Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-03.txt
Jaap Akkerhuis <jaap@NLnetLabs.nl> Mon, 29 November 2004 12:20 UTC
Received: from darkwing.uoregon.edu (root@darkwing.uoregon.edu [128.223.142.13]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA12140 for <dnsop-archive@lists.ietf.org>; Mon, 29 Nov 2004 07:20:51 -0500 (EST)
Received: from darkwing.uoregon.edu (majordom@localhost [127.0.0.1]) by darkwing.uoregon.edu (8.12.11/8.12.11) with ESMTP id iATAgSmn000932; Mon, 29 Nov 2004 02:42:28 -0800 (PST)
Received: (from majordom@localhost) by darkwing.uoregon.edu (8.12.11/8.12.11/Submit) id iATAgS0b000931; Mon, 29 Nov 2004 02:42:28 -0800 (PST)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [213.154.224.1]) by darkwing.uoregon.edu (8.12.11/8.12.11) with ESMTP id iATAgPvE000908 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT) for <dnsop@lists.uoregon.edu>; Mon, 29 Nov 2004 02:42:26 -0800 (PST)
Received: from open.nlnetlabs.nl (localhost [127.0.0.1]) by open.nlnetlabs.nl (8.13.1/8.13.1) with ESMTP id iATAgDOi007896; Mon, 29 Nov 2004 11:42:14 +0100 (CET) (envelope-from jaap@open.nlnetlabs.nl)
Message-Id: <200411291042.iATAgDOi007896@open.nlnetlabs.nl>
To: dnsop@lists.uoregon.edu
cc: Rob Austein <sra@isc.org>
Subject: Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-03.txt
In-reply-to: Your message of Fri, 19 Nov 2004 16:58:05 -0500. <20041119215805.37460418A@thrintun.hactrn.net>
Date: Mon, 29 Nov 2004 11:42:13 +0100
From: Jaap Akkerhuis <jaap@NLnetLabs.nl>
X-Spam-Status: No, score=-5.8 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00 autolearn=ham version=3.0.1
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on open.nlnetlabs.nl
Sender: owner-dnsop@lists.uoregon.edu
Precedence: bulk
Reply-To: Jaap Akkerhuis <jaap@NLnetLabs.nl>
Executive Summary Although I think that most of it is fine, I have an issue with section 2.9, "Queries for domain names resembling IP addresses". I fear the recommendation(s) in 2.9.1 will create more problems then they will solve. Therefore I propose to drop this section. Details: Section 2.9 makes the observation that the root servers receive a lot of queries, which are actually IP numbers and notes that it would be desirable that these queries won't end up at the root servers at all. Therefore it is suggested that (1) ... implementors consider the option of synthesizing Name Error responses at the iterative resolver. The server could claim authority for synthesized TLD's corresponding to the first octet of every possible IP address, e.g. 1., 2., through 255. This behavior could be configurable in the (probably unlikely) event that numeric TLDs are ever put into use. or that (2) ... root servers delegate these domains to separate servers which are currently already delegated the in-addr.arpa zones corresponding to RFC 1918 for the AS 112 "black hole" project. Suggestion (1): I consider it a bad idea that resolvers synthesize answers for some class of specific names as suggested in (1), it is simply not in the dns specifications. Making configurable in case numerical become existing is not a good idea, because when they do, it will be difficult, if not impossible, to have the configurations of all caching forwarders changed timely and consistently whenever this needs to be done. Suggestion (2): This means the root server operators change the root zone data on their own, bypassing the usual channels. Also: - The observation in 2.9 concentrates on ipv4 like addresses used as names, but that is just a subset of the problem that too many queries end up where they don't belong. There are other ones, such as queries for ".localdomain" and I won't be surprised that ipv6 like addresses are showing up as well. - Using technical tricks as suggested tolerates misbehaving resolvers or bad configuration issues and thereby removes the motivations of getting these things fixed. Where will this stop? - If these solutions are going to adapted be anyway, there might be impact on DNSSEC, which will require further study. So, in conclusion, I ask the Section 2.9 be dropped from the document. Although the problem is real, the recommendations to fix it create more problems then it tries to solve. jaap . dnsop resources:_____________________________________________________ web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
- [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-03.t… Rob Austein
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Rob Austein
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Pekka Savola
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Andras Salamon
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Ólafur Guðmundsson
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Suzanne Woolf
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Pekka Savola
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Rob Austein
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Suzanne Woolf
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Mark Andrews
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Jakob Schlyter
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Jaap Akkerhuis
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… J-F C. (Jefsey) Morfin
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Peter Koch
- [dnsop] Re: WGLC on draft-ietf-dnsop-bad-dns-res-… Stephane Bortzmeyer
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Kevin Darcy
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… JINMEI Tatuya / 神明達哉
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Peter Koch
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Olaf M. Kolkman
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… Ted Lindgreen
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… David Meyer
- Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-… JINMEI Tatuya / 神明達哉