Everybody Resolves this Domain but Us.

Simon Waters Simon at wretched.demon.co.uk
Sat Jul 20 16:32:52 UTC 2002


Chris Davis wrote:
> 
> This is the exact same problem I had with the IP address NS RDATA discussed
> on this list in the last few days.  Bad NS RDATA is passed with an answer.
> If you cache it, you look to be the broken one.
> 
> How much money and time needs to be expended on a problem before the
> software should prevent it?

Quite a lot of people use more NS records at the child level
than they register with the parent; I think this is a far bigger
problem, as they often don't understand the lack of redundancy.
At least one of the organisations bidding for the ".ORG" domain
had its own domain hanging onto the net by a single DNS server.

So perhaps when we all have signed zones the parents will be
able to safely drag the data from children (à la stub zones);
then when an admin gets it wrong his entire zone will break
completely, rather than just for the second query from anywhere,
and he will need to fix it.

I think the problem with a direct software fix is that you create a
chicken-and-egg situation: I can't load this zone as the name
servers for it aren't working, but I need to load the zone in
order for them to get a copy. We've already discussed that
throwing the apparently wrong data away just creates more work
for the servers which are correctly configured.

Of course for domains with incorrect NS records, it rapidly
becomes apparent that something is wrong, so mostly it is only
the quiet backwaters of the net that have completely broken
delegation; the busy sites soon get complaints.

Far more practical is to ask "why don't admins check their
delegation?" I find delegation information on the "UK" second
level domains is changed to be incorrect every couple of months,
so DNS monitoring is vital in my opinion for both functionality
and security reasons.

Anyway, the only DNS problem that I hit this week in my own
surfing is that PSI.NET's name servers are all on the same network
(AS147), so they Microsoft'ed me. How many times do we need to
have this problem before people take it seriously? Perhaps we
ought to modify BIND such that it checks that at least one name
server is on a separate AS number; that would sort out the men
from the mice ;)
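The two delegation checks the post argues for (does the child's NS set match what the parent actually delegates, and do the delegated servers sit in more than one network) as an added, stand-alone example. This is not code from the post, from BIND or from anyone on the list: the zone name, server names, addresses and the use of a /16 prefix as a stand-in for "same AS" are all constructed for illustration, since a real AS lookup needs routing data or whois, and the script runs offline on the embedded sample.

```python
"""Delegation consistency checks (added example, not from the post or BIND).

Checks two of the failure modes discussed on the list:
  1. the NS RRset at the child zone apex differs from the one the parent
     hands out in the delegation (extra child-only servers give resolvers
     following the delegation no redundancy at all);
  2. every delegated server lives in the same network, so one routing or
     provider failure takes the whole zone off the net.
All names, addresses and prefixes below are constructed sample data.
"""
import ipaddress

# Constructed sample: NS RRsets as returned by the parent (delegation)
# and by the child zone's own apex. Not real data.
PARENT_NS = {"ns1.example.org.", "ns2.example.org."}
CHILD_NS = {"ns1.example.org.", "ns2.example.org.", "ns3.example.org."}

# Constructed addresses for each server (documentation ranges).
NS_ADDRS = {
    "ns1.example.org.": "192.0.2.10",
    "ns2.example.org.": "192.0.2.20",
    "ns3.example.org.": "198.51.100.5",
}


def normalize(name: str) -> str:
    """Lower-case and make absolute so 'NS1.Example.org' == 'ns1.example.org.'."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def compare_delegation(parent_ns, child_ns):
    """Return (only_in_parent, only_in_child) as sorted lists of server names.

    only_in_parent: servers the parent delegates to that the child does not list.
    only_in_child:  servers the child advertises that the parent never hands out.
    """
    parent = {normalize(n) for n in parent_ns}
    child = {normalize(n) for n in child_ns}
    return sorted(parent - child), sorted(child - parent)


def distinct_networks(addrs, prefixlen=16):
    """Group addresses into /prefixlen networks and return the set of networks.

    The prefix length is an assumed stand-in for AS membership; a real check
    would map each address to its origin AS from routing data.
    """
    nets = set()
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        nets.add(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
    return nets


def check_zone(parent_ns, child_ns, addrs, prefixlen=16):
    """Run both checks; empty lists and single_network == False mean healthy."""
    only_parent, only_child = compare_delegation(parent_ns, child_ns)
    # Only servers the parent actually delegates to count towards redundancy.
    delegated = [addrs[n] for n in map(normalize, parent_ns) if n in addrs]
    nets = distinct_networks(delegated, prefixlen)
    return {
        "only_in_parent": only_parent,
        "only_in_child": only_child,
        "delegated_networks": sorted(str(n) for n in nets),
        "single_network": len(nets) < 2,
    }


if __name__ == "__main__":
    for key, value in check_zone(PARENT_NS, CHILD_NS, NS_ADDRS).items():
        print(f"{key}: {value}")
```

With the sample data the script reports ns3.example.org. as present only at the child, and flags the delegated servers as all being in one /16. To run it against a live zone you would fill PARENT_NS from the NS records the parent's servers return for the delegation, CHILD_NS from the child's own apex, and NS_ADDRS from the servers' A/AAAA records, then replace the prefix grouping with a proper address-to-AS mapping.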


More information about the bind-users mailing list