Why does a hostname of an isolated system need to be resolved in a worldwide DNS? It has no connection to the internet via the gw or to the tunnelling system, so DNS resolution will always lead to an unreachable host.
Because there really is no relation between IP allocation and routing.
For example, back in the days when we ran a low-speed IP packet network here and in surrounding countries (1987-2003 or thereabouts), it was strictly forbidden by the regulations to have a connection between a radio station and a public communication line. We had thousands of stations active but none reachable from the internet. Host files were used instead of DNS, but the information in the host files was always replicated to the public DNS, to indicate what addresses were allocated to whom. Also, it would have been possible (had the software on the typical station supported it) to download a zone file and use it offline.
Now that we have linking over and to the internet, we are in fact still doing that. Our gateway downloads the zone file from hamradio.ucsd.edu daily and loads it into a local DNS server on 44-net, only reachable from the radio side. So even when we lose our internet connection, we can still resolve .ampr.org addresses as they were valid just before the breakdown.
I don't think that "reachable from the internet" or "reachable from net-44 systems that tunnel over the internet" should be a criterion for being in the .ampr.org DNS. (This does not even consider that there may be firewalls that make it impossible for outsiders to detect that a system is connected, while the system itself can perfectly well make outgoing connections.)
Rob
Tnx for the explanation, Rob.
But it is still a simple step to register that subnet in the portal and have all issues solved.
-----Original Message----- From: Rob Janssen Sent: Monday, February 08, 2016 11:12 To: 44net@hamradio.ucsd.edu Subject: Re: [44net] DNS cleanup
Hello,
Why not convert the DNS to an LDAP database with a few more attributes like owner, last date of activity, state (active/suspended) and more as you need? There are scripts that convert LDAP attributes to a DNS file, and only records that have the active state will be reflected in the DNS.
Another script will check once a month/year if the address is in use; if not, it will set the date in the lastactive record and after 6 months will set it to suspended. On the next DNS update the record will be deleted from the DNS but still be in the portal; after a few months, if the owner does not claim it, the address will be set free.
It will also give the option to import into LDAP all records that are in the DNS with a suspended state, and when someone claims them they will automatically sync to the DNS. Just an idea.
Regards, Tal, 4z7tal
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
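The lifecycle proposed above (active, then suspended after a period without activity, then freed unless claimed, with only active records exported to the zone), written out as an added example. This is not code from the AMPRNet portal or from any existing conversion script: the attribute names (hostname, address, owner, state, lastactive, suspended_on), the six-month and three-month windows, and the sample entries are assumptions constructed for the example, and the records are plain dictionaries standing in for LDAP entries so that it runs offline.

```python
# Added example for the 44net thread, not code from the AMPRNet portal or
# any existing tool: the activity/suspend/free lifecycle proposed in the
# thread, applied to records that would come from LDAP.  The attribute names,
# the 6-month and 3-month windows and the sample entries are assumptions
# constructed for this example; nothing is read from a real directory.
from datetime import date, timedelta

SUSPEND_AFTER = timedelta(days=183)  # assumed: roughly six months without activity
RELEASE_AFTER = timedelta(days=90)   # assumed: grace period before a suspended address is freed
AMPR_ORIGIN = "ampr.org."
TODAY = date(2016, 2, 8)             # constructed "now" for the sample run


def sample_records():
    """Constructed stand-ins for LDAP entries (hypothetical hosts, not real allocations)."""
    return [
        {"hostname": "gw-a", "address": "44.0.0.1", "owner": "owner1",
         "state": "active", "lastactive": date(2016, 1, 20)},
        {"hostname": "old-b", "address": "44.0.0.2", "owner": "owner2",
         "state": "active", "lastactive": date(2015, 6, 1)},
        {"hostname": "susp-c", "address": "44.0.0.3", "owner": "owner3",
         "state": "suspended", "lastactive": date(2015, 1, 1),
         "suspended_on": date(2015, 10, 1)},
    ]


def update_states(records, today, in_use):
    """One run of the periodic check.

    in_use(address) -> bool stands in for whatever probe decides that an
    address is still active.  Records are updated in place; the addresses
    that became free on this run are returned so the portal can release them.
    """
    released = []
    for rec in records:
        active_now = in_use(rec["address"])
        if rec["state"] == "active":
            if active_now:
                rec["lastactive"] = today
            elif today - rec["lastactive"] > SUSPEND_AFTER:
                rec["state"] = "suspended"
                rec["suspended_on"] = today
        elif rec["state"] == "suspended":
            if active_now:
                # the owner is using it again: treat as a claim and resync to DNS
                rec["state"] = "active"
                rec["lastactive"] = today
                rec.pop("suspended_on", None)
            elif today - rec["suspended_on"] > RELEASE_AFTER:
                rec["state"] = "free"
                released.append(rec["address"])
    return released


def claim(records, address, owner, today):
    """Explicit claim through the portal: a suspended or free record goes back to active."""
    for rec in records:
        if rec["address"] == address and rec["state"] in ("suspended", "free"):
            rec.update(state="active", owner=owner, lastactive=today)
            rec.pop("suspended_on", None)
            return True
    return False


def zone_lines(records, origin=AMPR_ORIGIN):
    """Only active records are exported; suspended ones stay in the directory but leave the zone."""
    return [f"{r['hostname']}.{origin} IN A {r['address']}"
            for r in records if r["state"] == "active"]


if __name__ == "__main__":
    recs = sample_records()
    freed = update_states(recs, TODAY, in_use=lambda a: a == "44.0.0.1")
    print("released:", freed)
    print("\n".join(zone_lines(recs)))
```

Keeping the state in the directory rather than in the zone is what makes the "delete from DNS but keep in the portal" step cheap: the zone is just a projection of the active records, so a claim only flips an attribute and the next export picks it up.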
On Mon, Feb 08, 2016 at 12:26:19PM +0200, Tal Raveh wrote:
Why not convert the DNS to an LDAP database with a few more attributes like owner, last date of activity, state (active/suspended) and more as you need? There are scripts that convert LDAP attributes to a DNS file, and only records that have the active state will be reflected in the DNS.
Where do we get the data to fill in those attributes? - Brian
From the portal, and a few of them as the result of the automatic script.
Regards, Tal
On Mon, Feb 08, 2016 at 05:22:48PM +0200, Tal Raveh wrote:
From the portal, and a few of them as the result of the automatic script.
The portal doesn't have that information yet. It doesn't exist.
That's what this whole exercise is about, getting that information and storing it into the portal. After that, we can consider changing databases if there's a good reason to do so. - Brian
Like you've said, this is probably not the right place or time to discuss the choice of database. However, I just want to go on the record to say that I really *really* like that idea of using LDAP for this purpose.
Since LDAP is standards-based, every language you can think of has libraries for reading from or writing to it. It would make future tools based on the data very easy to create and negate the need to expose a portal API. The portal would just be another one of the tools talking to LDAP, but with more write privileges than most.
Availability would also be greatly improved as the "master" LDAP controlled by Brian could propagate changes to any number of read-only copies hosted by various networks all over the world (just like DNS servers with a hidden master). For example, once we have a whois service up and running, we can simply point each whois server at its own read-only LDAP copy so traffic doesn't impact the master.
Certificate authentication is also possible with LDAP, which means it's likely we'd be able to support use cases where updates need to be made securely over an RF link without using encryption to create a private channel for a password.
</End rant style geek-out on LDAP> ;)
Hi there. I'm playing with a Cisco PIX I got as a donation for our group. It has a VPN, and I know that our IPIP (protocol 4) is a non-encrypted VPN. Does anyone know if PIX supports it and can serve as a gateway? I'm not so familiar with the command set (I'm more into the Cisco routers), but I saw something like vpn tunnel and vpn clear somewhere in the vpnclient command ...
Thanks for any info Regards Ronen - 4Z4ZQ http://www.ronen.org
On Mon, 8 Feb 2016, R P wrote:
I'm playing with a Cisco PIX I got as a donation for our group. It has a VPN, and I know that our IPIP (protocol 4) is a non-encrypted VPN. Does anyone know if PIX supports it and can serve as a gateway? I'm not so familiar with the command set (I'm more into the Cisco routers), but I saw something like vpn tunnel and vpn clear somewhere in the vpnclient command ...
You're looking for a GRE tunnel or IPIP tunnel.
http://www.cisco.com/c/en/us/tech/ip/ip-tunneling/tech-configuration-example...
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager
Ronen, the PIX doesn't support GRE tunnels to the best of my knowledge (PIX code 6.35), and even with some of the newer ASA code (7.0 and above) I don't think unencrypted GRE is an option. You can only configure physical interfaces. Cisco IOS is the only platform that supports GRE, and from experience using IOS routers, the configuration maintenance to keep up with the changes in the AMPR list is best left to a scripted process or RIPd on Linux. 73, KY9J
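The "scripted process" alternative mentioned above, shown as an added example for a Linux gateway rather than an IOS router. This is not code from any AMPR gateway, from the list archive, or from Cisco: it assumes the encap list carries entries of the form "route addprivate 44.x.y.z/nn encap a.b.c.d", assumes the kernel's tunl0 device for IPIP (protocol 4), and uses constructed sample entries and documentation-range addresses. The ip(8) commands are generated as strings and never executed, so the script runs offline and without root.

```python
# Added example for the 44net thread, not code from any AMPR gateway or from
# Cisco: turn encap-list style entries ("route addprivate <net> encap <ip>",
# the line shape assumed here) into ip(8) commands for IPIP over the kernel's
# tunl0 device.  Sample entries, addresses and the device name are assumptions
# constructed for this example; commands are generated, never run.
import ipaddress
import re

ENCAP_LINE = re.compile(r"^route\s+addprivate\s+(\S+)\s+encap\s+(\S+)$")
AMPRNET = ipaddress.ip_network("44.0.0.0/8")  # assumed: only net-44 belongs behind the tunnel

SAMPLE_ENCAP = """\
# constructed sample, not the real encap list
route addprivate 44.10.0.0/16 encap 192.0.2.10
route addprivate 44.20.5.0/24 encap 198.51.100.7
route addprivate 44.30.0.0/24 encap 203.0.113.3
"""


def parse_encap(text):
    """Return [(network, endpoint)], rejecting anything that is not a well-formed net-44 entry.

    Strict parsing matters because the output is meant for a root shell: a
    malformed line should stop the run, not silently become a bad route.
    """
    routes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENCAP_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
        net = ipaddress.ip_network(m.group(1), strict=True)  # host bits set -> ValueError
        endpoint = ipaddress.ip_address(m.group(2))
        if net.version != 4 or endpoint.version != 4:
            raise ValueError(f"line {lineno}: IPv4 only")
        if not net.subnet_of(AMPRNET):
            raise ValueError(f"line {lineno}: {net} is not inside {AMPRNET}")
        if endpoint in AMPRNET:
            # an endpoint inside net-44 would itself be routed into the tunnel
            raise ValueError(f"line {lineno}: endpoint {endpoint} is inside {AMPRNET}")
        routes.append((net, endpoint))
    return routes


def ip_commands(routes, local_nets, public_ip, tunnel="tunl0"):
    """Commands for one full reload.

    Subnets overlapping our own are skipped (otherwise local traffic would be
    pushed into the tunnel), as are entries pointing at our own public address.
    """
    local = [ipaddress.ip_network(n) for n in local_nets]
    me = ipaddress.ip_address(public_ip)
    cmds = [
        "modprobe ipip",               # loading the module creates tunl0
        f"ip link set {tunnel} up",
    ]
    for net, ep in routes:
        if ep == me or any(net.overlaps(l) for l in local):
            continue
        # 'onlink' lets the kernel use ep as the IPIP outer destination
        cmds.append(f"ip route replace {net} via {ep} dev {tunnel} onlink")
    return cmds


if __name__ == "__main__":
    routes = parse_encap(SAMPLE_ENCAP)
    for cmd in ip_commands(routes, local_nets=["44.20.5.0/24"], public_ip="203.0.113.3"):
        print(cmd)
```

Using `ip route replace` rather than `add` makes the script idempotent across daily runs; routes that disappeared from the list still have to be removed separately (for example by comparing against `ip route show dev tunl0`), which is the part a one-shot IOS configuration makes tedious by hand.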
On Mon, 8 Feb 2016, Cory (NQ1E) wrote:
Like you've said, this is probably not the right place or time to discuss the choice of database. However, I just want to go on the record to say that I really *really* like that idea of using LDAP for this purpose.
+1
Tim Osburn 080-4633-4671 http://www.m2os.com W7RSZ / JG1MBR
On Mon, 8 Feb 2016, Cory (NQ1E) wrote:
Availability would also be greatly improved as the "master" LDAP controlled by Brian could propagate changes to any number of read-only copies hosted by various networks all over the world (just like DNS servers with a hidden master). For example, once we have a whois service up and running, we can simply point each whois server at its own read-only LDAP copy so traffic doesn't impact the master.
This is good.
Certificate authentication is also possible with LDAP which means it's likely we'd be able to support use-cases where updates need to be made securely over a RF link without using encryption to create a private channel for a password.
This is better. I am sold. OTOH, there is DNSSEC and other sort of things already in DNS, as well as TXT fields. The caveats would be information that needs to be kept hidden or suppressed, or stored/processed as XML before being exported to zone file and the DNS master kicked.
This is more of a matter to the internals of the portal application / interface than DNS itself.
While certainly useful to have an "offline copy" if the WAN link is down, DNS already has mechanisms to handle things such as TTL.
But alternatively, should one www node go down, it is useful to have others to fall back on.
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager