There has been a lot of talk recently about DNS amplification attacks (with prominent news reports of high bandwidth attacks targeted at anti-spam services, cloud providers, financial institutions, etc). These are a class of denial of service attack that use DNS servers to emit large amounts of traffic onto unsuspecting victims. The attackers use the forged source addresses of their victims to send a large stream of queries to the DNS servers, and this results in a much larger stream of responses being sent from those DNS servers back to the victim computers - with the aim of overwhelming them or their network connections. Although the DNS servers employed in the attack can become adversely impacted, the primary target of the attacks are the computers whose addresses are being forged.

“I tend to think of IPv6 & DNSSEC both a little bit like global warming … something that is developing kind of slowly … they’re both inevitable, it’s a just a question of how long it’s going to take” – Paul Mockapetris.

My colleague Deke Kassabian posted an older photo of the Philly skyline (that I’d taken a number of years ago) on his Facebook page. So I thought I’d post a more recent set. Since I try not to use Facebook, I’ve posted the set to my Google Plus page instead.

A few notes from last month’s IPv6 deployment panel at the Fall Internet2 Member Meeting in Philadelphia, which I moderated (October 2nd 2012). Watch the entire video of the session (1 hour 15 minutes) for full details.

DNSSEC is a system to verify the authenticity of DNS data using public key signatures. With increasing deployment of DNSSEC comes the possibility of applications using the DNS to store and retrieve TLS/SSL certificates in an authenticated manner. And possibly obviating the need for public/global certification authorities (CA), and empowering domain owners to issue their own certificates instead.

At the recent Joint Techs conference, our host Stanford University arranged a lunch time tour of the Stanford Linear Accelerator Center (SLAC) for a small group of attendees. I signed up early as I knew it was going to popular with this crowd. SLAC is a 50 GeV electron-positron accelerator operated by Stanford on behalf of the US Dept of Energy.

The World IPv6 Launch website has compiled a set of measurements at http://www.worldipv6launch.org/measurements/. I’ll take a quick look at some of them here, with a focus on universities.

We have two job openings at the University of Pennsylvania for Network Engineers.

I’ve been working on a DNS and DNSSEC monitoring project, which is available at

World IPv6 Launch (June 6th 2012) is fast approaching, so I thought I’d share some details about IPv6 deployment at the University of Pennsylvania and what we’ve recently done to prepare for this event.

A quick history

Some data from a quick analysis of the contents of the University of Pennsylvania’s primary DNS zone (upenn.edu):

I’m teaching two half day classes on IPv6 and DNS/DNSSEC at the LOPSA PICC conference (Professional IT Community Conference), being held May 11-12, 2012 in New Brunswick, NJ. This is a regional IT and system administration conference run by the New Jersey chapter of the League of Professional System Administrators (LOPSA).

A colleague on her office door, has a picture of a famous New Yorker cartoon, in which one dog says to another, “I had my own blog for a while, but I decided to go back to just pointless incessant barking”. Well, I finally decided to join the barking classes! Let’s see if it lasts ..