Re: [dane] Behavior in the face of no answer?

Ondrej Mikle <ondrej.mikle@nic.cz> Thu, 10 May 2012 06:51 UTC

Return-Path: <ondrej.mikle@nic.cz>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11D3E21F85D1 for <dane@ietfa.amsl.com>; Wed, 9 May 2012 23:51:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KjzEWUPpJbGY for <dane@ietfa.amsl.com>; Wed, 9 May 2012 23:51:50 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) by ietfa.amsl.com (Postfix) with ESMTP id 41EF721F85BB for <dane@ietf.org>; Wed, 9 May 2012 23:51:49 -0700 (PDT)
Received: from [192.168.0.100] (ip-94-113-0-21.net.upcbroadband.cz [94.113.0.21]) by mail.nic.cz (Postfix) with ESMTPSA id 763A913F868; Thu, 10 May 2012 08:51:48 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nic.cz; s=default; t=1336632708; bh=xWuukibK1BT3kK5dxL23J/Ryu5jZUn4xLqqK9+s/7C0=; h=Message-ID:Date:From:MIME-Version:To:CC:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=aTDp3g1B3vt4hL+YwH+7+WsNYTyfk5S8N0gLT1KqRW+fKRoHvMmmqc3MhIa6OP3w9 LKbMhOXWmCgahLJfkHs73sAtbK+1fQ1v9GUBW3G5jI3f8AV0Yz0hE0HNfIhpk8Qa2P ywZ2z5RM7BKVZMotWC0u/cpW05YaCUfa7nUSTwOI=
Message-ID: <4FAB6583.7080903@nic.cz>
Date: Thu, 10 May 2012 08:51:47 +0200
From: Ondrej Mikle <ondrej.mikle@nic.cz>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: Tony Finch <dot@dotat.at>
References: <20120504023602.GA4683@mail.yitter.info> <CABcZeBO93n_C5detefBcOjAoswe2inGKDj65gQPDQmREyGnhAw@mail.gmail.com> <20120504112922.GB4929@mail.yitter.info> <CABcZeBPTTa07iUHo9XL5WrHGMYHwaQzs6xYtiF25O4Jek8E3RQ@mail.gmail.com> <20120504144426.GD4929@mail.yitter.info> <CABcZeBOM_0L42Rng75AsVda9u4G=FH8=OB8Qg=nQpL-BzRoBuQ@mail.gmail.com> <3FF36EBA-F8B1-4D66-BA00-E8E36A7E449D@kumari.net> <CABcZeBP2iRLa76rSXu4A0OwFxP=tqK1ShZ6wv=6wnaEC6uad+w@mail.gmail.com> <CAMfhd9XYS=9SGotCTwa7NJU4L8WFys2rDVsQZxn4a0wz+NxS3Q@mail.gmail.com> <6015A12B-8CA9-426B-9AFF-32CD4211DAB5@vpnc.org> <20120504165311.GB7394@mail.yitter.info> <4FA5D178.8030405@nic.cz> <alpine.LSU.2.00.1205082043010.17365@hermes-2.csi.cam.ac.uk>
In-Reply-To: <alpine.LSU.2.00.1205082043010.17365@hermes-2.csi.cam.ac.uk>
X-Enigmail-Version: 1.4.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: clamav-milter 0.96.5 at mail
X-Virus-Status: Clean
Cc: dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 May 2012 06:51:51 -0000

On 05/08/2012 09:46 PM, Tony Finch wrote:
> Ondrej Mikle <ondrej.mikle@nic.cz> wrote:
>>
>> From the ongoing scan, out of 70M currently finished .com domains,
>> SERVFAILs appeared for ~8.6M distinct domains.
> 
> We're running validating resolvers and we haven't noticed that level of
> failure. What proportion of authoritative servers with working DNSSEC
> return SERVFAIL for what QTYPEs?

The scans finished; here is a breakdown of what those SERVFAILs represented.
Short summary: As I expected, most of the domains are most likely
parked/unmaintained/speculative (by some whois queries, still SERVFAIL etc.).
Thus there is no reason for an admin to care about them - that also means users
won't ask for them either.

Total amount of .com domains scanned: ~102M

1. SERVFAILs due to NS fetch failed and other RRs failed (disjoint)
     10114651 - NS fetch failed - the scanner skips the domain altogether
      2373284 - unique count of domains with SERVFAIL for at least one other RR
     12487935 total

2. NS fails on FQDNs contained in Alexa/Quantcast TOP 1M
      19574 alexa
      26087 quantcast

3. Unique domain count with at least one SERVFAIL for non-NS RR present in
Alexa/Quantcast TOP 1M
     18977 alexa
      6017 quantcast

The errors from "valuable/important" domains seemed transient (just a bad time to
ask, probably). We'll still redo the SERVFAILs once/twice more.

Another (maybe interesting) common "weird pattern" is using 127.0.0.1 or 0.0.0.0
for A targets. I'm guessing those are domains used for development (so that it
connects to the developer's machine). Can anyone think of another reason?

Apart from the above, there is definitely more brokenness. Mostly various
corner cases not explicitly/exhaustively covered by RFCs (though rare in numbers).

Ondrej Mikle
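As an added illustration (not the author's scanner, nor any code posted to the list), the following Python reproduces the two classification steps the message describes: the disjoint SERVFAIL breakdown, where a domain whose NS fetch fails is skipped altogether and a domain counts at most once however many other RRs fail, and the flagging of A targets that point at loopback or the unspecified address. It also generalizes the second check to AAAA targets (`::1`, `::`) via `ipaddress`. The `DomainResult` record, the `SAMPLE_RESULTS` data and the `TOP_LIST` stand-in for Alexa/Quantcast are all constructed here; per-domain rcode strings are assumed to come from a resolver that reports `NOERROR`/`SERVFAIL` per qtype.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DomainResult:
    """One scanned domain: rcode of the NS query, rcode per other qtype, A/AAAA targets.

    Constructed record layout for this example, not the scanner's own format.
    """
    name: str
    ns_rcode: str                                   # rcode of the NS query
    rr_rcodes: dict = field(default_factory=dict)   # qtype -> rcode for non-NS RRs
    a_targets: list = field(default_factory=list)   # A/AAAA addresses, if any


# Constructed sample results (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_RESULTS = [
    DomainResult("ok-example.com", "NOERROR", {"A": "NOERROR", "MX": "NOERROR"}, ["203.0.113.10"]),
    DomainResult("nsfail-example.com", "SERVFAIL"),                      # NS fetch failed: skipped
    DomainResult("mxfail-example.com", "NOERROR", {"A": "NOERROR", "MX": "SERVFAIL"}, ["203.0.113.20"]),
    DomainResult("twofail-example.com", "NOERROR", {"A": "SERVFAIL", "MX": "SERVFAIL"}),
    DomainResult("loopback-example.com", "NOERROR", {"A": "NOERROR"}, ["127.0.0.1"]),
    DomainResult("zero-example.com", "NOERROR", {"A": "NOERROR"}, ["0.0.0.0", "198.51.100.7"]),
    DomainResult("v6loop-example.com", "NOERROR", {"AAAA": "NOERROR"}, ["::1", "2001:db8::1"]),
]

# Constructed stand-in for an Alexa/Quantcast top list.
TOP_LIST = {"mxfail-example.com", "nsfail-example.com", "ok-example.com"}


def _other_rr_servfail(r):
    """True if at least one non-NS RR for this domain returned SERVFAIL."""
    return any(rc == "SERVFAIL" for rc in r.rr_rcodes.values())


def servfail_breakdown(results):
    """Disjoint counts: NS fetch failed vs. SERVFAIL on at least one other RR."""
    ns_failed = 0
    other_rr_failed = 0
    for r in results:
        if r.ns_rcode == "SERVFAIL":
            ns_failed += 1          # domain skipped altogether, never reaches the other bucket
            continue
        if _other_rr_servfail(r):
            other_rr_failed += 1    # counted once per domain, not once per failing RR
    return {"ns_failed": ns_failed,
            "other_rr_failed": other_rr_failed,
            "total": ns_failed + other_rr_failed}


def top_list_failures(results, top_list):
    """Same two buckets, restricted to domains present in a top list."""
    ns = sorted(r.name for r in results
                if r.name in top_list and r.ns_rcode == "SERVFAIL")
    other = sorted(r.name for r in results
                   if r.name in top_list and r.ns_rcode != "SERVFAIL" and _other_rr_servfail(r))
    return {"ns_failed": ns, "other_rr_failed": other}


def suspicious_a_targets(results):
    """Map domain -> addresses that are loopback or unspecified (v4 or v6)."""
    flagged = {}
    for r in results:
        bad = []
        for addr in r.a_targets:
            ip = ipaddress.ip_address(addr)   # handles both A and AAAA literals
            if ip.is_loopback or ip.is_unspecified:
                bad.append(addr)
        if bad:
            flagged[r.name] = bad
    return flagged


if __name__ == "__main__":
    print(servfail_breakdown(SAMPLE_RESULTS))
    print(top_list_failures(SAMPLE_RESULTS, TOP_LIST))
    print(suspicious_a_targets(SAMPLE_RESULTS))
```

The `continue` after the NS-failure branch is what keeps the two buckets disjoint, so the `total` line matches the sum the message reports; without it a domain that failed NS and also had stale per-RR data could be counted twice.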