Welp that answers a lot of why all .ml are down

Renewal costs are my primary consideration when picking domains. Subscription fees is how your money disappears when you're not looking.

That's an assumption that lemmy will quit federating with a server that does not match.

And what signature are we talking about anyway? Is not certificates...

Domain registration ≠ internet security. Root of trust is in cryptographic keys, not domains. DNS is not the security cornerstone you make it out to be. PKI says hi!

I think Microsoft and Google have both done it, but what do they know? 🤣

I'm aware. Using it for something like this is stupid.

wow I didn't even know that was a thing! This is useful to know, thanks :D

Commies punching the air right now

They should check if .cia is open if they're want to switch over to something more fitting.

Highly doubtful much of anything majorly sensitive got leaked. Firstly even unclassified DoD emails are encrypted by default. Secondly anything classified isn't even on a network that can talk to normal email, it's either 100% point to point encrypted or on an airgapped network. If I hopped on SIPR (DoD Secret-level internet) and emailed a normal email address it simply wouldn't work.

AFAIK, lemmy.ml and lemmygrad.ml use it because the ml can also stand for "Marxist-Leninist", and the two primary maintainers of Lemmy are Marxist-Leninists . Not sure about the others though.

I think it's because ML is a popular shorthand for 'Marxist-Leninist' since they mostly seem to be communist servers

It was free

I'm guessing because it's sort of an alliteration on lemmy?

So they can support Russia by proxy.

It was free, and anonymous I guess

Thanks for answering. I figured it was a registrar thing. How bad do you think the situation will be for other .ml domains?

I'm guessing fmhy.ml was using Freenom but lemmy.ml and lemmy.ml were using a different domain registrar, hence the situation right now.

I never liked TLDs that are from random islands

I remember reading somewhere that Tuvalu gets like 10% of their entire yearly income from Twitch.

I now pronounce Twitch as Twitch dot Tuvalu, but I get weird "huh?"s when I say it like that.

If the communities you like to read and post to are down, then Fediverse is effectively down for you. Thus it doesn't offer any additional resilience, it's not a P2P system.

I feel like communities are the bigger problem here. And not one that's easily solved.

If users from multiple instances come together in communities, those communities are still centralized on a single server. So if something happens to that server, or if your instance defederates with it, the whole community goes with it.

The alternative would be to have tons of duplicate communities spread over many instances, but that's a bad user experience.

At this stage in the game, I'm not even sure how to evaluate the trustworthiness of instances. Which also applies to the one I'm currently on. I'd like to assume everything is good, but admins do have power that can be abused, like visibility of IP addresses, access to accounts, access to passwords (reusing passwords is bad but especially don't do it here and certainly don't use the same password for your email associated with your account).

Facebook abused those powers (zuck even bragged about being able to see everyone's passwords, emails, private messages, pictures), so did Reddit (though more with shadow banning or quietly removing/restoring posts).

Fediverse instances are just run by random people as far as I can tell. I'm sure there's some that should absolutely be avoided and I'm sure that there's some that are perfectly fine. But I don't have a clue how to determine which list about specific instance is in, otherwise I'd love to join someone's small instance.

Edit: oh and that only goes into whether the admin is acting in good faith or intends to be abusive. Then there's the question of whether the admin is competent enough to run a server without it getting pwnt and giving others access to that same information and capabilities.

the problem is most users fear that if they choose a small instance, that it goes down random more likely and their account and everything else is gone. if you choose a bigger instance it feels less likely that the admin of the instance just says fuck it and kills the server random for whatever reason.

as long accounts can't be easy transfered and are maybe even safe somehow without their instance, people will choose the instance that feels the most secure to them. and when i looked at the available instances.. most looked not really long term secure. most did look like they are random ideas of people and they could vanish any second into the void. so i as an example did choose lemmy.world. seemed the most safe option with the best features (nsfw allowed, a lot of users and a big instance)

Does that really scale though? The load on a server is not dependent on the number of users, but on the number of communities from other server that the sum of user is subscribing to.

Which means if you have a server for 100 users, you still need to pay for the 1000s giant communities that those users are subscribing to, as they are being copied over in your server.

So if you have a few mega server like Lemmy.world, they each pay say 10000£ in hosting a month (number taken out of my hat), which is fine because they have as many users that can contribute to it financially ( via donations, ads etc.). But small servers won't be able to support that load and will ultimately close.

That sounds like a design flaw if you ask me but i did not see anyone mentioning it so maybe i'm misunderstanding.

I'm on it 😁, well at least one little instance more (just gotta make the email stuff work, over OVH if I can do that).

Because DNS is the user-facing part of the whole system. There is plenty of trouble with everything else, but you usually don't see that as a user. Also it's a hierarchical system with big providers/governments handing out and taking back names as they see fit, so there is always the possibility to get screwed.

Because it's the least-likely position to be staffed by a company. It's the "least important" person to have.... until it breaks. Often a company relies on routing-switching engineers to do DNS instead of hiring a dedicated DDI engineer (DNS, DHCP, IPAM). It saves money in the short term, but when shit hits the fan... no one knows how to fix it because DNS is really easy until it's not. DNS is super simple at a basic level. But it goes way deeper than most people realize.

Because its always DNS

Also, if you're genuinely interested in this field, first you should enter the world of enterprise network engineering. Get Security +, CCNA, and PCNSA. With those certs in hand (and knowledge in your brain), apply to jobs as a network support engineer. Do the work for a few years. Learn BIND. Learn Infoblox. Focus on learning DHCP and subnetting. Learn DNSSEC & IPv6. Experiment with a Pi Hole. Set up a home lab. Apply to jobs with DNS. Start living the good life. This takes about 10 years if you learn fast and are good at interviews.

Ah, thanks for the info! I have no idea how Lemmy stuff works. I only became aware of Lemmy last month.

Friday I was doing a zone transfer! What are the odds?

A zone transfer is like moving houses, except for an authoritative zone.

In DNS, we have what's called an authoritative zone. That means the device hosting the "resource records" (all the data that DNS passes around) is the "ultimate" answer. I.e, it's not cached data. It's not a hosts file. It's not a recursive answer. It's the real deal.

When you want to move the authoritative zone to another server, you do a "zone transfer" that means the new server will copy all the resource records over TCP from current authoritative zone. The reason you may want to do this instead of manually hand-jamming it is that many large organizations have, sometimes, hundreds of resource records (last month I coordinated a zone transfer that was over 1000 records!).

There are several problem with this including total lack of SSL without the proper cert for that other domain, also Lemmy.ml's IP seems to be running a reverse proxy so the internal IP that we would want to connect to is not visible to the world this is common for web security, the owners must set allowed domains and ports in their config file.

If none of that was a problem Lemmy itself does not do well with changing domains, as highlighted here: https://lemmy.nrd.li/comment/190200

1. Yes. Unless there's some kind of crazy domain-level hi-jinks involved with Lemmy (I am not versed in Lemmy), pointing directly to the IP will work if you bypass it by spoofing your DNS (Hosts file, for example).
2. I don't know how Lemmy federation works, sorry :(
3. See #2

Sorry that I couldn't answer more of your questions.

An alternative DNS root is where someone other than IANA sets up a root zone. At the end of the day, root zone authority is technically not "hard coded". It's a terrible idea to set up an alt root or to use one for these reasons:

1. Security. This is the biggest one. DNSSEC works via setting up Trust Anchors with the root zone and chaining down the tree all the way to the recursive DNS server. DNSSEC doesn't work if anyone in there doesn't have a trust anchor for the root zone. Additionally, if that root zone is untrustworthy, you can effectively have DNS poisoning happen at the root level. Imagine having two google.com's based on which root zone (and therefore walking two separate trees) you ask.
2. It encourages dividing the internet. The two largest Alt zones are Russia's (RNDNS) and China's (.chn). RNDNS exists as a continuity plan in case the rest of the world decides to cut them off of the internet. China's is part of a hare-brained plan to "reinvent the internet under IPv9" (an idiotic plan that sounds even more crazy than Iran's supposed "quantum computer")
3. Pointing to a different root zone can cause a lot of headaches for diagnosing DNS issues when they aren't coming down from the same root zone. It can cause different answers (and a parallel tree).

To answer your second question, they are not good for acting as a way to mitigate DNS failures. No domain servers are going to be asking them in the first place, meaning no one can get there even if it does have the "correct" answer. If all 13 root servers went down simultaneously, the results would be catastrophic. But that's also why they're physically located around the world in many different countries in heavily secure facilities with many High-Availability servers (clone servers that instantly take over if there's a failure, the ultimate "hot" server)

You wouldn't want to have a DNS server ask two root zones anyway. If it can't reach the root zones, then that needs to be addressed. You can't just ask a "less secure" server in case the primary doesn't work. That's just begging for a security breach via cutting off access to the primary root zones so that they "fail over" to the less secure ones.

The ".com" and ".org" and all other Top Level Domains are owned/controlled by some organization.

Com and org are your original TLDs, so since they were around first you see them everywhere. At some point countries got their own TLDs so Mali got "ml" for example but Tuvalu got "tv". (Yes, technically ".tv" has nothing to do with television.) And a few years back there was open bidding for a bunch of new TLDs which is where ".sport" or ".dentist" come from.

Anyone some entity owns/controls them and then can sell any word or domain under it. So if you want "greatgatsby.com" you have to talk to the ".com" owners. If you want "greatgatsby.sport" you talk to the ".sport" owners. Usually there is another company or agreement that groups these together so you can manage all your domains in one place.

So anyways now you own a domain like "greatgatsby.sport", what do you want to host? Mail at "mail.greatgatsby.sport"? A website at world wide web aka "www.greatgatsby.sport"? Up to you.

Over time, largely by convention "www" became where you put your website.

From there you have two options, you can setup a redirect from "http://greatgatsby.sport" to "http://www.greatgatsby.sport" or you can do a little hosting "trick" and just make "http://greatgatsby.sport" return your website.

To answer your other question: most likely, www.cakefarts.com is now accessible from cakefarts.com for one of three reasons:

1. Your web browser automatically checks the A record "www" if "cakefarts.com" doesn't have an A record. A records are the records in a DNS server that says "this domain goes here"
2. The site cakefarts.com put their website on cakefarts.com and placed a CNAME record called "www" that points to cakefarts.com
3. cakefarts.com has an APEX record that points to www.cakefarts.com

For the 'record', www is just a really common record name. There's nothing special about it. You could have dudebro.cakefarts.com or wwwwwww.cakefarts.com. It's up to the domain owner.

They paid a huge amount of money to get a TLD

Companies don't/can't sell TLD's. Only IANA can decide those. When the internet first started, .org, .net, .com etc. were handed out to non-profit organizations and the costs were purely to keep the servers running. Eventually though, when IANA decided to hand out country codes like .io (Indian Ocean), .cat (Catalonia) or .tv (Tuvalu), those countries rent their "desirable" names to private organizations that sell domain registrations for lots of money. In 2013, IANA decided to enact the gTLD auctions to help raise more money. Basically, if you wanted to (and had a lot of money & DNS engineers on staff), you could register any TLD you want provided you were willing to make a large donation to IANA. If someone else wanted it, they had to go into an action war over it. That's how we ended up with things like .party or .sport or .world cough Now-a-days, if you want a TLD, you'd have to convince IANA to give you one.... But good luck with that. They won't give you one unless you're some major corporation that can actually handle it. They also just don't give them out. Usually it's only when they really feel like more TLD's are needed. It's a very serious responsibility and mismanagement could accidentally DDOS a DNS root zone & impact the internet.

I can answer this. The organization that says mali owns .ml gives the ownership country a lot of sway.

So if the country of mali were to reach out formally to the organization and say "hey this domain violates our laws" they would take that very seriously and then work with the registrar & authoritative nameserver owner to handle the situation.

I'm sure this isn't 100% accurate but 90-95 based on my work in a web hosting company

So here's the thing about TLD's, ownership of them is determined by IANA (Internet Assigned Numbers Authority). They're basically my career's gods. If they tell me to jump, I ask "how high". They control the DNS root zone. Effectively, that's the actual top-level of ALL domains. If they decide to remove a TLD or reassign it, all you can do is lodge a complaint straight to their shredder. They're owned and operated by ICANN, a non-profit organization.

Back in 2013, Mali allowed a private Netherlands company to "manage" (rent) their TLD, .ML Recently, that company (Freenom) got sued by Meta. Even though I don't really like Meta, as a network engineer, I don't like Freenom even more. They turn a blind eye to bad actors on the internet, refuse to investigate hackers/scammers/DDOSers, and generally refuse to play ball. They are a huge pain in the ass. Due to the lawsuit, IANA reassigned ML to Mali since they asked for it. At the end of the day you "cant" sell a country-level TLD. Mali was renting it to Freenom under the table. This happens a lot and IANA usually just looks the other way. .io for example is the freakin' Indian Ocean.

So yeah, Mali didn't "snatch" it. They just asked IANA to reassign it and there isn't shit Freenom can do about it since they never "really" owned it in the first place.

So copy/paste the text for your snapshot, and link to the original.

Also, modern tools are getting pretty good at dealing with text embedded in images. It isn't ideal but this partially mitigates a large concern (accessibility). Rather than complaining about people taking screenshots maybe pressure should be placed on the screenshot tools, and image formats, to better capture the raw text exactly and embed it as extra data along with the image.

Yeah, this is the correct way, because posts often become inaccessible.

..except when the image hoster suddenly dies and 10000s of Screenshots suddenly vanish from the internet and all howto's etc are killed by it

If you can post an image, you can post text, right?

Copy/pasted text stays with time too and doesn't have the issues that pictures of text do. Also hosted images disappear all the time.

And then play that video on your screen, take a video of that screen with your phone while shaking the phone around and mumbling over the audio, and upload that phone video to TikTok.

It’s less sketchy if you pay for a domain through a reputable registrar

Indeed... you never really purchase a domain. It's definitely more of a lease. And that's any tld.

Indeed.

Imagine if this had happenned to a centralized system like Reddit...

The lawsuit points to a 2021 study (PDF) on the abuse of domains conducted by Interisle Consulting Group, which discovered that those ccTLDs operated by Freenom made up five of the Top Ten TLDs most abused by phishers.

Oof. Also what a bizarre landscape where this comes out in 2021 and the only action on it is a private corporation personally suing them over a year later. Where's ENISA and EC3?

Wait, is it actually Feeenom's fault? Isn't it from whatever the server the malicious actions comes from?

For example I use one of their domains along with a Digital Ocean droplet, and I used it briefly to increase my seeding ratio by portforwarding my Qbittorrent port, after several months I got a letter from DO (which is amusing because my country couldn't care less about torrenting lol) which I think is correct, I don't think this is Feeenom's fault.

Doesn't hurt! You can always make another account.

Yea, they managed to get it back at some point but it was under external control with close to no benefit for them for a long time!

They reclaimed many domain rights and are now renting them out for big money, yeah. They were still scammed off by many.

The US and UK build a military base and established it with that ages ago so I am not surprised the current population is fine with it but they expelled the original population to do so! :/

That's not actually true, the guy who made them originally was from the west and those countries didn't contribute because they had no chance of any digital infrastructure yet but top level country domains use caracters from the correspinding countries name and those are all determind in the same way so you essentially use their name without their permission or based on scetchy and scummy legally binding agreements!

That seems really dumb given the technical aspects as well as the purpose of domains.

Overall a sketchy company. The most nefarious of their practices is seizing the "free" domains they give away when it becomes popular.

could have looked around this post or googled instead of being rude and being a lazy fuck

This hadn't even occurred to me. I saw it as millilitre!