Paul Vixie on CircleID

Home

Blogs
Latest Recently Discussed Most Discussed Most Viewed
News
Latest Recently Discussed Most Discussed Most Viewed
Community
Recently Featured Most Featured Most Active Most Read Recent Members Top 100 Leaderboard Alphabetical View Random View Recent Comments
Industry
Latest Posts Most Viewed Leaderboard CircleID Members: .CO Internet .INFO .ORG .PW Afilias Architelos ARI Registry Services Cloud Registry dotMobi Dyn Inc. Hostway MarkMonitor Nominum Neustar Minds + Machines RegistryPro Sedari Verisign Zodiac Registry

Paul Vixie

Paul Vixie

Chairman and Founder, Internet Systems Consortium
Joined on September 17, 2003 – United States
Total Post Views: 466,049


	About


	Send Message


	RSS

Dr. Paul Vixie is Chairman and Founder of Internet Systems Consortium. He served as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He has served on the ARIN Board of Trustees since 2005, where he served as Chairman in 2008 and 2009, and is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC).

Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He is considered the primary author and technical architect of BIND 8, and he hired many of the people who wrote BIND 9 and the people now working on BIND 10. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, and of Sendmail: Theory and Practice (Digital Press, 1994). He earned his Ph.D. from Keio University for work related to the Internet Domain Name System (DNS and DNSSEC).

Except where otherwise noted, all postings by Paul Vixie on CircleID are licensed under a Creative Commons License.

Comments

Why Saving the NomCom Means Saving ICANN Itself

Comment posted Sep 16, 2012 8:56 am PDT — by Paul Vixie
I think that you've overstated the situation here: This has led to such fallacies as Board members being excluded from any (and all) Board-level new gTLD related conversation because at some point, they spoke to a prospective applicant. The concern…

End of the World/Internet on 31-March-2012?

Comment posted Feb 21, 2012 6:31 pm PST — by Paul Vixie
I asked. They said they use the root zone in "transfer mode". So the two largest public recursive DNS services, Google and OpenDNS, never send any queries to the name servers that the threat signed by Anonymous claims to plan…

Refusing REFUSED

Comment posted Jan 14, 2012 11:56 pm PST — by Paul Vixie
As to belief: I've always thought that good ideas were more compelling than famous people. It doesn't matter "which Paul Vixie" you believe, only that if you hear truth you recognize it and act on it, no matter where you…

Proposal on How SSL Certificate Industry Should Be Replaced Gains Some Momentum

Comment posted Oct 13, 2011 2:10 pm PDT — by Paul Vixie
The certificate authority system used by the web's e-commerce system is indeed weak. What's less certain is that it ought to be replaced by multiple approaches, one from Moxie, one from Google, and so on. The Internet Engineering Task Force…

Making Internet Faster: Google, OpenDNS and Others Announce Joint Effort

Comment posted Oct 03, 2011 4:54 am PDT — by Paul Vixie
Who wouldn't want to "make the internet faster"? I guess we all want that but we are not all agreed on the right approach. For example, if you run a DNS-based Content Delivery Network (CDN) which requires that you provide…

Taking Back the DNS

Comment posted Aug 05, 2011 2:55 am PDT — by Paul Vixie
does anybody know how the patent referred to here relates to DNS RPZ?

Alignment of Interests in DNS Blocking

Comment posted Jul 27, 2011 2:35 pm PDT — by Paul Vixie
During the years 1920 to 1933, the 18th Amendment to the U S Constitution banned the sale, manufacture, and transportation of alcohol. History records this as having been unsuccessful for all but the gangsters and bootleggers; any customer who wanted…

Comment posted Jul 27, 2011 6:20 am PDT — by Paul Vixie
At no time and in no way am I suggesting that the online world not be controlled. The canonical example is child abuse materials but there are plenty of other things which society ought to say "no" to when it…

New Top-Level Domains Approved by ICANN

Comment posted Jun 20, 2011 11:27 pm PDT — by Paul Vixie
Up to now we've had some pretty good textual clues built into the way humanity uses the web, like "if it starts with www it's probably something I can type into my web browser" and even "if it ends with…

Anycast, Unicast, or Both?

Comment posted Jun 13, 2011 9:15 pm PDT — by Paul Vixie
In Anycast DNS, Vincent Bernat has done some elegant lab work to show how to test and evaluate a mixed anycast/unicast DNS service environment. Kudos!

Using Domain Filtering To Effect IP Address Filtering

Comment posted Jun 11, 2011 12:29 am PDT — by Paul Vixie
Update: I added the Team Cymru fullbogons list to my personal RPZ using the same Perl conversion script that worked for the Spamhaus DROP and it works fine. I spoke to Rob Thomas of Team Cymru who thought it a…

Comment posted Jun 09, 2011 10:54 pm PDT — by Paul Vixie
To convert from Spamhaus DROP "lasso" format into RPZ format you will need a conversion utility similar to this.

Comment posted Jun 09, 2011 10:13 pm PDT — by Paul Vixie
Paul - how is your view further substantiated (or not) in an IPv6 world where IPs are nearly limitless? What changes do you foresee with respect to spam filtering in this world? I can share three perspectives on this. First,…

Anycast, Unicast, or Both?

Comment posted Jun 03, 2011 4:41 pm PDT — by Paul Vixie
Lest we drift too far into tangental discussions, the topic of the article is whether there is a risk management case to be made for mixing in some unicast servers in an otherwise anycasted infrastructure. My response to that so…

Comment posted Jun 03, 2011 4:00 pm PDT — by Paul Vixie
Now it is true that the anycast routing network will be under management and the operator may be able to detect the unreachability issue and correct for it, but that can be argued for the unicast approach as well. The…

Comment posted Jun 03, 2011 2:29 pm PDT — by Paul Vixie
i wrote, in the original article i tried to make it clear that anycast was not my idea and that i am not claiming inventor or first-use credit: Anycast was first used in commercial production by Rodney Joffe in 1997…

Comment posted Jun 01, 2011 9:49 pm PDT — by Paul Vixie
Since an anycast domain has more responders the probability that a part of the network is down will actually increase under anycast. if a system requires N elements in order to function properly then as N increases reliability will decrease. …

Comment posted Jun 01, 2011 6:01 pm PDT — by Paul Vixie
over on www.v6.facebook.com where i posted a tickler toward this blog post, there has been some technical quibbling. for example: Is fast ping times to a host that returns bad answers (or which takes its sweet time generating good answers)…

Experts Urge Congress to Reject DNS Filtering from PROTECT IP Act, Serious Technical Concerns Raised

Comment posted May 29, 2011 2:13 pm PDT — by Paul Vixie
Hallam-Baker's response demonstrates several misconceptions. 1. On Split DNS. When I consulted with the authors of RFC 1597 (so, in 1994 or so) on the two DNS related paragraphs of their "Operational Considerations" section I knew full well that split…

On Mandated Content Blocking in the Domain Name System

Comment posted May 19, 2011 6:47 pm PDT — by Paul Vixie
First to implement more or less the mechanism I outlined in this blog post: dot-bit. Hopefully they will publish metrics (number of names, number of unique IP's, number of hits per day) soon.

Whois Scared?

Comment posted Mar 22, 2011 6:35 am PDT — by Paul Vixie
"the more you tighten your grip, the more address users will slip through your fingers." It's not my grip or APNIC's grip or ARIN's grip. The Internet is a cooperative system and the cooperators have instituted a system of self…

On Mandated Content Blocking in the Domain Name System

Comment posted Mar 20, 2011 6:27 pm PDT — by Paul Vixie
for some reason we single out the domain name as requiring a public record of the party associated with the address. Because internet infrastructure is a public resource allocated by a public process for public benefit. Your other examples (Facebook…

Comment posted Mar 20, 2011 6:42 am PDT — by Paul Vixie
The need to make one's contact information public has a chilling effect on those who want to set up a personal domain which promotes views that offend people in their locality who might be willing to ostracise, lynch or execute…

Comment posted Mar 20, 2011 4:04 am PDT — by Paul Vixie
If our aims with law enforcement are to locate and prosecute the people involved ... Let's find out what our aims with law enforcement ought to be. They've come in and asked for accurate Whois and rapid domain takedowns and…

Comment posted Mar 20, 2011 3:25 am PDT — by Paul Vixie
"Trust" no one, always verify. No. Where the context is Child Abuse Materials I won't be verifying reports of same. The world's police forces have special training and auditing for this; I do not. I used InterPol as my example…

Comment posted Mar 20, 2011 12:41 am PDT — by Paul Vixie
You and I both know all to well that "universal naming" is defined by the client's two DNS server IP settings, nothing more or less. Of course. On the Internet, cooperation takes the form of following a certain convention. Proof…

Comment posted Mar 19, 2011 10:49 pm PDT — by Paul Vixie
Since we're now at the stage where different people are using words differently and then arguing about those differences, I'll make sure the record is clear. … I-DNS has been a great success, having China select them sure did not…

Comment posted Mar 19, 2011 9:33 pm PDT — by Paul Vixie
I think you agree with this, don't you? Indeed, you've described my motives for creating both the original RBL back at MAPS for SMTP reputation, and now the DNS RPZ here at ISC for DNS reputation. Private right of action…

Comment posted Mar 19, 2011 8:52 pm PDT — by Paul Vixie
I understand that some people believe "information wants to be free" and want nothing to do with any measure that seeks to reduce Internet piracy. So leave that aside. I want to make sure that the record shows just how…

Comment posted Mar 19, 2011 8:11 pm PDT — by Paul Vixie
How does one define "success" as the centralization of a system designed to be decentralized? You can decentralize your connectivity either as an information producer or an information consumer. You cannot decentralize allocation functions where uniqueness is required. I define…

Comment posted Mar 19, 2011 7:16 pm PDT — by Paul Vixie
Want to kill COICA for good? That's easy: Just help organize an effective, voluntary system to addresses the problem of criminal behavior on the Internet, and COICA doesn't need to happen. COICA already doesn't need to happen. If every time…

Comment posted Mar 19, 2011 7:03 pm PDT — by Paul Vixie
Many sovereign governments have “escaped control” using I-DNS, they did this because of the arrogance imposed upon by refusal to support their decade of request for IDN TLD support. I-DNS has not succeeeded, as witnessed by the continued pressure on…

Whois Scared?

Comment posted Mar 02, 2011 6:56 pm PST — by Paul Vixie
Paul, thank you for correcting my error as to the nature of proposal #96. My jet lag must have been worse than I thought; I was going by my memory of what was presented in the room, whereas the online…

DEFCON 1 Status at ICANN

Comment posted Apr 27, 2010 10:38 pm PDT — by Paul Vixie
doug's been great to work with and he will be missed.

Perspectives on a DNS-CERT

Comment posted Mar 23, 2010 4:36 pm PDT — by Paul Vixie
Systems created those other (SSH, DHCP, etc) protocols are unilateral or bilateral, whereas DNS creates a multilateral interdependent system. the folks at CERT/CC and Mitre are great at what they do but it is not this. To protect a system…

Not a Guessing Game

Comment posted Jul 27, 2008 3:28 pm PDT — by Paul Vixie
If you upgraded your BIND9 to one of the -P1's and you're still seeing "POOR" from "dig porttest.dns-oarc.net in txt" then it's either because you still have "query-source" set to a single port in your named.conf (in which case your…

Comment posted Jul 17, 2008 3:34 pm PDT — by Paul Vixie
Could you please tell me is the Dan's DNS protocol vulnerability applies to the following scenario? ... ... then the router must surely be fully vulnerable to the worst of whatever Dan has in store for us. yes and no.…

Comment posted Jul 17, 2008 2:23 pm PDT — by Paul Vixie
While I know in some circles it is considered a fun sport to bash ICANN, asserting ICANN doesn't have the political will to see the root signed is both wrong as well as somewhat insulting to the folks at IANA…

Comment posted Jul 17, 2008 2:10 am PDT — by Paul Vixie
While ISC is totally ready and willing to cooperate with ICANN on the root zone demo David mentioned, that demo is of technology, not political will, and is therefore somewhat off-topic. I want the real root zone signed with a…

Comment posted Jul 16, 2008 1:44 pm PDT — by Paul Vixie
I've learned from Level(3), operators of 4.2.2.1 and 4.2.2.2, that they will be rolling out UDP port randomization well in advance of Dan's August 6 BlackHat talk, but it's not an overnight process owing to the largeness of their anycast…

Comment posted Jul 16, 2008 1:30 pm PDT — by Paul Vixie
He has known of this Hole for years and also knew what needed to be done to fix it. That grossly mischaracterizes both the current situation and my position. While I've been writing about holes like this since 1995, I…

Comment posted Jul 15, 2008 6:15 pm PDT — by Paul Vixie
Does securing zone transfers with TSIG eliminate the need for the BIND upgrade? Or does TSIG just mitigate the NAT issue after upgrading? TSIG is used for updates and zone transfers, and is absolutely secure against spoofing, as long as…

Comment posted Jul 15, 2008 6:13 pm PDT — by Paul Vixie
Once again, for the "for dummies" crowd, if the vendor doesn't do anything, are there any countermeasures we can easily employ today? run the test ("dig porttest.dns-oarc.net in txt") and if it doesn't report either GOOD or FAIR, call your…

Comment posted Jul 15, 2008 3:30 pm PDT — by Paul Vixie
Just to be clear, would regular clients (Macs, Windows, Linux) behind a NAT firewall (e.g. a Netgear, Linksys or similar routers used for sharing a network connection) be vulnerable if they have DNS set to a non- vulnerable external server…

Social Networking and Web 2.0 Creating DNS Performance Issues for Carriers

Comment posted Mar 07, 2007 4:21 pm PST — by Paul Vixie
Mr. Tovar wrote: "A BIND server can only handle so much DNS traffic before it starts behaving erratically, dropping packets, requiring frequent restarts as well as more hardware." I know of no way to get the behavious Tom describes. There…

Reporting To God

Comment posted Mar 28, 2006 10:24 pm PST — by Paul Vixie
"It did not reassure me to learn that until 1995, one of the thirteen root servers was kept by an engineer named Paul Vixie in his garage at home in Palo Alto. He later moved it to Stanford to a…

Putting Multiple Root Nameserver Issue to Rest

Comment posted Feb 24, 2006 7:38 am PST — by Paul Vixie
My only interest was to find out how a company accomplished their technical achievements. ...It would seem like a relative easy matter to design an algorithm that would automatically search these other DNSs automatically so that I don't have to…

Comment posted Feb 24, 2006 4:54 am PST — by Paul Vixie
"If I won't let Milton Mueller put words in my mouth, why would I ask Joe Baptista to do so? Never mind — rhetorical question — "I would not.'' I always thought and still think that UNIDT/UnifiedRoot/name-of-the-week were pirates, and…

A Further Look Into ORSN

Comment posted Oct 10, 2005 11:16 pm PDT — by Paul Vixie
Ouch. Did he really say that I really said that? Quoting Mr. Mueller: "Vixie's endorsement of Open Root Server Network (ORSN) is based on explicitly political criteria." First off, I don't endorse, or use ORSN. I support this project but…

Why I Am Participating in the ORSN Project

Comment posted Oct 10, 2005 10:33 pm PDT — by Paul Vixie
I'm afraid that Milton Mueller likewise did not make the list of agents or spokesman for me, and so when he claims that "In essence, Paul Vixie is saying is that he is willing to risk splitting the root for…

Comment posted Oct 04, 2005 9:31 pm PDT — by Paul Vixie
Simon Waters asks: ``Say tomorrow ICANN decides for "security" reasons to redelegate ".ir" to the Pentagon, with no public explanation. If ORSN forks the root at this point, will Paul still support it, even those his daughter now gets two…

Comment posted Oct 04, 2005 9:22 pm PDT — by Paul Vixie
JFCM says "1. what Paul says: there is only one single name space. But that single name space may be much more complex than the mono-Internet presupposes it is." What we've got here is a failure to communicate. JFCM can…

Comment posted Oct 03, 2005 8:15 pm PDT — by Paul Vixie
Jothan Frakes' comments show the same inability to distinguish between name spaces and server sets that Joe Baptista and others have shown. ORSN is not merely "working with the current IANA", they are committed to it. According to their FAQ:…

Comment posted Oct 03, 2005 6:17 pm PDT — by Paul Vixie
In no particular order, here's my reaction to the various notes so far. Mr. Baptista is not my spokesman, and if I have inadvertently left out some of the piratical and foolish alternate namespaces such as UNIDT and New.Net then…

Putting Multiple Root Nameserver Issue to Rest

Comment posted Sep 30, 2005 11:56 pm PDT — by Paul Vixie
As a long time supporter of the universal namespace operated by IANA, it may come as a surprise that I have joined the Open Root Server Network project. I'll try to explain what's going on and what it all means.…

ICANN Needs a Good Root

Comment posted Jul 17, 2005 7:10 pm PDT — by Paul Vixie
I never said I didn't want two or more roots at the same time, I just said that DNS isn't designed for that and that it won't work. What I want, or what anybody wants, doesn't enter into it, unless…

U.S. Government to Retain Oversight of the Internet's Root Servers

Comment posted Jul 12, 2005 7:15 am PDT — by Paul Vixie
I'm not gloating. I don't like the current situation at all, and the fact that this had to be a "battle" with winners/losers demonstrates some weaknesses in the design of DNS. The article you're referring to is not my defense…

.NET Bid Contenders

Comment posted Jan 20, 2005 12:11 am PST — by Paul Vixie
There's an important distinction being missed by this article. Where it says "Core++ is ISC, Telfonica, and .br, with participation from Core, Nida (.kr), and .zaDNA (.za)", it's important to note that ISC is not a member of CORE or…

Sender ID: A Tale of Open Standards and Corporate Greed? - Part II

Comment posted Sep 02, 2004 8:08 pm PDT — by Paul Vixie
This whole debate is silly. There will never be a universal standard for e-mail authorship verification, no matter what IETF MARID or Microsoft do. Let a thousand flowers bloom. SPF works. Jim Miller's MAIL-FROM (which I documented here) works. Domain…

Sender ID: A Tale of Open Standards and Corporate Greed? - Part I

Comment posted Sep 02, 2004 8:05 pm PDT — by Paul Vixie
This whole debate is silly. There will never be a universal standard for e-mail authorship verification, no matter what IETF MARID or Microsoft do. Let a thousand flowers bloom. SPF works. Jim Miller's MAIL-FROM (which I documented here) works. Domain…

An Interview with the Lead Developer of SPF - Part I

Comment posted Jun 30, 2004 2:41 pm PDT — by Paul Vixie
I'm surprised and pleased to learn that the SPF folks were aware of my work (MAIL-FROM) in this area. I would like to correct two misimpressions, and share an observation. First, MAIL-FROM always used what Meng Weng calls the "return…

Techies Wanna Do Policy

Comment posted May 21, 2004 5:54 am PDT — by Paul Vixie
Karl is smart enough to know the difference between an A RR and an NS RR, so his apparently-deliberate mincing of those terms mystifies me. Any network owner can control their own DNS simply by ensuring that their clients all…

Paul Vixie on Fort N.O.C.'s

Comment posted Feb 06, 2004 3:36 am PST — by Paul Vixie
Karl wrote: > Again you are confusing the limited oversight that the State of > California applies to non-profits with the degree of oversight that > the internet community deserves to ensure that DNS roots are operated > in the…

Comment posted Feb 05, 2004 7:39 pm PST — by Paul Vixie
Karl wrote: > California does not stop you from shutting down, or selling out to > Microsoft, or from offering discriminatory grades of service. Actually, they would. Internet Systems Consortium, Inc. is a nonprofit public benefit corporation and if the…

Comment posted Feb 05, 2004 6:00 am PST — by Paul Vixie
Karl, I think I made it pretty clear who held the obligations in this case. Every root server operator has a local constituency who is quite influential in its own community. Since you've already heard that answer, I'll go into…

Topic Interests

DNS, Domain Names, Spam, Cyberattack, Top-Level Domains, Internet Governance, Security, Registry Services, Regional Registries, Cybercrime, ICANN, DDoS, Policy & Regulation, IP Addressing, Whois, Censorship, DNS Security, Access Providers, Email, IPv6, Malware, Law, Multilinguism, Cybersquatting, Web

Recent Blogs

DNS Firewalls In Action - RPZ vs. Spam

Jan 03, 2013
Comments: 0
Views: 5,094

DNS Changer

Mar 27, 2012
Comments: 6
Views: 68,551

Refusing REFUSED

Jan 11, 2012
Comments: 3
Views: 13,134

DNS Policy is Hop by Hop; DNS Security is End to End

Jan 02, 2012
Comments: 1
Views: 8,241

The Myth of the Unintended Infringer in SOPA and PIPA

Dec 19, 2011
Comments: 0
Views: 6,997

View More

Popular Posts

DNS Changer

Mar 27, 2012
Comments: 6
Views: 68,551

Taking Back the DNS

Jul 30, 2010
Comments: 133
Views: 51,496

Not a Guessing Game

Jul 14, 2008
Comments: 41
Views: 43,596

Why I Am Participating in the ORSN Project

Oct 01, 2005
Comments: 27
Views: 35,996

Putting Multiple Root Nameserver Issue to Rest

Jun 28, 2005
Comments: 18
Views: 31,014

Managed Hosting
by Hostway

DNS & DDoS Protection
by Neustar

Sections: Home | Featured Blogs | News Briefs | Industry Updates | Topics | Community
RSS Feeds, Email Updates, Mobile Edition and More: CircleID Extras
About: About CircleID | Media Coverage | CircleID Blog | Contact | Advertising Programs
Terms & Policies: Codes of Conduct | Privacy Policy | Terms of Use

Copyright © 2002-2013 CircleID. Iomemo Inc. All rights reserved unless where otherwise noted.
Local Time: Thursday, May 23, 2013 07:19 AM PDT – Page Load: 0.7595 Sec.