#arpnetworks 2010-09-27,Mon


Who / What / When
***shansa has quit IRC (Quit: leaving) [00:03]
RandalSchwartzshutdown -h now turns on "power off" processing
works better in virtualbox, anyway
[00:11]
***nakano is now known as nakano_ [00:19]
........ (idle for 35mn)
smokey_ has joined #arpnetworks
smokey_ is now known as yekoms
[00:54]
..... (idle for 20mn)
schmir has joined #arpnetworks
LT has joined #arpnetworks
[01:14]
nakano_ is now known as nakano [01:26]
........................ (idle for 1h57mn)
schmir has quit IRC (Remote host closed the connection)
schmir has joined #arpnetworks
schmir has quit IRC (Remote host closed the connection)
[03:23]
schmir has joined #arpnetworks [03:38]
.......... (idle for 48mn)
ziyourenxiang has joined #arpnetworks [04:26]
............ (idle for 57mn)
Lefty has quit IRC (Remote host closed the connection)
ziyourenxiang has quit IRC (Quit: ziyourenxiang)
[05:23]
............. (idle for 1h4mn)
shansa has joined #arpnetworks [06:28]
........ (idle for 37mn)
shansa has quit IRC (Quit: leaving) [07:05]
........ (idle for 35mn)
Ehtyar has quit IRC (Remote host closed the connection) [07:40]
.... (idle for 17mn)
unenana has joined #arpnetworks
unenana has quit IRC (Client Quit)
[07:57]
.... (idle for 17mn)
schmir has quit IRC (Remote host closed the connection) [08:17]
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
[08:23]
......... (idle for 44mn)
schmir has joined #arpnetworks [09:07]
LT has quit IRC (Quit: Leaving) [09:16]
schmir has quit IRC (Remote host closed the connection) [09:26]
schmir has joined #arpnetworks [09:32]
schmir has quit IRC (Remote host closed the connection) [09:38]
schmir has joined #arpnetworks
schmir has quit IRC (Remote host closed the connection)
wallshot has joined #arpnetworks
[09:51]
wallshotseems after you hit "professional" level on the he.net ipv6 certs, godaddy dns no longer cuts it
they serve up AAAA records, but they aren't themselves on ipv6
[09:53]
***nakano is now known as nakano_ [09:58]
RandalSchwartztoo bad
not ipv6 ready
lots of them aren't
hover.com for example
[10:01]
***Lefty has joined #arpnetworks [10:02]
wallshotit's a shame, because it's SO easy to get on ipv6
and bind it to your ns
any company with half a budget shouldn't have a problem with it
[10:04]
RandalSchwartzthere's a lot of legacy code, and some people don't understand how close we are, or disagree with it [10:06]
toddfdisagree. muhahahahaha. thats tame. I've had people shout at me that IPv6 is doomed to failure because of its academic qualities and ignorance of the past. (academic qualities = too many options, initially no PI space for companies, etc; ignorance of past = early v4 adopters got grandfathered clauses of royalty free IPv4 PI space; so `ancient' internet gurus have to suddenly fork over $2500 per year for similar in IPv6 land w/no option of multih [10:09]
wallshotboo hoo [10:10]
toddfnote I'm not one of the early adopters (although had I been cluefull enough at the time I should have been *sigh*) and I ignore the academic fluff that makes life !fun; I get more IP's than I have systems with IPv6 and I can't fork over $1k/mo just to get `justifiable' IPv4 addresses that are not multihomed anyway, so IPv6 looks much better to me the way I run my home and office nets at this point in time ;-)
and $1k/mo would get me 1/4 the bandwidth I currently have .. yay
[10:11]
wallshotwell
the same people who horde diamonds and rubies would love to keep hoarding a decreasing supply of ipv4 in increasing demand environment
just keep raising the price
and making money off of not actually doing anything other than shouting "dibs!" first
like domain squatters
i don't see how "we want to control all the spice" is a valid justification for preventing the release of spicev6
[10:12]
toddfwith the internet though it encourages more nat layers. sucks even more. mobile phone operators justify IPv6 with battery life and customer happiness due to no NAT on the firewall so persistent long lived tcp connections vs re-transmitting packets to twiddle the states in an aggressively timing out nat firewall .. makes sense to me ;-) [10:14]
wallshotooh didn't know the telco argument in favor of ipv6, that's neato
yeah nat is sorta an ugly hack
tho i do consider NAT a major part of my windows security precautions ;)
[10:14]
toddfits not so much "we want to control" from their perspective as it is "if we are to make the transition and even play in the new stuff, how is $2.5k/yr for !equivalent anything but disincentive?"
let me explain a myth away
NAT does not provide any security
if you have a properly setup firewall
[10:15]
wallshotnot "any" security? [10:15]
toddfwhich does not permit any packets in only outbound connections you get the same security as NAT with publically numbered windows systems [10:15]
wallshotyou gonna be able to winnuke my 192.168 windows box from the internet?
yes you could do that too
[10:15]
toddfNAT does not in itself provide any security [10:16]
wallshotthough most home routers don't give you shit for control over the firewall [10:16]
toddfit is the firewall policy that does [10:16]
wallshotyou just said it yourself
NAT has the same effect as certain firewall policy
[10:16]
toddfcorrect [10:16]
wallshotobviously you could use firewall instead of nat [10:16]
toddfat least you acknowledge the two are equivalent [10:16]
wallshotbut my home router doesn't offer me choices about what "firewall enabled" actually means
yes
[10:16]
toddfI've had ``security experts'' literally kick me out of being service provider for $client because they said my plan to publically number windows systems is stupid and a bad security decision because nat is security blah blah [10:17]
wallshoti acknowledge it only buys the "no random connections from public internet onto my tcp/139 open windows machine
pffffff
nat's "security" is like a side effect of the hack to get more ip space
[10:17]
RandalSchwartzapparently, ios v4 is ipv6-ready
v3 isn't though
and AT&T isn't ready everywhere yet
[10:19]
toddfNAT's ``security'' is a side effect of the `optimize for the common scenario' when everyone is using it. there are so many NAT environments that the cookie cutter factories have found that firewalls w/out nat are so uncommon that they just optimize that option out of the equation and make boatloads due to their `simple' little devices ;-(
cisco ios has had IPv6 for a long time, some bigger routers don't do IPv6 in hardware like they do IPv4 hence some big players won't budget
budget
[10:19]
RandalSchwartzyou could get exactly what nat is doing for you with a stateful firewall [10:20]
toddftmobile has a publically announced IPv6 trial going
comcast has a publically announced IPv6 trial going
I wish cox did, but 1 out of 2 in the US isn't bad .. now I just need a N900 so I can talk IPv6 from OpenBSD over the tethered connection and I'd be right as rain
randalschwartz: see the top of the discussion, that's what I stated, in different words
[10:20]
wallshotyeah i've used ipf happily for that. haven't dived into pf yet tho :/ [10:22]
toddfwallshot: you'll be surprised how `simple' pf is ... [10:22]
RandalSchwartzyeah, I picked up pf in no time
just start simple.
[10:27]
***shansa has joined #arpnetworks [10:33]
wallshoti found ipf to be simple after ipfw
no more rule numbers to organize was handy
tho obviously there were pros/cons with that change
[10:33]
............... (idle for 1h10mn)
jpalmerwallshot: what is your username on he.net's cert thing? [11:44]
wallshotjprather
i bumped myself up a bit today :)
am on to the add-glue step
course i have no friggin clue wtf glue is so i'm googling a bunch :)
[11:46]
jpalmerI saw, thought that was you.
in your registrar.. it's where you setup a new nameserver for like ns1.yourdomain.com the "glue" is the IP you associate with it. they're looking for an IPv6 record.
[11:47]
wallshotoh
i already ... wait no i used hostnames
i had to use he.net's dns since godaddy's had no ipv6 of its own
[11:49]
jpalmerif you used someone elses DNS servers, you didn't need glue records. [11:50]
wallshotns2.he.net through ns5.he.net seem to all be dual stacked [11:50]
jpalmeryes, but there won't be any glue records for ns?.he.net for your domain. those glue records will only exist for the he.net domain
I guess we should start with a glue record actually does. ;)
[11:51]
wallshothah i'm sure there's a page that can save you some breath :) [11:51]
jpalmerlets say I own foo.com, and I want to run my own nameserver.. ns.foo.com
I go tell my registrar "use ns.foo.com"
[11:51]
wallshotright [11:52]
jpalmernow, someone else comes along.. and they want to resolve "www.foo.com" [11:52]
***nakano_ is now known as nakano [11:52]
wallshotwhois tells them it's ns.foo.com's call [11:52]
jpalmerthe TLD nameservers will say "www.foo.com is run by ns.foo.com" but this is where you run into a problem.
if it's looking up the info for foo.com, and your info is HOSTED by the foo.com nameserver, there is nothing to look up, because the server it's trying to use, also houses the record for ns.foo.com
[11:53]
wallshotyes, that's why i avoided going with ns1.mydomain
saw a chicken and egg issue
[11:54]
RandalSchwartzbut that's where *glue* comes in :) [11:54]
wallshotchose to let a turtle lay the chicken egg instead :) [11:54]
jpalmerthe "glue record" is the IP you add to your registrar. it tells all the TLD nameserver "ns.foo.com is over there at 1.2.3.4" [11:54]
RandalSchwartzregistrar provides not only the NS, but also the A/AAAA [11:54]
wallshotooooooooh that's handy crap [11:55]
jpalmerso, to pass this stage, #1) understand the glue record. and #2, go to your registrar.. register a nameserver under your domain, and point it's A and AAAA record (at the registrar) to your nameserver (where you are running BIND or whatnot) [11:56]
wallshotapparently i cheated and got past it using he.net's nameservers :) [11:56]
jpalmerdoh! [11:56]
wallshoti r teh sage of uberness
but
i must go look @ this glue
cuz i don't want my arpnetworks vps to rely on he.net dns
[11:56]
jpalmerwell, ok. but, even though you passed it.. take a few minutes to learn and understand glue ;) [11:56]
wallshotexactly!
yeah this "certification"
isn't un-cheatable by a longshot
tho it's almost as easy to do it right as to cheat, plus those who bother to do it are nerdy enough to care to do it right if they can figure it out prolly :)
[11:56]
jpalmerit's fun.. and it does help some people learn about a few things. which ultimately, is HE's goal. they want people to learn about IPv6.
but the term "certification" is used rather loosely there, IMO :P
so, you got your delegation all straightened out?
[11:57]
wallshotaah host summary i'm guessing
set host and ip address
well
this morning i logged in, and i could resolve one of my ipv6's from my office
an hour later, i couldn't
[11:58]
jpalmernot knowing who your registrar is.. I would say that *sounds* like it's the right ballpark, yes. [11:58]
wallshotbut the guy had just made the change this morning from ip to hostname [11:59]
jpalmerwhats your IPv6 addy again, I'll check [11:59]
wallshotso maybe crap's bouncing around funny
2607:f2f8:a460::2
dig with +trace was working today while normal resolution was giving "no servers could be reached"
but i haven't added my glue yet :)
i really have no idea if slow propagation, or arp's most recent changes or something else is mucking with me. but that's my fault for changing my mind and requesting ip's then hostnames and crap
actually, the dig with +trace seems to be timing out now, at what should probably be my own NS
[11:59]
jpalmerI made the same mistake. don't fret it. [12:01]
wallshotarp has now delegated it to ns1.6-for.me
which is resolving for me to ::5
and which i can get nslookup resolutions out of
so i'm not sure why dig seems to timeout
[12:02]
toothonly on +trace? [12:08]
wallshoton everything
as simple as this does too: host 2607:f2f8:a460::2
but the +trace makes it look like it's fine right up until it should be at my ns
[12:12]
toothif by chance, you're using djbdns, it doesn't respond well to +trace (took a while of searching to find that one) [12:13]
wallshotusing bind that comes with 8.1 [12:13]
toothapparently mr djb thinks it's some security thing or you shouldnt be doing that, so it's ignored
[12:13]
wallshotnice [12:14]
toothor some such [12:14]
wallshotyeh it seems to get right up to where it's supposed to ask my own nameserver for info and just times out
http://pastebin.ca/1949820
but then something like this works fine: host 2607:f2f8:a460::2 ns1.6-for.me
bloody weird
gonna run across street and grab some food
bbiab
[12:14]
jpalmerwallshot: the +trace was working yesterday, but you didn't have delegation. I think there is a misconfiguration somewhere.
(and if the above is true about djbdns blocking +trace, he's more paranoid than I remember from my qmail days.
[12:23]
toothhttps://forum.bytemark.co.uk/comments.php?DiscussionID=1247
THERE it is.
(that was for my own edification as much as anyone else in here, as it's topical for the moment)
[12:29]
jpalmer*nod*
interesting. so you can't use your own NS for troubleshooting. you have to use an outside NS. heh
I ran sendmail for years. then one day I tried qmail. and I was like "damn, this is great" and ran qmail for a few years. then I moved on, and realize how.. not-great it really was. I'm going to venture a guess and say.. djbdns is probably along the same lines.
[12:31]
toothit's slightly easier
since it's less involved.
you just kinda set up dns and leave it alone (generally)
and it's tiny.
[12:36]
jpalmereasier, at what cost though. thats my point. qmail was easier.. at (what I see now as) a fairly significant cost. [12:36]
RandalSchwartzI can't imagine anything being much easier than postfix now
especially if you have anything complex
[12:38]
wallshot<3 postfix
it's what i setup for my ipv6 tests
[12:38]
toothyeah. also <3 postfix
the advantages of qmail/djbdns aren't really valid as much anymore. They excel at tiny footprints and crazy paranoia implementations
[12:38]
RandalSchwartzRandalSchwartz wanders off for lunch [12:39]
jpalmerof course, to be fair.. back then.. a lot of the "at what cost" with qmail was in its restrictive license. everytime I wanted to add some basic functionality, I had to patch and recompile. now with him having loosened it, a lot of things may be different. I'm happy enough with postfix, that I don't intend to find out ;) [12:39]
toothi mean, djbdns was not affected by that dns thing the other year [12:40]
mike-burnsDJB's software has the other cost where you have to install his rewrite of unix in order to use his stuff. [12:43]
wallshotwow it's changed? [12:43]
toothyeah. that too. :- [12:43]
wallshoti went to postfix years ago from qmail for my toaster needs -because- of all the bullshit patching required [12:43]
wallshotcan't easily portupgrade crap when you have to manually patch crap left and right [12:43]
toothalso, something a little more contemporary than 1998? [12:43]
wallshotpostfix always compiled in the support i needed with the port build [12:44]
toothor whenver the last release of qmail is [12:44]
wallshotno hax necessary [12:44]
jpalmeryeah, without getting into the whole "$foo > djbware" thing.. I got burnt out on catering to djbware several years ago. no desire to revisit that period. [12:44]
wallshoti felt it was too much like teh linuxy hack-it method for upgrades
didn't wanna manually waste time on crap doing version bumps
[12:46]
toddfare there TLD's today that permit IPv6 glue for ns records beyond .com and .net ? [12:46]
jpalmertoddf: according to he.net's widget, 242 of 294 TLD's allow IPv6 glue [12:47]
toddfjpalmer: oh wow, nice [12:48]
jpalmermind you, thats the only place I looked and didn't verify. but, I'd tend to believe HE when it comes to IPv6 matters ;) [12:48]
toddfI've not interrogated godaddy.com lately
I was all setup to do .com .net and .org ns's for my company for redundancy and turns out I had to redo my zone files when I found out .org didn't work at the time
[12:49]
.... (idle for 17mn)
jpalmerredundancy meaning, at the TLD level?
s/TLD/TLD NS/
[13:07]
***Ehtyar has joined #arpnetworks [13:20]
shansapeople use zfs here? [13:25]
nestaonly noobs like RandalSchwartz
jokin :P
[13:27]
shansaI'd like to try it for the sake of it, but not sure whether it's worth it.
and it seems like it's fairly ram consuming
and ufs works
.. but i'm bored, so... :-p
[13:28]
nestaI say
do not
learn something else :)
[13:29]
wallshoti love this ipv6 test
"in linux, what kernel module must be loaded in order to use ipv6 networking"
and i thought "in 2010, they need to load a module to enable ipv6? wow."
cuz i could swear it's been available forever and probably ought to be in most generics
[13:36]
toothwell, itsthereby default i think [13:38]
wallshotoh. so then it's sorta a lame question [13:38]
toothit's there by*
i think.
[13:38]
wallshotyeah i would imagine it should be compiled in by default on most distros now [13:38]
shansawallshot: it is. often as a module, sometimes not. Makes no difference. Linux loads modules automatically anyway. [13:39]
jpalmerwell, it's not really a lame question, in the sense that if you want to disable ipv6, you'd also *unload* that module. [13:40]
wallshotthere's nothing in the test about "what is included in GENERIC in freebsd but which you may want to disable to kill ipv6?"
it seems a rather obscure question and not nearly as relevant as "what is NOT in generic that you must load to use ipv6"
tho i suppose it is still knowledge, that, in the right situation, could prove useful
oooh misinformation from wikipedia
no surprise
[13:40]
toothcorrect it and cite? ;-) [13:46]
wallshotthat would be responsible! [13:47]
toothoh, you're right.
forgive me
[13:47]
wallshothave i mentioned how much i'm enjoying arpnetworks
i like the fbsd support, i like the prices, and i love the ipv6
[13:47]
mhoranLoves it. [13:49]
toothalso the same reasons i signed up [13:50]
jpalmerI personally like the FreeBSD side. but, I'm currently running CentOS in it, evaluating for a client. [13:51]
toddfyou can always use OpenBSD where you don't have to ask such silly questions as 'what to kill/load/disable/etc' and it just works. ;-) [13:54]
shansaarp is sweet indeed [13:55]
nestaOpenBSD is horrific
j/k
:P
[13:56]
RandalSchwartzopenbsd got me through some tough years. :)
and theo's paranoia helped me sleep at night
[13:56]
nestayour sleep seems dependent on servers
hehe
:S
[13:57]
RandalSchwartzon servers not being cracked while I was asleep, yes. [13:58]
***shansa has quit IRC (Quit: leaving) [13:59]
...... (idle for 26mn)
nestacracked! [14:25]
.................... (idle for 1h35mn)
***schmir has joined #arpnetworks [16:00]
wallshotdang trick questions
the answer isn't yes or no! it's "almost never"
[16:03]
***mike-burns has quit IRC (*.net *.split)
toddf has quit IRC (*.net *.split)
schmir has quit IRC (Remote host closed the connection)
mike-burns has joined #arpnetworks
toddf has joined #arpnetworks
hubbard.freenode.net sets mode: +oo mike-burns toddf
[16:20]
schmir has joined #arpnetworks [16:31]
........ (idle for 38mn)
wallshotif you setup glue, is it wise to have redundant AAAA record for the ns in your domain's zone file, or just risking conflict? [17:09]
***sbp_ has joined #arpnetworks
sbp_ has quit IRC (Client Quit)
schmir has quit IRC (Remote host closed the connection)
[17:11]
jpalmerwhat do you mean by redundant AAAA record? [17:14]
wallshotlet's see... 5 daily tests * 1point each ... about 119 days to get the 595 points i'd need to hit 1500
i mean if the TLD has a AAAA record for my ns host
[17:15]
jpalmerWRONG!
wallshot: you should still have the IN NS listed in your zonefile.
[17:15]
wallshotright, as a IN NS
but not a IN AAAA ?
[17:15]
jpalmerwell, the IN NS is going to be a named server ns1.foo.com [17:16]
wallshotns IN AAAA my-ns-ipv6-addr ... is redundant with the glue right?
so shouldn't be necessary
[17:16]
jpalmerthen, you'd create an A and AAAA record for the ns1
example: @ IN NS ns1.foo.com.
ns1 A 1.2.3.4
ns1 AAAA 2001::foo.blah
[17:16]
wallshotso even though the glue was setup for TLD to point ns1.foo.com to 1.2.3.4, i should add A records in foo.com zonefile for it anyway [17:17]
jpalmeryou always want everything referenced completely in your zonefile. [17:17]
wallshotthis is probably good because it's what i'd done. was afraid i'd make some conflict
o excellent
[17:17]
jpalmerbtw: did you setup glue yet? did you test it with dig? [17:18]
wallshoti added a host
i think it's glued
but it said could take up to 48 hours for host changes
[17:19]
jpalmerwhat is your domain name? [17:19]
wallshotand am not sure how to dig for the glue
6-for.me
it's not pointing at my glue yet
it's still using he.net nameservers, since the glue hadn't set yet...
but the nameserver resolves so perhaps i should just switch it now
oooh i totally jacked up the NS entries
didn't change my zone to match when i put he.net nameservers in there
i really am setting this domain up the slow way
[17:19]
jpalmerI don't see glue records
dig NS 6-for.me @ns.nic.me
brb. 15 mins
[17:21]
wallshoti suspect because i didn't stick my domain to the glue? [17:22]
jdoeer
you want glue records in your zone file
but glue records for the domain need to be set by your registrar.
[17:22]
wallshoti created NS Host ns1.6-for.me -> 2607:f2f8:a460::5. but hadn't actually pointed my NS to ns1.6-for.me yet [17:23]
jdoeer
sorry, glue records at the tld's nameservers need to be set by your registrar.
[17:23]
wallshotyeah, then make them match with AAAA records in my zonefile
and point my NS records at them :)
wallshot gets to updating
i think i see how i typo broke my ipv4 A records
which mighta jacked up digs over ipv4 for ipv6 resolution
pointing ns1.foo.com at an ipv4 that named isn't listening to == good way to break stuff
guess i can bind to that ip until fix propagates
totally explains why it seemed to work when i got in this morning and how i had somehow broken it in minutes
fail on transcribe records from godaddy's dns to he.net's dns
[17:23]
***shansa has joined #arpnetworks [17:35]
wallshotwin, win, win, discovering ugly typo fixes everything! [17:36]
jdoego team :P [17:38]
jpalmerback [17:51]
wallshotwb! as u can see from scrolling up, i found a typo that was killing my reverse resolution
specifically, if named is bound on .114 and .116, don't type .115 into the A record for ns1.foo.com in the zone file
i already had it as .116 on godaddy so i musta brainfarted or fingerfarted typing out the addresses on he.net
[17:51]
jpalmeryeh, I mentioned earlier that I thought something else was wrong. good catch
so, I've been trying to get my HE.net tunnel to work correctly on dd-wrt. I get the tunnel up. radvd seems to advertise the space (clients get IPv6 IP's) but I can't ping6 anything beyond the client address of my router.
[17:52]
wallshotpossible that protocol41 isn't fully implemented across the router?
i failed miserably to get he.net tunnel working over my home router
i tried it on my arpnetworks vps, and it worked right away with the example configuration commands he.net provides for "Freebsd >= 4.4"
so i figured either my router's natting, or firewalling, or something, is jacking up he.net's tunneling. though whether it's a protocol41 incompatibility or something else i have no clue
[17:56]
jpalmerwell, I'd buy that *if* so many other people weren't having success, OR.. if the tunnel couldn't be brought up directly on my laptop ;) [17:57]
wallshotso i'm still using freenet6 for my laptop's ipv6 from the home network
i'd suspect i overlooked something (since i found no reported problems with using it over nat, except for old routers that don't do protocol41)
cept that it worked right off the bat on my non-nat vps
tho now i do suspect my router
oooh reverse is working gloriously!
[17:57]
jpalmernice, grats. [18:00]
RandalSchwartzI don't think he.net tunnels use 41
I think it's straight ipv4
it'd have to be, because I can bring up my he.net laptop tunnel pretty much anywhere that I can see the net
[18:00]
wallshotorly. everything i could find suggested protocol41 would be major cause of failure, but that mighta been random comments about tunneling in general [18:01]
RandalSchwartz41 is where you're using a "nearby" 6-to-4 gateway
and the routers have to cooperate
he.net is strictly "6 in 4"
so all your packets go inside a normal ipv4 tunnel
nobody between here and there is the wiser
usable just about everywhere
but less flexible, because the endpoint is fixed
[18:01]
wallshotoooh i musta read some misinformation about tunnels failing due to protocol41 not being passed by routers [18:02]
jpalmerok, now I goofed up something :P I can't even ping6 the router. heh [18:02]
RandalSchwartzas in, all my traffic goes to LA regardless of where it will eventually end up [18:02]
wallshotdoh! [18:03]
RandalSchwartzwhereas with proto41, it floods outward until it finds a willing 6-to-4 gateway [18:03]
wallshotoh god
that sounds ... messy
[18:03]
RandalSchwartzno - it's just a normal set of routes
.. http://en.wikipedia.org/wiki/6in4
oops - not that... http://en.wikipedia.org/wiki/6to4
[18:03]
wallshotyeah so close but not quite [18:04]
RandalSchwartzthe trick is that the gateways anycast 192.88.99.1
and the routers pick up whomever's closest
so your nearest router knows the route to the closest 192.88.99.1 ipv4
and then it turns into v6 for the rest of the way
I've been using miredo instead of that
provided I'm not deeply NATed, miredo works fine for casual v6 connectivity
although it's a different v6 each time
often, my miredo traffic ends up on a nearby he.net gateway. :)
kinda cute
OSX snow leopard comes with miredo already installed too
just need to enable the launchd item
[18:04]
wallshotdig NS 6-for.me @ns.nic.me <--- is that glue I see, the AAAA records? [18:11]
RandalSchwartzYeah... "additional section"
almost always means "glue"
[18:12]
wallshotthat's excellent [18:12]
jpalmeryes. BUT.. one problem. [18:12]
RandalSchwartzso presuming ns.nic.me is v6 reachable, you should be good [18:12]
jpalmeryou *only* have AAAA glue. you probably want to also have A glue. [18:12]
RandalSchwartzoh yeah - you need A glue [18:12]
wallshotoooh. that -is- a good idea!
should not neglect ipv4
[18:12]
jpalmerwell, if you want to be reachable via ipv6 only, you're fine now :P [18:13]
RandalSchwartzone more round of support requests. :) [18:13]
jpalmerRandalSchwartz: ns.nic.me is a TLD for .me [18:13]
RandalSchwartzsure - but it might not support v6
some of the TLDs don't
although most of them are coming around
ns.nic.me has no AAAA record
as I'm saying :)
[18:14]
jpalmeroh, I see what you're saying. I thought you figured ns.nic.me was one of his NS's. chances are good though, if that wasn't ipv6, one of the other ones would be. [18:14]
yekomsdo you all know of the new local root exploit? [18:17]
wallshotc0.cctld.afilias-nst.info. has ipv6
and is on the IN NS for .me list
[18:17]
RandalSchwartzis there a quick query like "dig ns me" that additionally dumps their A or AAAA? [18:18]
wallshotand b0.cctld.afilias-nst.org. and b2.me.afilias-nst.org. and ... [18:18]
RandalSchwartzoh - yeah, of course afilias is on the ball
one of the biggest users of postgresql in the world :)
I was setting up to do some consulting there for a bit
postgresql and perl
[18:18]
wallshotdig NS me. <-- worked for me [18:19]
RandalSchwartzroot exploit for which OS [18:19]
wallshotshows 3 AAAA's and 5 A's [18:19]
RandalSchwartzwallshot - that didn't show me the A or AAAA records
probably because you have them cached already or something
[18:19]
wallshothttp://pastebin.ca/1950053
doubt i had all of them cached
some, probably
[18:19]
RandalSchwartzwell - when I do that, I get 0 additional [18:20]
yekomsfreebsd [18:20]
RandalSchwartzjust the 8 NS records [18:20]
yekomsit works well on any 7.* and 8.* [18:20]
wallshotmaybe my nameserver is being friendlier [18:20]
yekomsshould h4x any freebsd 8.* and 7.* prior to 12Jul2010 [18:20]
RandalSchwartzbzip2/bunzip2 ... /me sighs [18:20]
yekomsit works on a few of my servers.. [18:21]
wallshoti assume you mean the mbuf advisory [18:21]
yekomscept not my vps from here.. [18:21]
wallshothttp://security.freebsd.org/advisories/FreeBSD-SA-10:07.mbuf.asc [18:21]
yekomsi guess. [18:21]
RandalSchwartzdarn it - I gotta get around to upgrading my 3 older boxes to 8.1 too [18:21]
wallshotwent out july 13 [18:21]
jpalmerwhen you said "new exploit" I thought you meant something newer than 6 weeks ago :P [18:22]
RandalSchwartzno - the bunzip was just a few days ago
... http://security.FreeBSD.org/advisories/FreeBSD-SA-10:08.bzip2.asc
[18:22]
wallshotrandalschwartz: if i dig NS me. @4.2.2.2, then i don't get extra
try it @208.79.88.7
[18:22]
RandalSchwartzAhh, I'm using comcast's nameservers. no wonder [18:23]
wallshot(that latter one is arpnet's that my vps defaults to use) [18:23]
yekomswell i just found it.. [18:23]
RandalSchwartzuh - 208.79.88.7 won't talk to me [18:24]
jpalmerdamn, I dunno what I goofed up, but I still can't ping6 my router. [18:24]
RandalSchwartzno recursion
so I bet it's still cached somewhere for you
[18:24]
wallshotmaybe it only talks to me from my vps
was running the dig on there
[18:24]
RandalSchwartzahh!
@74.82.42.42
[18:25]
wallshot4.2.2.2 was what i used for +trace info to actually show up (my home router 192.168.1.1 wouldn't even do that much) but if 4.2.2.2 isn't dishing out the AAAA/A records, i'm not sure what other nameservers would have that option enabled [18:25]
RandalSchwartzthat's he.net's open recursive server [18:25]
wallshotexcellent! [18:25]
RandalSchwartzand it shows ipv6 for www.google.com
normally you don't get that
or at least, it did at one point. :)
[18:25]
wallshotyeah i don't seem to be getting that
ipv6.google.com is the only way i know of to force google over ipv6
[18:26]
RandalSchwartzso ns.nic.me and ns2.nic.me are v4 only [18:26]
wallshotyeah they're lagging back in the 90's [18:26]
shansagoogle enables ipv6 for a few networks it deems reliable enough [18:26]
RandalSchwartzahh - if you ask for aaaa explicitly, it works
... www.l.google.com. 168 IN AAAA 2001:4860:8010::67
ugh
tabs :)
[18:27]
wallshotmy dns don't wanna give it to me even if i dig -t aaaa [18:29]
jpalmeroh, figured out the issue. I logged into the vps.. and can't ping the client side of my tunnel there either. appears the tunnel went down. [18:29]
wallshotgood reason for it to not be available
wallshot validates address and selects tshirt size
[18:31]
***shansa has quit IRC (Quit: leaving) [18:33]
jpalmerwallshot: whats your score? 1000? [18:33]
wallshotnot even
i hit sage with a score of like 500
then i found all the extra tests
so i took them
then i did 1 each of the daily tasks
and am at 905 now
[18:33]
jpalmerhmm. you're missing something then [18:34]
wallshotand i feel something's missing
cuz 5 daily tasks * 99 is 495 or so more points from those
that's 1400 points. 100 is missing :/
http://ipv6.he.net/certification/scoresheet.php?pass_name=jprather
[18:34]
RandalSchwartzI stopped at 1024 [18:35]
wallshothaha nice [18:35]
RandalSchwartzjust because the rest is just busy works [18:35]
wallshotyeah the 1 a day thing [18:36]
RandalSchwartzI could script it, but who cares [18:36]
wallshotu do it for 2 days and u got the hang of it [18:36]
RandalSchwartzI did it for 5
then realized it's just a pain to keep finding new v6 domains
that also have to be on different subnets
[18:36]
wallshotwallshot compares 1500 score to his to see what's missing
i'm missing nothing from this 1500 score
is it possible he.net math is jacked?
wallshot adds up this 1500's points
[18:36]
jpalmeryour score is 1005 right now. [18:37]
wallshotmy page not refreshed?
that explains the missing 100 points!
[18:37]
jpalmerRandalSchwartz: http://sixy.ch [18:38]
wallshoti'm all about missing what's right in front of my face today [18:38]
RandalSchwartzoh wonderful. updating ports today upgrades emac :)
emacs
[18:38]
wallshotsee i just don't install emacs, so i never have to update it [18:38]
RandalSchwartzthat'll be a while :)
hey - go see my interview about emacs org-mode
[18:39]
wallshotsometimes i feel i'm missing out, but mostly, i'm happy with it [18:39]
RandalSchwartzpeople are switching to emacs *just* for org-mode [18:39]
wallshotall editors need orgy mode [18:39]
RandalSchwartztwit.tv/floss136 [18:39]
wallshotinteresting [18:39]
RandalSchwartzor here's carsten at a google tech talk - http://www.youtube.com/watch?v=oJTwQvgfgMM [18:40]
jpalmerRandalSchwartz: I scripted it, I'll let crontab take me to 1500 :P
more correctly.. someone else scripted it. I just copied, pasted, and crontabbed.
[18:41]
wallshotis that guy wearing his sunglasses indoors? [18:41]
jpalmeronly two people wear sunglasses indoors. blind people and assholes. [18:41]
wallshotmaybe they're corrective lenses that are just dark
haha
oh
wow i'm insensitive
as i see a kid lead him back to his seat
and realize he may actually be blind
google == lies!
"The only truly portable format, read and edit anywhere"
[18:42]
jpalmerwallshot: one of the guys I work with was speaking at cluecon a year or two ago.. (thats actually his quote) he was drinking one night after his talk.. there was a guy in the bar with sunglasses on.. [18:43]
wallshotrtf is damn close!
tho console won't show rtf nicely, i confess
it's a pretty accurate quote
[18:43]
jpalmerhe walked up to the guy, took his arm, and said "I'll help you to your chair" the guy goes "get off me!" kris said "the only people that wear glasses indoors are blind people and assholes. I guess we know which one we're dealing with here" [18:44]
wallshothahahaha [18:44]
jpalmerholy crap, can't type on this MBP keyboard. [18:44]
wallshotthat's great
i'm heading out for the night
thanks for all the tips!
[18:44]
jpalmernight man [18:46]
wallshotand good luck with routing that he.net tunnel, jpalmer!
guessing less hassle once tunnel isn't down :)
[18:46]
jpalmerI'm not sure why it's actually down yet. but I'm beat. I may let it go until tomorrow. [18:47]
wallshotthat always helps. then u find a ipv4 typo somewhere and facepalm like i did today
cya guys!
[18:50]
***wallshot has quit IRC (Quit: Leaving.) [18:50]
.......... (idle for 46mn)
yekoms has quit IRC (Ping timeout: 245 seconds) [19:36]
....... (idle for 34mn)
awyeah has joined #arpnetworks [20:10]
awyeahRandalSchwartz - heh. emacs. [20:10]
........................ (idle for 1h55mn)
***smokey_ has joined #arpnetworks [22:05]
.... (idle for 19mn)
smokey_ has quit IRC (Quit: Leaving) [22:24]
