This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] Re: DNS lameness notifications

Previous message (by thread): [dns-wg] Re: DNS lameness notifications
Next message (by thread): [dns-wg] Re: DNS lameness notifications

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Doug Barton dougb at dougbarton.us
Tue Mar 10 05:02:21 CET 2009

Anand Buddhdev wrote:
> Gilles Massen wrote:
> 
> Hello Gilles,
> 
>> I was wondering if there is a detailed description of what and
>> how is tested in order to check the lameness of a server (i.e.
>> how are the names resolved, timeouts and retransmits of the
>> queries, checks made,....)? Any pointer would be welcome.
> 
> This is currently not documented.

It needs to be documented for at least 2 reasons that come immediately
to mind. First, it will allow operators to perform the same tests that
you(pl) are performing, thus hopefully catching problems before they
happen. Second, it will allow for peer review of the procedure. Given
that there are a non-trivial number of operators reporting that your
system is generating false positives, I think both of these goals are
relevant.

In an effort to be helpful (not critical) I will ask some questions
about the details you've left out below. Hopefully fleshing this
process out can help everyone involved.

> However, I can provide a quick explanation here.
> 
> The first phase of the lameness checks involves generating a
> canonical list of name servers for a zone.

How is this done? IOW, what sources are queried to generate the list?

> The process gathers all the name servers, and queries each name
> once for A and AAAA records, with a 3-second timeout.

What source is queried? If a query times out are other authoritative
sources for that name tried? I would say off hand that 3 seconds is
probably not long enough for a timeout, but it might be acceptable if
more than one source is tried (for example, if you're looking for the
address records for ns1.example.com and you try all of the name
servers for example.com).

> Once it has a complete list of zone and nameserver address pairs,

I think I know what you mean by this, but I'm not sure. Could you
please flesh this out?

> it queries each address for a SOA record for the zone, with a
> 3-second timeout. If a particular address yields no response, it is
> queued, and queried up to 4 more times at varying intervals.

That sounds a little more reasonable, although if it were me I would
double the timeout on each successive query.

hope this helps,

Doug

Previous message (by thread): [dns-wg] Re: DNS lameness notifications
Next message (by thread): [dns-wg] Re: DNS lameness notifications

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]