | |
wallshot | i'm all about missing what's right in front of my face today | [18:38] | |
RandalSchwartz | oh wonderful. updating ports today upgrades emac :)
emacs | [18:38] | |
wallshot | see i just don't install emacs, so i never have to update it | [18:38] | |
RandalSchwartz | that'll be a while :)
hey - go see my interview about emacs org-mode | [18:39] | |
wallshot | sometimes i feel i'm missing out, but mostly, i'm happy with it | [18:39] | |
RandalSchwartz | people are switching to emacs *just* for org-mode | [18:39] | |
wallshot | all editors need orgy mode | [18:39] | |
RandalSchwartz | twit.tv/floss136 | [18:39] | |
wallshot | interesting | [18:39] | |
RandalSchwartz | or here's carsten at a google tech talk - http://www.youtube.com/watch?v=oJTwQvgfgMM | [18:40] | |
jpalmer | RandalSchwartz: I scripted it, I'll let crontab take me to 1500 :P
more correctly.. someone else scripted it. I just copied, pasted, and crontabbed. | [18:41] | |
wallshot | is that guy wearing his sunglasses indoors? | [18:41] | |
jpalmer | only two people wear sunglasses indoors. blind people and assholes. | [18:41] | |
wallshot | maybe they're corrective lenses that are just dark
haha oh wow i'm insensitive as i see a kid lead him back to his seat and realize he may actually be blind
google == lies! "The only truly portable format, read and edit anywhere" | [18:42] | |
jpalmer | wallshot: one of the guys I work with was speaking at cluecon a year or two ago.. (that's actually his quote) he was drinking one night after his talk.. there was a guy in the bar with sunglasses on.. | [18:43] | |
wallshot | rtf is damn close!
tho console won't show rtf nicely, i confess it's a pretty accurate quote | [18:43] | |
jpalmer | he walked up to the guy, took his arm, and said "I'll help you to your chair" the guy goes "get off me!" kris said "the only people that wear glasses indoors are blind people and assholes. I guess we know which one we're dealing with here" | [18:44] | |
wallshot | hahahaha | [18:44] | |
jpalmer | holy crap, can't type on this MBP keyboard. | [18:44] | |
wallshot | that's great
i'm heading out for the night thanks for all the tips! | [18:44] | |
jpalmer | night man | [18:46] | |
wallshot | and good luck with routing that he.net tunnel, jpalmer!
guessing less hassle once tunnel isn't down :) | [18:46] | |
jpalmer | I'm not sure why it's actually down yet. but I'm beat. I may let it go until tomorrow. | [18:47] | |
wallshot | that always helps. then u find an ipv4 typo somewhere and facepalm like i did today
cya guys! | [18:50] | |
*** | wallshot has quit IRC (Quit: Leaving.) | [18:50] | |
.......... (idle for 46mn) | |||
*** | yekoms has quit IRC (Ping timeout: 245 seconds) | [19:36] | |
....... (idle for 34mn) | |||
*** | awyeah has joined #arpnetworks | [20:10] | |
awyeah | RandalSchwartz - heh. emacs. | [20:10] | |
........................ (idle for 1h55mn) | |||
*** | smokey_ has joined #arpnetworks | [22:05] | |
.... (idle for 19mn) | |||
*** | smokey_ has quit IRC (Quit: Leaving) | [22:24] | |