Re: Should a nameserver know about itself?
Bruce Campbell <bruce.campbell@apnic.net> Fri, 11 May 2001 00:52 UTC
Received: from nic.cafax.se ([192.71.228.17]) by ietf.org (8.9.1a/8.9.1a) with SMTP id UAA10875 for <dnsop-archive@odin.ietf.org>; Thu, 10 May 2001 20:52:03 -0400 (EDT)
Received: by nic.cafax.se (8.12.0.Beta5/8.12.0.Beta5) id f4B0Ok9i011980 for dnsop-outgoing; Fri, 11 May 2001 02:24:46 +0200 (MEST)
Received: from guardian.apnic.net (guardian.apnic.net [203.37.255.100]) by nic.cafax.se (8.12.0.Beta7/8.12.0.Beta5) with ESMTP id f4B0OgLt011975 for <dnsop@cafax.se>; Fri, 11 May 2001 02:24:44 +0200 (MEST)
Received: (from mail@localhost) by guardian.apnic.net (8.9.3/8.9.3) id KAA25014 for <dnsop@cafax.se>; Fri, 11 May 2001 10:24:37 +1000 (EST)
Received: from julubu.staff.apnic.net(192.168.1.37) by int-gw.staff.apnic.net via smap (V2.1) id xma025012; Fri, 11 May 01 10:24:28 +1000
Received: from localhost.staff.apnic.net ([127.0.0.1]) by julubu.staff.apnic.net with esmtp (Exim 3.22 #2) id 14y0jN-000Cb1-00 for dnsop@cafax.se; Fri, 11 May 2001 10:24:29 +1000
Date: Fri, 11 May 2001 10:24:27 +1000
From: Bruce Campbell <bruce.campbell@apnic.net>
X-Sender: bc@julubu.staff.apnic.net
To: dnsop@cafax.se
Subject: Re: Should a nameserver know about itself?
In-Reply-To: <2362.989512735@brandenburg.cs.mu.OZ.AU>
Message-ID: <Pine.BSF.4.21.0105110935470.48377-100000@julubu.staff.apnic.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-dnsop@cafax.se
Precedence: bulk
On Thu, 10 May 2001, Robert Elz wrote: > From: Bruce Campbell <bruce.campbell@apnic.net> > > | Right. Now that we've gotten that out of the way, can anyone suggest a > | *reliable* test for verifying that a nameserver is responding ( which is > | seperate from verifying that a nameserver is authoritatively serving a > | given zone ) > > There have been some suggestions for that, but ... why??? Part of it is how we *currently* deal with delegation requests. We verify each attribute (domain, nameserver) before verifying the whole request, ie: domain: 220.219.218.in-addr.arpa domain->validate() returns true if domain name is 'correct' nserver: ns1.example.com nserver: ns2.example.com nserver->validate() returns true if nameserver is considered to be 'responding'. ( each attribute validate() method doesn't have the 'full' delegation request on hand, so currently nserver->validate() can't directly test the domain on the given nameserver. ) So, our current implementation of nserver->validate() is flawed, because, as has been pointed out, a nameserver doesn't *need* to know about itself, ( Personal opinion is that is *should* know about itself, as most of the cases we've seen where a nameserver doesn't know about itself have been broken in other ways ) > If you don't know any zone that a server is supposed to be serving, why > would you ever care if it has a DNS server on it or not? (Unless it is > supposed to be your local back end resolver I suppose, but I doubt that is > the case you're concerned with). One of the future projects is an ongoing reverification of delegations within our space. The caching of nameserver good/bad results is considered a good thing, and this caching was intended to be done in the above nserver->validate method. > So, just check if it serves the zone that you're being asked to delegate. After we redo the code, this is what we'll be doing. The nserver->validate() check will get reduced to seeing if the data supplied actually resolves as a hostname (or its a valid IPv{4,6} address). > itself, ...). The only real point in distinguishing is to give a better > reason to supply for refusing to do the delegation. Currently we reject on: non-authoritative SOA mismatches across supplied nameservers NS listing mismatches across supplied nameservers (both what they supply and whats in the actual zone file) Unfortunately, we don't have any tests to reliably produce: '*ERROR* Nameserver boggle.example.com appears to be running version bar of software foo. This is broken as it does not correctly implement feeping-creaturism #34693. Try again with better software.' ;) -- Bruce Campbell <bruce.campbell@apnic.net> +61-7-3367-0490 Systems Administrator APNIC
- Re: Should a nameserver know about itself? Mats Dufberg
- Should a nameserver know about itself? Bruce Campbell
- Re: Should a nameserver know about itself? Randy Bush
- Re: Should a nameserver know about itself? bert hubert
- Re: Should a nameserver know about itself? Nathan Jones
- Re: Should a nameserver know about itself? Mark.Andrews
- Re: Should a nameserver know about itself? Mark.Andrews
- Re: Should a nameserver know about itself? Bill Woodcock
- Re: Should a nameserver know about itself? Robert Elz
- Re: Should a nameserver know about itself? Mans Nilsson
- Re: Should a nameserver know about itself? Randy Bush
- Re: Should a nameserver know about itself? Mans Nilsson
- Re: Should a nameserver know about itself? Cathy Murphy
- Re: Should a nameserver know about itself? Cricket Liu
- Re: Should a nameserver know about itself? Kenneth Porter
- Re: Should a nameserver know about itself? Robert Elz
- Re: Should a nameserver know about itself? Cathy Murphy
- Re: Should a nameserver know about itself? Robert Elz
- Re: Should a nameserver know about itself? Bill Manning
- Re: Should a nameserver know about itself? Robert Elz
- Re: Should a nameserver know about itself? Olaf Kolkman
- Re: Should a nameserver know about itself? itojun
- Re: Should a nameserver know about itself? James Raftery
- Re: Should a nameserver know about itself? Shane Kerr
- Re: Should a nameserver know about itself? Cricket Liu
- Re: Should a nameserver know about itself? Bruce Campbell
- Re: Should a nameserver know about itself? Jim Reid
- Re: Should a nameserver know about itself? Mark.Andrews
- Re: Should a nameserver know about itself? Mats Dufberg
- Re: Should a nameserver know about itself? bert hubert
- Re: Should a nameserver know about itself? Jim Reid
- Re: Should a nameserver know about itself? Peter Koch
- Re: Should a nameserver know about itself? Peter Koch
- Re: Should a nameserver know about itself? Sam Trenholme
- Re: Should a nameserver know about itself? Robert Elz
- Re: Should a nameserver know about itself? Sam Trenholme
- Re: Should a nameserver know about itself? James Raftery
- Re: Should a nameserver know about itself? Bruce Campbell
- Re: Should a nameserver know about itself? Sam Trenholme
- Re: Should a nameserver know about itself? Mats Dufberg
- Re: Should a nameserver know about itself? Mans Nilsson
- Re: Should a nameserver know about itself? Jim Reid
- Re: Should a nameserver know about itself? Kenneth Porter
- Re: Should a nameserver know about itself? Mats Dufberg
- Checks performed during delegation. Bruce Campbell
- Re: Checks performed during delegation. Mats Dufberg
- Re: Should a nameserver know about itself? D. J. Bernstein
- Re: Should a nameserver know about itself? Shane Kerr
- Re: Should a nameserver know about itself? bert hubert
- Re: Should a nameserver know about itself? Robert Elz
- Re: Should a nameserver know about itself? Bruce Campbell
- Re: Should a nameserver know about itself? Bill Manning
- Re: Should a nameserver know about itself? D. J. Bernstein
- Re: Should a nameserver know about itself? Robert Elz
- Re: Should a nameserver know about itself? Robert Elz
- Re: Should a nameserver know about itself? Shane Kerr
- Re: Should a nameserver know about itself? Mark.Andrews
- Re: Should a nameserver know about itself? George Michaelson
- Re: Should a nameserver know about itself? Bruce Campbell
- Re: Should a nameserver know about itself? D. J. Bernstein
- Re: Should a nameserver know about itself? James Raftery
- Re: draft-durand-ngtrans-dns-issues-00.txt Jim Reid
- Re: draft-durand-ngtrans-dns-issues-00.txt Robert Elz