HELP: Decomissioning a DNS anti-spam list

Ronald F. Guilmette rfg at monkeys.com
Sat Mar 20 23:45:07 UTC 2004


In message <3464.1079746032 at gromit.rfc1035.com>, 
Jim Reid <jim at rfc1035.com> wrote:

>    Ronald> I have _very little_ bandwidth at my disposal, and now I
>    Ronald> need to reclaim that bandwidth for other purposes.  But
>    Ronald> these ongoing queries are sucking up more than half of the
>    Ronald> meager bandwidth that I have.
>
>Tough. You made your bed. Now you have to lie in it. If you start a
>some service, it's your responsibility/problem to provide sufficient
>resources to support the demand for that service.

Forever?

Gee!  I wish someone had warned me that when I registered a domain name,
I effectively enslaved not only myself, but also my children's children's
children to the service of that domain name!

In short, do you ever even think about what you are saying and/or the
implications thereof?  Do you realize how ridiculous what you just said
is?

I'm sorry, but I just don't happen to share your view that people should
be forever after enslaved to the subdomains they created, e.g. last year
or last millennium.

>    Ronald> *.relays.monkeys.com. IN NS localhost.monkeys.com.
>
>This won't work. I doubt if anyone understands what a wildcard NS
>record means.

My name server understood them just fine.  But that doesn't matter, because
you're right, that approach didn't work, and I am trying something else now.

>    Ronald> So can anybody help me with this?  There has GOT to be
>    Ronald> some way of de- commissioning a zone such that further
>    Ronald> queries against the zone will not be a huge burden on _my_
>    Ronald> bandwidth.  I just need somebody to tell me what it is.
>
>Either get more bandwidth or bring in someone who has got enough
>bandwidth to host your DNS zones.

No thanks.  I have no interest in doing either.

But I'll keep you in mind, for the future, in case I ever need any more
sage advice about how I should be spending my money.

>    Ronald> Or is this impossible?  Is the design of the DNS protocol
>    Ronald> so ill-conceived as to make this kind of decommissioning
>    Ronald> impossible?
>
>The DNS is not ill-conceived.

Well, I am even more convinced now than I was when I asked that question
that it is.

There is no established mechanism or protocol in DNS to say ``This (sub-)
domain no longer exists.  Go away now, and don't ever ask me for any more
information about it, ever.''

You may not view that as a problem, but I do.

I tried to delegate my former anti-spam zones/subdomains off into oblivion,
but other name servers elsewhere seem to have completely ignored that
attempt.  My guess is that they ignored my attempts at delegating because
``oblivion'' (i.e. some non-answering IP address) failed to confirm that
yes, it _was_ now the authoritative name server for the zones that I have
been trying to decommission.

And other name servers elsewhere refused to just simply take my (glue
records?) word for it.  If they didn't get confirmation of who was
now authoritative from the non-answering addresses that I had tried to
NS the zones to, then they would all just keep on coming back and asking
_my_ name server for info... which was the whole bleedin' problem.

>You can't do anything to stop the rest of the internet making queries
>for these domain names.

I wouldn't mind if they only queried once a week per zone.  That would
be OK.

As of an hour ago however, a lot of other name servers elsewhere were
querying these ``dead'' zones about once every 50 milliseconds or so.
And that was quite an annoyance.

I have changed things now so that hopefully, those other name servers
will only make one query per week per IP address that they want to
query about, but even that is rather less than optimal.  Better would
be if I could say to them ``Here is a generic answer for EVERY query
that you want to make about ANYTHING and EVERYTHING in this zone, and
oh!  By the way, this generic answer itself has a 1 week TTL.''


>You could "delegate" relays.monkeys.com to localhost.monkeys.com. ie:
>
>	relays.monkeys.com.	2592000 IN NS localhost.monkeys.com.
>	localhost.monkeys.com.	2592000 IN A  127.0.0.1

Been there, done that.  It didn't help.

>You've painfully learned an important lesson. Domain names last
>forever. They live in places like search engine databases, browser
>bookmarks, address books, stationery, software configurations and so
>on long after the names are supposed to have died.

That's all true, and yes, there's no real way to totally expunge all
mentions of a given (sub-)domain name from the whole Internet.  However
given that THAT problem exists, and is unavoidable, the real problem is
that the DNS has no way... clean or otherwise... of decommissioning
domains and/or sub-domains (or zones or sub-zones) in a way that
minimizes further queries against those domains or zones.

Another way of saying this is that DNS ``wildcard'' records are never
themselves transmitted over the wire.  They are just a convenient sort
of notation that gets interpreted on the local name server ONLY.  In
other words, if I have:

	*.relays.monkeys.com.	IN	A	127.0.0.2

in my local zone files, and if some other specific name server elsewhere
wants to know about both:

	87.43.122.128.proxies.relays.monkeys.com
and:
	101.7.35.201.proxies.relays.monkeys.com

then that other (remote) name server will necessarily have to send me _two_
separate queries and it will have to receive back (and separately cache)
_two_ different answers from my name server (for the two different queries).

If the actual wildcard record itself could go over the wire, then the
multiple queries and responses in a case like this could be collapsed
into one, and it would then be one hell of a lot easier to decommission
old (sub-)domains and/or old zones.
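The point made in the message above about wildcards being expanded per query, not shipped over the wire, can be seen in code. What follows is an added illustration, not something from the original post or from BIND: a toy zone modelled on the names in the post, a minimal authoritative lookup that applies the RFC 1034/4592 wildcard rules (exact match first, then the wildcard at the closest existing ancestor, with an existing name blocking the wildcard below it), and a toy caching resolver. The zone contents, the 1-week TTL on every answer, the 1-week negative-cache TTL and the `test.relays.monkeys.com` name are all assumptions made for the example.

```python
"""Added example (not from the post): a wildcard is synthesised per QNAME,
so two distinct list entries cost a resolver two queries and two cache entries."""

ONE_WEEK = 604800                    # seconds; the 1-week TTL the post wants on every answer
APEX = "relays.monkeys.com."          # assumed apex of the decommissioned list zone

# Constructed toy zone, keyed by owner name -> [(type, rdata), ...].
# The SOA rdata is abbreviated; only its presence matters here.
ZONE = {
    APEX: [("SOA", "ns.monkeys.com. hostmaster.monkeys.com. 2004032001 ...")],
    "*." + APEX: [("A", "127.0.0.2")],             # catch-all "listed" answer
    "test." + APEX: [("TXT", '"assumed test point"')],  # an ordinary, non-wildcard name
}


def normalise(name):
    """Lower-case and make fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parent(name):
    """Strip the leftmost label: 'a.b.c.' -> 'b.c.'; the root stays the root."""
    if name == ".":
        return "."
    rest = name.split(".", 1)[1]
    return rest if rest else "."


def name_exists(zone, name):
    """True if NAME is an owner name or an ancestor of one (an empty non-terminal)."""
    return name in zone or any(owner.endswith("." + name) for owner in zone)


def closest_encloser(zone, qname):
    """Longest existing ancestor of QNAME (RFC 4592 terminology)."""
    name = parent(qname)
    while name != "." and not name_exists(zone, name):
        name = parent(name)
    return name


def lookup(zone, qname, qtype):
    """Authoritative answer for QNAME/QTYPE: (rcode, [(owner, ttl, type, rdata), ...])."""
    qname = normalise(qname)
    if qname != APEX and not qname.endswith("." + APEX):
        return "REFUSED", []                       # not our zone
    if qname in zone:                              # exact match wins over any wildcard
        return "NOERROR", [(qname, ONE_WEEK, t, r) for t, r in zone[qname] if t == qtype]
    if name_exists(zone, qname):                   # empty non-terminal: exists, no data
        return "NOERROR", []
    wildcard = "*." + closest_encloser(zone, qname)
    if wildcard in zone:                           # synthesise: the owner becomes QNAME itself
        return "NOERROR", [(qname, ONE_WEEK, t, r) for t, r in zone[wildcard] if t == qtype]
    return "NXDOMAIN", []


def dnsbl_name(ip, list_zone="proxies." + APEX):
    """DNSBL query name for an IPv4 address: octets reversed under the list's zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("expected a dotted-quad IPv4 address")
    return ".".join(reversed(octets)) + "." + list_zone


class Resolver:
    """Toy caching resolver: one upstream query per distinct (qname, qtype) until the TTL expires.
    The wildcard never reaches it; it only ever sees per-name answers."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}            # (qname, qtype) -> (expires_at, rcode, rrs)
        self.upstream_queries = 0

    def resolve(self, qname, qtype, now):
        key = (normalise(qname), qtype)
        hit = self.cache.get(key)
        if hit and hit[0] > now:
            return hit[1], hit[2], True            # served from cache
        self.upstream_queries += 1
        rcode, rrs = lookup(self.zone, qname, qtype)
        ttl = rrs[0][1] if rrs else ONE_WEEK       # assumed: negative answers cached 1 week too
        self.cache[key] = (now + ttl, rcode, rrs)
        return rcode, rrs, False


def demo():
    """Two listed IPs from the post: two upstream queries, two cache entries, then cache hits."""
    r = Resolver(ZONE)
    names = [dnsbl_name("128.122.43.87"), dnsbl_name("201.35.7.101")]
    for n in names:
        r.resolve(n, "A", now=0)
    for n in names:
        r.resolve(n, "A", now=3600)                # an hour later: no new upstream queries
    return r.upstream_queries, len(r.cache)


if __name__ == "__main__":
    print(lookup(ZONE, dnsbl_name("128.122.43.87"), "A"))
    print(demo())
```

Running it shows the synthesised answer carrying the queried name as its owner, and `demo()` returning `(2, 2)`: each distinct name costs its own query and its own cache slot, which is exactly why a catch-all record cannot shrink the query load the way the post wishes it could. The `foo.test.relays.monkeys.com` case also shows the other half of the wildcard rules: an existing name blocks the wildcard beneath it, so adding a real name under a wildcard silently reopens NXDOMAIN responses there.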

