- NZNOG - lists.nznog.org

Spoofer Report for NZNOG for May 2025
by CAIDA Spoofer Project 08 Jun '25

08 Jun '25

In response to feedback from operational security communities, CAIDA's source address validation measurement project (https://spoofer.caida.org) is automatically generating monthly reports of ASes originating prefixes in BGP for systems from which we received packets with a spoofed source address. We are publishing these reports to network and security operations lists in order to ensure this information reaches operational contacts in these ASes. This report summarises tests conducted within nzl. Inferred improvements during May 2025: none inferred Source Address Validation issues inferred during May 2025: ASN Name First-Spoofed Last-Spoofed 9500 VODAFONE-TRANSIT 2025-03-19 2025-05-29 Further information for these tests where we received spoofed packets is available at: https://spoofer.caida.org/recent_tests.php?country_include=nzl&no_block=1 Please send any feedback or suggestions to spoofer-info(a)caida.org

1 0

InternetNZ - DNSSEC ZSK Standby Chain Rollover
by Felipe Barbosa 05 Jun '25

05 Jun '25

InternetNZ will begin a DNSSEC Zone Signing Key rollover in our current standby chain. This should not affect the active chain used in DNS resolution for .nz. The status and scheduling will be posted to status.internetnz.nz. This will consist of two maintenance windows, in each window we will pause zone distribution to make changes, perform validation, and resume zone distribution for the following zones: nz, ac.nz, co.nz, cri.nz, geek.nz, gen.nz, govt.nz, health.nz, iwi.nz, kiwi.nz, maori.nz, mil.nz, net.nz, org.nz, parliament.nz, and school.nz The first change window is on the following link: https://status.internetnz.nz/incidents/dgmt15cqy4r7 For questions or issues please contact registry(a)internetnz.net.nz, for updates please subscribe to the IRS Production > Zone Publish component of status.internetnz.nz -- Ngā mihi Felipe Agnelli Barbosa DNS Specialist InternetNZ | Ipurangi Aotearoa We are the home of .nz and we work for an Internet that benefits all of Aotearoa. www.internetnz.nz GPG: 95C1 8BDC EFA7 9CAC 303D 003E A058 2449 D152 8580

1 1

Call for Papers - APNIC 60
by Christopher Hawker 31 May '25

31 May '25

Hello everyone, The APNIC 60 Program Committee (PC) is seeking presentations for the APNIC 60 conference in Da Nang, Viet Nam. The three conference days will be held from 9 to 11 September 2025. We are looking for content that would suit technical sessions, tutorials, lightning talks, BoFs and panel discussions. APNIC 60 conference registration is free for selected speakers. Topics for conference sessions must be relevant to Internet operations and technologies. The following topics are examples of possible areas of interest. * IP core network routing, switching * IPv6 deployment and transition technologies * Access and transport networks including Cable/DSL, LTE/5G/6G, wireless, metro ethernet, fibre, segment routing * Cyber security, network security issues (NSP-SEC, DDoS, Anti-Spam, Anti-Malware) and BCPs * Software defined networking, network function virtualization and network automation * Content & service delivery (Multicast, Voice, Video, Telepresence, Gaming) and cloud computing * DNS / DNSSEC and RPKI * IXPs and Peering * Internet of Things (IoT) architectures, standards, services, security, addressability, and manageability * Smart Cities architecture, security, and addressing * Research on Internet operations and deployment * Quantum computing * AI in network operations Presentations are expected to last 20 minutes, and tutorials are expected to last 90 minutes. It's acceptable to submit a talk you've already given or have submitted to another conference. If you would like to submit a presentation, head over to https://submission.apnic.net/user/login.php?event=222. The final deadline for submissions is Monday 30 June 2025. More information can be found on https://conference.apnic.net/60/program/callforpresentations/index.html. If you have any questions or concerns, please do feel free to send an email to the Program Committee at apnic-pc(a)apnic.net<mailto:apnic-pc@apnic.net>. ----- Regards, Christopher Hawker On behalf of the APNIC 60 Program Committee

1 0

Spoofer Report for NZNOG for Apr 2025
by CAIDA Spoofer Project 08 May '25

08 May '25

In response to feedback from operational security communities, CAIDA's source address validation measurement project (https://spoofer.caida.org) is automatically generating monthly reports of ASes originating prefixes in BGP for systems from which we received packets with a spoofed source address. We are publishing these reports to network and security operations lists in order to ensure this information reaches operational contacts in these ASes. This report summarises tests conducted within nzl. Inferred improvements during Apr 2025: none inferred Source Address Validation issues inferred during Apr 2025: ASN Name First-Spoofed Last-Spoofed 9500 VODAFONE-TRANSIT 2025-03-19 2025-04-29 Further information for these tests where we received spoofed packets is available at: https://spoofer.caida.org/recent_tests.php?country_include=nzl&no_block=1 Please send any feedback or suggestions to spoofer-info(a)caida.org

1 0

Fwd: [dns-operations] OARC 45 Call for Contributions
by Felipe Barbosa 30 Apr '25

30 Apr '25

Forwarding on behalf of OARC. -- Ngā mihi Felipe Agnelli Barbosa DNS Specialist InternetNZ | Ipurangi Aotearoa We are the home of .nz and we work for an Internet that benefits all of Aotearoa. www.internetnz.nz GPG: 95C1 8BDC EFA7 9CAC 303D 003E A058 2449 D152 8580 ---------- Forwarded message --------- From: Cathy Almond <cathya(a)isc.org> Date: Wed, Apr 30, 2025 at 1:45 PM Subject: [dns-operations] OARC 45 Call for Contributions To: <dns-operations(a)lists.dns-oarc.net> The OARC 45 workshop Call for Contributions is now open! This workshop will be a hybrid event. Date - 7-8 October 2025 Location - Stockholm, Sweden Time - Approx 10:00 CEST (08:00 UTC) - 17:00 CEST (15:00 UTC) Adjacent to Netnod Tech Meeting 2025 (9 October 2025) (https://www.netnod.se/netnod-tech-meeting-2025) Deadline for Submissions - 2025-07-29 23:59 UTC https://indico.dns-oarc.net/event/55/abstracts/ All DNS-related subjects and discussion topics are welcome although we're particularly keen to hear more about operational and security related experiences, best practices and practical advice; both for newcomers to the DNS arena and those who have been around for longer who want to learn more about new features and opportunities to improve resilience, security and privacy. (These topics we think will complement the usual high-quality data-based research submissions we always hope to receive!) If you have something interesting to share with the community that lies outside of the focus above, please don't be put off - if it's good, we'll be happy to include it. If you'd like to offer a talk, but are not quite sure what to pick, here's a non-exhaustive list of ideas: 1. Operations & Deployment Configuration management, deployment processes, and interoperability experiences. Tools, tips, and making effective use of DNS software features. 2. Performance, Resilience & Scaling Provisioning, load-balancing, and planning for resilience. DNS performance management, efficiency improvements, and metrics. Monitoring infrastructure: log pipelines, analytics, and anomaly detection. 3. Security, Privacy & Policy DoS attacks, DNS abuse, DNSSEC signing and validation. Privacy considerations, for example: encrypted transport, qname minimization, data anonymization. Relevant global and regional policies, legislation, and compliance. 4. Research & Innovation Data-driven testing, measurement, and analysis. New protocols, protocol extensions, and next-generation namespace management. 5. Lessons & Learnings Outage experiences, recovery stories, and cautionary tales For further details please see https://www.dns-oarc.net/oarc45 Cathy Almond, for the DNS-OARC Programme Committee _______________________________________________ dns-operations mailing list dns-operations(a)lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations

1 0

InternetNZ - DNSSEC ZSK Standby Chain Rollover
by Felipe Barbosa 28 Apr '25

28 Apr '25

InternetNZ will begin a DNSSEC Zone Signing Key rollover in our current standby chain. This should not affect the active chain used in DNS resolution for .nz. The status and scheduling will be posted to status.internetnz.nz. This will consist of two maintenance windows, in each window we will pause zone distribution to make changes, perform validation, and resume zone distribution for the following zones: nz, ac.nz, co.nz, cri.nz, geek.nz, gen.nz, govt.nz, health.nz, iwi.nz, kiwi.nz, maori.nz, mil.nz, net.nz, org.nz, parliament.nz, and school.nz The first change window is on the following link: https://status.internetnz.nz/incidents/wh80pfs8w3z2 For questions or issues please contact registry(a)internetnz.net.nz, for updates please subscribe to the IRS Production > Zone Publish component of status.internetnz.nz -- Ngā mihi Felipe Agnelli Barbosa DNS Specialist InternetNZ | Ipurangi Aotearoa We are the home of .nz and we work for an Internet that benefits all of Aotearoa. www.internetnz.nz GPG: 95C1 8BDC EFA7 9CAC 303D 003E A058 2449 D152 8580

1 1

Conference Programme and Lightning talks
by Richard Nelson 09 Apr '25

09 Apr '25

The conference starts tomorrow. The programme is at https://www.nznog.org/conferences/nznog-2025/programme There is a lightning talks session again so we will be looking for anyone with a quick five to ten minute presentation/talk/rant they would like to give in that session. If that is you, please email talks(a)nznog.org.

1 0

Fwd: [ih] In loving memory of (Mr. Bufferbloat) Dave Täht <3
by Brian E Carpenter 02 Apr '25

02 Apr '25

I think some people here will remember Dave. He was a powerhouse. Brian -------- Forwarded Message -------- Subject: [ih] In loving memory of (Mr. Bufferbloat) Dave Täht <3 Date: Tue, 1 Apr 2025 10:47:51 -0700 From: the keyboard of geoff goodfellow via Internet-history <internet-history(a)elists.isoc.org> Reply-To: the keyboard of geoff goodfellow <geoff(a)iconia.com> To: Internet-history <internet-history(a)elists.isoc.org> ---------- Forwarded message --------- From: Frantisek Borsik <frantisek.borsik(a)gmail.com> Date: Tue, Apr 1, 2025 at 7:27 PM Subject: In loving memory of Dave Täht <3 Hello to all, We’re devastated to announce that Dave Täht has passed away. <https://libreqos.io/2025/04/01/in-loving-memory-of-dave/> Dave was an amazing man, helping the world with FQ-CoDel and CAKE, fighting bufferbloat and trying to make the world a better place. Always willing to help, and without him – LibreQoS (and the other QoE solutions out there) wouldn’t exist. Dave was an inspiration, and we all miss him. We’re reaching out to family and close friends to see if there’s anything we can do to help. Dave was an inspiration to us. Dave’s contributions to Linux, FQ-CoDel, and CAKE improved internet connectivity around the world for millions of people. Because of him, millions of people now have access to reliable video calls – and in turn, access to loved ones, healthcare, and community. One of Robert’s ISP customers is a kind paraplegic woman who lives in a far-flung rural Colonia around El Paso, Texas. Her reliable access to her doctors through telemedicine, and to her family through FaceTime, was only made possible because of his algorithms. There are millions of cases like hers, where Dave’s contributions have silently enabled human connection and safety. Everything Dave contributed to the world of technology was free and open source, for the betterment of humanity. Dave is the reason that Starlink was able to tackle its latency issues – enabling a generation of young entrepreneurs across the developing world, such as these young folks pictured in the Phillipines, to start their own ISPs to expand internet access to their communities. Dave started work on FQ-CoDel in part because of his own journey working to expand internet access in Nicaragua, so we know he saw that his work had come full-circle and helped so many. We’re incredibly grateful to have Dave as our friend, mentor, and as someone who continuously inspired us – showing us that we could do better for each other in the world, and leverage technology to make that happen. He will be dearly missed. *PS: *Dave is forever in our hearts and souls, in our routers and...in production! *https://github.com/LibreQoE/LibreQoS/pull/684 <https://github.com/LibreQoE/LibreQoS/pull/684>* All the best, Frank Frantisek (Frank) Borsik https://www.linkedin.com/in/frantisekborsik Signal, Telegram, WhatsApp: +421919416714 iMessage, mobile: +420775230885 Skype: casioa5302ca frantisek.borsik(a)gmail.com -- Geoff.Goodfellow(a)iconia.com living as The Truth is True -- Internet-history mailing list Internet-history(a)elists.isoc.org https://elists.isoc.org/mailman/listinfo/internet-history

2 1

AusNOG 2025 - Call For Papers is open!
by Mark 02 Apr '25

02 Apr '25

Hello! AusNOG 2025 Call For Papers is now open! We are looking for presentations that an audience working predominantly in the network operating space will find interesting and useful. As always, we do not accept marketing or sales material as part of any presentation. The CFP will close on May 30th 2025. This allows time for the Program Committee to review papers and choose the program. Please express your interest and submit a short abstract of the topic you'd like to present, via our portal; https://cfp.ausnog.net/ausnog-2025/ Thank you, and see you in Melbourne, for AusNOG September 2025! Event dates and details here; https://www.ausnog.net/ Regards, Mark Duffell on behalf of the AusNOG PC (Jocelyn, Joe, Phil, James & Michael)

1 0

DNSSEC Root Key Signing Key (KSK) for the Domain Name System
by Christopher Hawker 28 Mar '25

28 Mar '25

Hello Everyone, As many of you may know, one of the functions of the Internet Assigned Numbers Authority (IANA) is the global coordination of the DNS Root Zone. One of the core components to DNS is DNSSEC. The Root Key Signing Key (KSK) acts as the trust anchor for DNSSEC for the Domain Name System, and this trust anchor is configured in DNSSEC-aware resolvers to facilitate validation of DNS data. This is how your DNS servers are able to cryptographically validate the authenticity of DNS records they receive and serve. For more information pertaining to DNSSEC, how it operates, the KSK and the relevant policies and procedures, I recommend visiting https://www.iana.org/dnssec for more info. In order to ensure the security of the KSK, IANA utilises Hardware Security Modules (HSM) to generate the KSK pair of public and private keys, which in turn are used to sign the Zone Signing Key (ZSK), that itself is used to sign DNS records (RRsets) within a DNS zone. As it currently stands, both of these HSMs currently reside in high-security Key Management Facilities (KMFs) in the USA, with one facility located in Culpeper VA, and the other in El Segundo CA. Now, while the locations of these HSMs are highly secure, both of them are located on US soil. As most people who are familiar with redundancy, this is not a good idea for a number of reasons (which I won't go into detail here as it's outside the scope of this email). What we as a community MUST DO, is look at the relocation of one of these HSMs to an alternate country such as Singapore or Switzerland (regarded as two safe countries) to ensure the continued integrity of the Root KSK. Unfortunately, section 4.2(b) of the IANA Naming Function Contract (https://pti.cdn.icann.org/resources/151/IANA_Naming_Function_Contract.pdf) between the Internet Corporation for Assigned Names and Numbers (ICANN) and Public Technical Identifiers (PTI) that govern how IANA performs its functions prohibits the operation of functions outside of the US. Given that the Internet is one of the most critical pieces of global (and not just US-based) infrastructure, I feel that this section of the contract must be reviewed (and deleted or modified to allow for PTI to perform the functions from Singapore, Switzerland or another safe jurisdiction) to maintain the integrity of the Domain Name System. The Second IANA Naming Function Review Team (IFRT2) have released an initial draft report of its analysis, issues and recommendations which also incorporates a review of the Contract between ICANN and PTI. The IFRT2 have opened a public call for comments on the draft report, before they submit their Final Report to ICANN's Board of Directors which they expect to do before June this year. The Public Comment period closes for submissions on 28 April 2025 at 23:59hrs UTC, and I strongly encourage everyone to read the report and provide input regarding support to relocating one of the Key Management Facilities across the Pacific or Atlantic Oceans. To view the report and submit a comment, please go to https://www.icann.org/en/public-comment/proceeding/second-iana-naming-funct…. In order to submit a comment on the report, you will need an account on https://account.icann.org/. In closing, I cannot stress one thing enough - this is in no way speaks to the professionalism of ICANN's staff. The team at ICANN perform some of the hardest work out there, ensuring the integrity and stability of the Internet as we know it today and for that they cannot be thanked enough. This recommendation to move one of the KMFs overseas is simply to help protect it from potential political instability, bias, and to encourage neutralism. We're already doing it with the operation of the DNS Root Zone, let's take it one step further and strengthen the security of DNSSEC and the Root KSK. If you have any questions, please do feel free to ask, either on-list or off-list. Regards, Christopher Hawker

1 0