<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFCC" text="#000000">
<br>
<div class="moz-cite-prefix">On 08/01/13 14:19, Timothe Litt wrote:<br>
</div>
<blockquote cite="mid:50EC1CFC.9000103@acm.org" type="cite">
<blockquote type="cite">1. Should ISC change the default logging
for lame servers to disabled?
<br>
</blockquote>
<br>
Well, since you asked: the lame server logging goes back to when
the internet was a small, collegial place and one wrote a quick
note to a friend to fix these issues. And people who accidentally
had a lame server were embarrassed. Those days, sadly, are gone.
<br>
<br>
The current logging only tells the victim why a query failed; it's
pretty much useless unless troubleshooting a persistent, impactful
problem. And at that point, it's easy enough to turn on for the
duration. So I'd vote for disabled - and the ability to enable for
resolution of queries to specific domains/nameservers via rndc for
troubleshooting.
<br>
<br>
What I think would be more useful is if named actually reported
the issues to where they'd do some good. Perhaps a DNS extension
"I got an invalid message from you" - so it shows up in the log of
the server (and administrator) with the problem. (I'd worry about
denial of service, though if the server is in fact lame, it's not
providing service - at least to that zone. Abuse of the
reporting mechanism is the main risk, and avoiding it would take
some careful engineering.)
<br>
</blockquote>
If you have a lame server, my guess is that the logs of that server
are never looked at; rather, the server is neglected completely,
forgotten. The place to talk to is the next level up: they should
probably stop referring to the lame server and might be the people
caring about whether their web site is reachable.<br>
It has been seen a number of times that, say, 5 servers have been
delegated to and only 3 of those actually answer; the other 2 were
there for "historical reasons" (nobody knew why, so better not
change).<br>
<blockquote cite="mid:50EC1CFC.9000103@acm.org" type="cite">
<br>
Or, perhaps logged to a 'troubled' list of nameservers like the
email RBL blacklists. People don't like being on 'bad citizen'
lists, so if that list sent the whois registered technical contact
for the domain an e-mail once a week in addition to making the
list public... maybe some shame would work. But it's probably a
dream. And there'd be a lot of fingers pointed at client
firewalls...
<br>
<br>
Since choice 2 is out-of-band, it would be a lot easier to put in
place - if someone (ISC?) volunteered to host the list...
<br>
<br>
In general, logging is most useful when the data goes to someone
who can do something about it. Logging at the victim is useful
for isolating a problem - but if no-one is actually
troubleshooting (and won't), it's largely wasted.
<br>
<br>
DNSSEC is another area where issues need to be forwarded to the
source, not the victim.
<br>
<br>
That's my 3 cents.
<br>
</blockquote>
Up to a Dime.<br>
<blockquote cite="mid:50EC1CFC.9000103@acm.org" type="cite">
<br>
<br>
<br>
<pre wrap="">_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
</pre>
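The thread's point is that a lame-server log entry at the resolver only helps if it reaches the people who control the delegation (the "next level up"). The following added example, which is not from the thread, from ISC or from BIND, parses BIND 9's "lame server resolving ... (in 'zone'?): server#port" message wording and aggregates the entries per delegated zone and per nameserver, so an operator can see at a glance which delegations have servers that never answer and whom to contact. The log lines, the timestamp and category prefix, and the threshold in worst_zones() are constructed assumptions for the example.

```python
"""Aggregate BIND 9 'lame server' log lines per delegating zone.

Added example, not the thread's or ISC's own code: it parses the message
body BIND 9 emits in the lame-servers logging category and summarises,
per zone, which delegated nameservers answered non-authoritatively, so the
report can go to the zone's operator rather than sit in the resolver log.
"""
import re
from collections import defaultdict

# Constructed sample log lines. The timestamp/category prefix is an
# assumption about the local logging channel; the 'lame server resolving'
# message body is BIND 9's own wording. The last line is unrelated noise.
SAMPLE_LOG = """\
08-Jan-2013 14:19:01.123 lame-servers: info: lame server resolving 'www.example.net' (in 'example.net'?): 192.0.2.1#53
08-Jan-2013 14:19:03.456 lame-servers: info: lame server resolving 'mail.example.net' (in 'example.net'?): 192.0.2.1#53
08-Jan-2013 14:20:11.789 lame-servers: info: lame server resolving 'www.example.net' (in 'example.net'?): 2001:db8::2#53
08-Jan-2013 14:21:00.000 lame-servers: info: lame server resolving 'host.example.org' (in 'example.org'?): 198.51.100.7#53
08-Jan-2013 14:21:00.000 general: info: zone example.com/IN: loaded serial 2013010801
"""

# qname: the name being resolved; zone: BIND's guess at the zone the
# server should be authoritative for; server/port: the lame nameserver.
LAME_RE = re.compile(
    r"lame server resolving '(?P<qname>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>\S+?)#(?P<port>\d+)"
)


def parse_lame_lines(text):
    """Yield (zone, server, qname) for each lame-server line; skip the rest."""
    for line in text.splitlines():
        m = LAME_RE.search(line)
        if m:
            yield m.group("zone"), m.group("server"), m.group("qname")


def summarise(text):
    """Return {zone: {server: count}}, i.e. how often each delegated
    server of a zone was observed lame in the supplied log text."""
    report = defaultdict(lambda: defaultdict(int))
    for zone, server, _qname in parse_lame_lines(text):
        report[zone][server] += 1
    return {zone: dict(servers) for zone, servers in report.items()}


def worst_zones(text, min_servers=2):
    """Zones with at least min_servers distinct lame delegated servers:
    the delegations most worth raising with the zone operator."""
    return sorted(zone for zone, servers in summarise(text).items()
                  if len(servers) >= min_servers)


if __name__ == "__main__":
    for zone, servers in sorted(summarise(SAMPLE_LOG).items()):
        detail = ", ".join(f"{s} ({n}x)" for s, n in sorted(servers.items()))
        print(f"{zone}: {detail}")
    print("delegations to escalate:", worst_zones(SAMPLE_LOG))
```

Run it against a saved named log instead of SAMPLE_LOG to get a per-zone list; the zone name in the report is BIND's guess from the referral, so confirm the delegation with the parent before contacting anyone.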
</body>
</html>