
Re: [opennic-dns-operations] Whitelist functions are now ready

  • From: Hunter 9999 <mail AT hunter-9999.de>
  • To: "dns-operations AT lists.opennicproject.org" <dns-operations AT lists.opennicproject.org>
  • Subject: Re: [opennic-dns-operations] Whitelist functions are now ready
  • Date: Tue, 11 Feb 2014 00:27:46 +0100

I think the T2 list in the wiki should contain the information for every T2,
whether it uses whitelisting or not.
What do you think?
Or would this redirect the attacks, by auto-rendering the wiki page, to the
non-whitelisting T2s?
What about setup and config instructions for users of whitelisting servers?
Would you inform the user about the whitelisting before or after choosing a
whitelisting server?


--

Kind regards

Hunter 9999

http://www.piratenpartei.de/
This party should be superfluous in a democracy!
A pity that it is otherwise!

> On 10.02.2014 at 19:52, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
>
> As some of you have heard, I have been working on whitelisting functions to
> counter the attacks we have been seeing on the public servers. I believe
> we have all the tools in place to start using this feature, although there
> are still some issues that need to be resolved.
>
> *** Tools ***
> There are two API tools available. Both require a username and
> authentication key. This key is not connected to your password, it is a
> randomly-generated string. If you ever feel this has been compromised, you
> can contact me directly and I will generate a new auth key for you.
>
> T2 operators can log into the members page and you will see a 'wget' line
> that you can use to retrieve an ACL file suitable for BIND. (If any other
> formats are desired, please contact me.) This file is updated every 15
> minutes, and contains three sections: opennic_T1 (T1 servers), opennic_T2
> (T2 servers), and opennic_whitelist (whitelisted users). I may also add a
> section for opennic_blacklist later on if we need to.
>
> Users can log into the members page and view a similar 'wget' line which
> will register the IP address they are currently using. There are some
> additional commands that can be performed in this wget statement that are
> not listed...
> -- After the user and auth parameters, you may individually specify exact
> IPs that you wish to whitelist. These may also include netmasks. So for
> example, you may specify a line such as:
> ?user=<username>&auth=<authkey>&8.8.8.8&4.4.4.4/31
> Note there is no variable name specified, the IPs just go directly after
> each & symbol. Netmasks must be specified in CIDR format. IPv6 addresses
> are also accepted. If you specify an IP in this manner, the IP you are
> making the call from is NOT included. You may not list more than 10 IPs.
> The netmask may not be any larger than a /28.
>
> -- You may also purposely delete IPs from the whitelist. As above,
> specify the IP(s) as part of the URL, but precede each with a minus (-)
> symbol, like this:
> ?user=<username>&auth=<authkey>&-8.8.8.8&-4.4.4.4
> Note that when you are deleting an IP, you do not need to specify the
> netmask. ONLY T1 and T2 operators may access this data. The info supplied
> will only list the actual IP addresses, never any usernames. Even so,
> please keep this information secure to protect our users' privacy.
>
> For either of the wget tools, you may also just visit the URL directly (you
> will have to accept the SSL cert warning). The ACL page is formatted with
> <pre> tags, and the IP update page is plaintext using <br> for linefeeds.
>
>
> *** Issues ***
> -- The SSL cert is currently self-signed. We will get an official cert to
> use when possible. In the meantime, the "wget --no-check-certificate"
> option is being used to ignore the warning, although the data is still
> encrypted over SSL.
> -- The wiki usernames are not directly tied to the LDAP records. This is
> still a work in progress, and we will get this resolved eventually. If
> your wiki username does not work as a t2operator login, please let me know.
> -- There are no T1 operator accounts yet. If you need one created, let me
> know and I'll give you the procedure to get an account registered. T1
> operators may wish to use the server list ACLs to control access, such as
> restricting AXFR requests to everything but the root zone?
>
>
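Added example, not code from the thread or from OpenNIC's own tools: a server-side validator for the whitelist-update query string Jeff describes, enforcing the rules stated in his message (bare IPs after user/auth, CIDR netmasks, a minus prefix for deletion, at most 10 IPs, no netmask wider than /28, caller IP used only when no IPs are listed). The function and parameter names are assumptions, as is accepting IPv6 entries only as single hosts, since the message gives no IPv6 netmask bound.

```python
import ipaddress

MAX_IPS = 10
MIN_V4_PREFIX = 28  # "/28" bound from the message: anything wider (e.g. /24) is rejected


def parse_whitelist_query(query: str, caller_ip: str) -> dict:
    """Return {'user', 'auth', 'add': [networks], 'delete': [addresses]} or raise ValueError.

    Names are hypothetical; the format follows the message:
      ?user=<username>&auth=<authkey>&8.8.8.8&4.4.4.4/31&-1.2.3.4
    """
    params, tokens = {}, []
    for part in query.lstrip("?").split("&"):
        if not part:
            continue
        if "=" in part:                       # named parameter (user, auth)
            key, _, value = part.partition("=")
            params[key] = value
        else:                                 # bare IP token, no variable name
            tokens.append(part)
    if "user" not in params or "auth" not in params:
        raise ValueError("user and auth parameters are required")
    if len(tokens) > MAX_IPS:
        raise ValueError(f"at most {MAX_IPS} IPs may be listed")
    adds, deletes = [], []
    for token in tokens:
        if token.startswith("-"):
            # Deletions are bare addresses (no netmask needed per the message);
            # ip_address() rejects a '/mask' suffix here.
            deletes.append(ipaddress.ip_address(token[1:]))
            continue
        net = ipaddress.ip_network(token, strict=False)   # host bits are masked off
        if net.version == 6 and net.prefixlen != 128:
            raise ValueError(f"IPv6 netmasks not accepted (assumption): {token}")
        if net.version == 4 and net.prefixlen < MIN_V4_PREFIX:
            raise ValueError(f"netmask wider than /{MIN_V4_PREFIX} rejected: {token}")
        adds.append(net)
    if not tokens:
        # No explicit IPs: whitelist the caller's own address, as the plain wget call does.
        adds.append(ipaddress.ip_network(caller_ip))
    return {"user": params["user"], "auth": params["auth"], "add": adds, "delete": deletes}


def rejection(query: str, caller_ip: str) -> str:
    """Return the rejection reason for a query, or '' if it validates."""
    try:
        parse_whitelist_query(query, caller_ip)
        return ""
    except ValueError as exc:
        return str(exc)
```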
