91.192/10 to be used for PI assignments to End Users

Dear Colleagues,

At recent RIPE Meetings, we have reported a steady rise in requests from
our members for Provider Independent (PI) address space for End User
networks. We have reclaimed and recycled space from closed Local
Internet Registries to meet this demand, but we are nearing the point
where the available PI space will run out.

In the past, we made PI assignments from former Class C space (193/8 and
194/7). Because of the increasing demand for PI space, we made sure that
we would be able to use some of our most recent allocation of address
space to meet future requests. We have designated 91.192/10 for PI
assignments to End User networks.

When the former Class C space is exhausted, we will start to make PI
assignments from 91.192/10. We will let you know when this happens. We
are announcing a pilot prefix using the RIS beacons; you may want to
update any filters that you have in place.

The RIS beacons are announcing the following networks:

91.192.0.0/24
91.192.0.0/16

You can ping 91.192.0.1. Full details of reachable IP addresses and tools are available on our web site at:

http://www.ris.ripe.net/debogon/debogon.html

Regards,
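A way to check whether an existing route filter would still drop the pilot prefixes named in the announcement. This is an added example, not part of the original message or RIPE NCC tooling; it assumes Cisco IOS-style `ip prefix-list` lines, and the filter name `BOGONS` and its entries are constructed sample data.

```python
import ipaddress
import re

ENTRY = re.compile(r"ip prefix-list \S+ seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?")

# Constructed sample filter; the 91.0.0.0/8 line is an assumed stale bogon entry.
STALE = """\
ip prefix-list BOGONS seq 10 deny 10.0.0.0/8 le 32
ip prefix-list BOGONS seq 20 deny 91.0.0.0/8 le 32
ip prefix-list BOGONS seq 30 permit 0.0.0.0/0 le 24
"""
PILOT = ["91.192.0.0/24", "91.192.0.0/16"]  # RIS beacon prefixes from the announcement

def parse(config):
    entries = []
    for line in config.splitlines():
        m = ENTRY.fullmatch(line.strip())
        if not m:
            continue
        seq, action, prefix, ge, le = m.groups()
        net = ipaddress.ip_network(prefix)
        # No ge/le means exact length; ge alone means ge..32; le alone means len..le.
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (32 if ge else net.prefixlen)
        entries.append((int(seq), action, net, lo, hi))
    return sorted(entries, key=lambda e: e[0])

def verdict(entries, route):
    """First matching entry wins; a prefix-list ends with an implicit deny."""
    route = ipaddress.ip_network(route)
    for seq, action, net, lo, hi in entries:
        if route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action, seq
    return "deny", None

def blocked(config, routes=PILOT):
    """Map each pilot route that the filter drops to the (action, seq) that drops it."""
    entries = parse(config)
    return {r: verdict(entries, r) for r in routes if verdict(entries, r)[0] == "deny"}
```

An entry without `le` only matches its exact prefix length, so a bare `deny 91.0.0.0/8` would not drop the /16 or /24 beacons; the `le 32` form is the one to look for.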

Any link to the slides which might contain the expected increase for the
coming years? Especially the estimated number of routes that will newly
be announced using BGP because of this would be something nice to see.

Greets,
Jeroen

Hi Jeroen,

Jeroen Massar wrote:

It is not VeriSign this time.

For those who have not yet seen this:

http://www.opendns.com/

They will 'correct' your spelling mistakes for you.

From their FAQ:

This is nothing like Verisign's SiteFinder service.

OpenDNS is a product a customer -chooses- to use. There really is no comparison.

Gerry Boudreaux wrote:

It is not VeriSign this time.

For those who have not yet seen this:

http://www.opendns.com/

They will 'correct' your spelling mistakes for you.

I think the openDNS approach is far different from the Verisign sitefinder debacle if only for the important reason that using openDNS is voluntary and using sitefinder wasn't.

Also, sitefinder created a wildcard DNS record where none existed before, breaking all kinds of applications in the process, openDNS doesn't do this.

So at the end of the day, people are FREE to decide what resolvers to use and whoever comes along to offer their idea of "value adds" can go right ahead without borking the internet.

Personally I think openDNS is an idea whose time has come and that Dave Ulevitch and his crew are going to hit one out of the ballpark with this.

-mark

Gerry Boudreaux <gerry@tape.net> writes:

It is not VeriSign this time.

It is not even remotely the same as SiteFinder either. It requires
people to make a conscious decision to use different nameservers than
the ones they're currently using, and is likely to get the same or
less level of traction as the alternative roots have. Since it's
completely opt-in, people can feel free to ignore it, as I shall.
Sure would have been nice to be able to simply ignore Sitefinder.

For those who have not yet seen this:

http://www.opendns.com/

They will 'correct' your spelling mistakes for you.

yawn.

                                        ---rob

For those who have not yet seen this:
http://www.opendns.com/
They will 'correct' your spelling mistakes for you.

I'm happy to answer any and all questions off-list but I want to point out one aspect that hasn't quite been messaged correctly. A big point being missed is the addition of "if you want."

We have written this as a recursive dns service that can do different things to different IPs. You quote from our FAQ but you leave out the clueful parts of the FAQ so this is one that's important:

How do I turn off phishing protection or typo correction?

If you want to use OpenDNS but do not want phishing protection and/or typo correction, you may ask us to disable that protection for you.
Currently, setting these preferences requires an OpenDNS team member. In the future, you may manage this preference yourself, if registered. Registration will be free, and not required to use the service. This preference will be offered first for members with a static IP address, and then for those with dynamic IP addresses.

So if you want standard NXDOMAIN, that's fine. Happy to do it. Different strokes for different folks. That's the whole idea.

We're not new at this, or looking to make a quick buck by annoying you with ads. I recommend giving it a try and letting me know your thoughts. The idea of both building an intelligent recursive dns server and a recursive DNS service are both a long time in the making and make a lot of sense. Perhaps we can work on our messaging to more technical audiences. :)

Best,
David Ulevitch

Gerry,

I sat on the Security and Stability committee for ICANN and was part of the folks that reviewed SiteFinder.

OpenDNS is not SiteFinder; give them a try, the DNS resolution is blazing fast and they do fix up the most common typos.

One thing massively different between openDNS and SiteFinder is that you have choice -- the choice to use them. IMHO many will choose to use OpenDNS because it is fast and can offer protections you just can't get from running your own resolver.

best,

-rick

Gerry Boudreaux wrote:

* markjr@easydns.com (Mark Jeftovic) [Mon 10 Jul 2006, 15:55 CEST]:

I think the openDNS approach is far different from the Verisign sitefinder debacle if only for the important reason that using openDNS is voluntary and using sitefinder wasn't.

Correct. OpenDNS is not abusing a monopoly position here.

Also, sitefinder created a wildcard DNS record where none existed before, breaking all kinds of applications in the process, openDNS doesn't do this.

Wrong. Asking their "big caching nameserver" for gibberish returns "IN A 208.67.219.40" instead of NXDOMAIN. Same breakage occurs, although they return NXDOMAIN instead of NOERROR when queried about MX or AAAA records, so ironically damage for IPv6-enabled applications is limited.

They seem to be using Yahoo! as search engine there.

220 reject.opendns.com - OpenDNS Mail Rejection Service 1.2 (No mail accepted here)

Remind you of anything - what was it called, chuck? It's already broken.

So at the end of the day, people are FREE to decide what resolvers to use and whoever comes along to offer their idea of "value adds" can go right ahead without borking the internet.

Several people have eloquently expressed why creating different views of a global namespace is a bad idea before on this mailing list.

Personally I think openDNS is an idea whose time has come and that Dave Ulevitch and his crew are going to hit one out of the ballpark with this.

Have you switched your company over yet?

Regards,

  -- Niels.
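The behaviour reported in the message above (an A answer for a name that should not exist, but NXDOMAIN for MX and AAAA) can be detected by comparing reply codes per query type. This is an added example, not code from the thread or from OpenDNS; the name, the helper `fake_reply` and the sample replies are constructed so the check runs offline.

```python
import socket
import struct

NXDOMAIN = 3  # RCODE 3 (RFC 1035): the queried name does not exist
QTYPES = {"A": 1, "MX": 15, "AAAA": 28}

def build_query(name, qtype, txid=0x1234):
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + labels + b"\x00" + struct.pack("!2H", QTYPES[qtype], 1)

def skip_name(msg, pos):
    # Step over an encoded name; a compression pointer is two bytes and ends it.
    while msg[pos]:
        if msg[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def parse_reply(msg):
    """Return (rcode, [IPv4 addresses from A records in the answer section])."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!2HIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return flags & 0x000F, addrs

def classify(replies):
    """replies maps qtype -> raw reply for one name that should not exist."""
    parsed = {q: parse_reply(m) for q, m in replies.items()}
    rewritten = sorted(q for q, (rc, _) in parsed.items() if rc != NXDOMAIN)
    return {"rewritten": rewritten, "substituted": parsed.get("A", (0, []))[1]}

def fake_reply(query, rcode, addr=None):
    # Constructed sample data: turn a query into the reply a resolver might send.
    head = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    rr = struct.pack("!3HIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(addr) if addr else b""
    return head + query[12:] + rr

NAME = "zzqx-no-such-host.invalid"  # constructed name that should not resolve
SAMPLE = {"A": fake_reply(build_query(NAME, "A"), 0, "208.67.219.40"),
          "MX": fake_reply(build_query(NAME, "MX"), NXDOMAIN),
          "AAAA": fake_reply(build_query(NAME, "AAAA"), NXDOMAIN)}
```

Against a live resolver, the output of `build_query` can be sent over UDP port 53 and the raw replies passed to `classify`; a non-empty `rewritten` list means the resolver is not returning NXDOMAIN for that query type.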

Personally I think openDNS is an idea whose time has come and that Dave Ulevitch and his crew are going to hit one out of the ballpark with this.

Have you switched your company over yet?

yes, and the thing that pisses me off, is that it does seem faster.

-rick

* wessorh@ar.com (Rick Wesson) [Mon 10 Jul 2006, 21:08 CEST]:

Personally I think openDNS is an idea whose time has come and that Dave Ulevitch and his crew are going to hit one out of the ballpark with this.

Have you switched your company over yet?

yes, and the thing that pisses me off, is that it does seem faster.

With 170ms to their resolvers I doubt it'll be much of an improvement for me...

  -- Niels.

Niels Bakker wrote:

Also, sitefinder created a wildcard DNS record where none existed before, breaking all kinds of applications in the process, openDNS doesn't do this.

Wrong. Asking their "big caching nameserver" for gibberish returns "IN A 208.67.219.40" instead of NXDOMAIN. Same breakage occurs, although they return NXDOMAIN instead of NOERROR when queried about MX or AAAA records, so ironically damage for IPv6-enabled applications is limited.

I stand corrected, however this is not as big a deal as when sitefinder did it because as we've both observed, this is voluntary. If using this breaks your application, don't have your application use it, with sitefinder you didn't have the choice.

For its target market: end user DNS resolution, the side effects will be minimal if anything.

Several people have eloquently expressed why creating different views of a global namespace is a bad idea before on this mailing list.

I don't consider this a different view of the global namespace. If they decide to add ORSC root glue or New.net domains then it'll be a different view of the global namespace. Hopefully they wouldn't be that reckless.

Have you switched your company over yet?

The way we run our applications doesn't lend itself to using it (it's that choice thing again), but I've got a few workstations using it and one of my laptops. It's also a handy offsite resolver to use to check DNS settings from outside our own cloud.

We also get asked by our members if there is a viable resolver they can use and we'll be happy to recommend this.

-mark

a message of 49 lines which said:

OpenDNS is not SiteFinder; give them a try, the DNS resolution is
blazing fast

For the typical NANOGer, yes, but remember that the Internet is larger
than that. From France, the RTT is very poor (more than 200 ms),
whatever the speed of their application.

hurrah :( cause obviously everything in the world using dns is a browser?
:( As a note, some other folks do this as well:

www.paxfire.com
nominum perhaps as well?

:( Seems really, really dumb to me, since everything is NOT (surprised?) a
web browser :( I wonder what happens when it tries to correct my enum
dns requests? Be cautious that some largish provider's dns caches might
be doing this as well 'soon' despite engineering folks saying 'gosh that
seems like a very poor plan...' :(

'fun'!

Christopher L. Morrow wrote:

:( Seems really, really dumb to me, since everything is NOT (surprised?) a
web browser :( I wonder what happens when it tries to correct my enum
dns requests? Be cautious that some largish provider's dns caches might
be doing this as well 'soon' despite engineering folks saying 'gosh that
seems like a very poor plan...' :(

'fun'!

All of the arguments I've heard against this idea today apply well and good to the context of a sitefinder, but the simple fact that this is an application-oriented enhancement to DNS resolvers falls on deaf ears.

David has already responded that people can configure their resolver service to return NXDOMAINs instead and nobody here has acknowledged it.

The more I see people laugh at this, the more I'm convinced this idea has legs.

(and if anybody is wondering, I have no affiliation with it.)

I just see a lot of the grief caused by phishers, and a lot of the spam crap sites clogging the net and it's nice to see somebody taking a fresh approach, doing something about it and adding another avenue of mitigation to the equation.

-mark

(P.S. One of the reasons I'm behind this so much is because David has been a long time participant in the DNSbl.org project and I know he's a "white hat" DNS guy trying to fight the good fight, so when I look at this project, I see Dave's track record behind it.)

I stand corrected. After reading further, it does appear to provide a useful service that many will find meets/exceeds their needs.

Thanks

I'll demur --- I don't much like it, for several reasons.

The first is that it *does* present a different view of the One True
Tree. I've been saying for years -- among other things, in the context of
Sitefinder, alternate roots, and other things -- that the DNS was designed
under the assumption that there's one namespace. Anything that presents
different results will result in confusion.

The second is the precedent that's set -- who gets to decide what zones
are excluded from the tree? OpenDNS? Sure -- and to whom do they
listen? Are any sites to be ruled out on political grounds?
Ideological? Not today, sure, and (I assume) not by OpenDNS -- but what
if some misguided legislature passes some law? Bear in mind that *by U.S.
law*, libraries that receive federal funding *must* install certain kinds
of filters.

The third is that not all the world is a web site. I send email, do IM,
ftp, ssh, SIP, imaps, pop3s, and assorted other weird protocols. (I'm
having trouble doing SIP from my hotel tonight. I wonder if that's a
coincidence. The server worked just fine from the IETF venue a few hours
ago.) OpenDNS, like Sitefinder before it, is optimized for web users.

A fourth is that most consumers don't have a realistic choice; they use
whatever DNS server their ISP gives them. Furthermore, they have little
choice of ISP. In the U.S., people are lucky if they have two choices,
DSL from the local monopoly telco or cable modem service from the local
monopoly cable TV company. You might not like the service; you may get it
anyway. (Yes, I read their instructions how individuals can start
using the service. I frankly don't believe that that will happen at a
large enough scale to make a viable business.) This doesn't apply, of
course, to corporate decisions regarding the employee experience, but that
doesn't strike me as the market this is aimed at. (Their privacy policy
appears decent, but I couldn't tell if they build up user profiles which
they use for their ads. The Privacy Policy didn't seem to say, one way or
another; the Terms of Service requires accurate registration instructions,
which is sometimes done for profile-based advertising. I can't tell, nor
do I know what they can or can't "look our mothers in the eye about", to
use their phrase.)

Fifth, the service doesn't work properly in the presence of DNSsec. They
can't return proper NXT records, nor can they realistically sign their own
responses except for certain *very* common typos.

Yes, this is better than Sitefinder, because it's not forced on the entire
Internet. However, it shares many of the same flaws.

I'll demur --- I don't much like it, for several reasons.

[SNIP - several good points.]

Yes, this is better than Sitefinder, because it's not forced on the entire
Internet. However, it shares many of the same flaws.

I'm not going to use the service either, but for different reasons than you state. And it does have "many of the same flaws" as Sitefinder.

But Sitefinder had only one fatal flaw: The Lack Of Choice.

Obviously that flaw is not shared.

Of course, everyone should feel free to espouse their opinions on the service, and use it or not, and try to persuade others to use it or not. But just like any other service, software, protocol, or other _optional_ choice in running your network (or home computer), we will just have to let the market decide. Chances are, there's enough Internet to go around for everyone, whether they use the service or not.

* Steven M. Bellovin:

The second is the precedent that's set -- who gets to decide what zones
are excluded from the tree? OpenDNS? Sure -- and to whom do they
listen? Are any sites to be ruled out on political grounds?
Ideological? Not today, sure, and (I assume) not by OpenDNS -- but what
if some misguided legislature passes some law?

And how is real DNS any different? Even in Western democracies, ISPs
can be forced to suppress zones on their resolvers.

There are profound privacy issues with centralized, opt-in DNS
resolvers, but they can probably be resolved satisfactorily. But I'm
definitely the wrong guy to argue in favor of DNS-related privacy
(although I try very hard to make it impossible to link DNS queries
and responses to particular users).

Apart from that, I hope that services like this one (coupled with
tactical null routes) become more important to consumers. More
competition on network-based security measures will help to protect
them from (technically) harmful content. In some collapsed consumer
markets, it might enable ISPs to charge extra fees and compete on
these additional services, avoiding a complete meltdown of the market
and a return to an oligopoly.