This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/

[dns-wg] Re: DNS lameness notifications

Previous message (by thread): [dns-wg] Re: DNS lameness notifications
Next message (by thread): [dns-wg] DNS lameness notifications

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Edward Lewis Ed.Lewis at neustar.biz
Tue Mar 10 14:36:46 CET 2009

At 0:36 +0100 3/10/09, Anand Buddhdev wrote:

>We are aware that around 1% of the servers we have in our list did not
>resolve to addresses, which resulted in these false positives. We are
>taking steps to ensure that we eliminate as many of these as possible in
>future probes.

Servers that cannot be reached are not "lame" per se.

The origin of the concern over lameness (excepting the desire for 
complete correctness by some) was in an old resolver implementation 
that didn't know that a referral to the root was an indication of 
lameness and not a referral to be followed.  When this old resolver 
queried a server without a response (including not finding an IP 
address for the server's domain name), it stopped asking and thus was 
not a problem.  When the resolver got a response and it was a 
referral to the root problems ensued.

In at least three RFCs lame servers are defined to be servers that 
are not authoritative for the zones they are thought to be 
authoritative for.  To detect that, the querier has to get a 
response.  So, for a server to be considered lame by a resolver 
(that's the "eye of the beholder" here), the server must have an IP 
address, be reachable, and respond.

For the lame testing I've written, I've always listed servers by IP 
address and not domain name.  That is because some registrants would 
list multiple NS records with different domains, all pointing to the 
same IP address.  In one instance, three NS records each pointed to 
three IP addresses, but all sets of the three IP addresses were 
identical.

That is:

    silly.example.     NS    ns1.silly.example.
    silly.example.     NS    ns2.silly.example.
    silly.example.     NS    ns1.silly.example.
    ns1.silly.example. AAAA  ::1
    ns1.silly.example. AAAA  ::2
    ns1.silly.example. AAAA  ::3
    ns2.silly.example. AAAA  ::1
    ns2.silly.example. AAAA  ::2
    ns2.silly.example. AAAA  ::3
    ns3.silly.example. AAAA  ::1
    ns3.silly.example. AAAA  ::2
    ns3.silly.example. AAAA  ::3

So, my recommendation when implementing a lame server test - stick to 
the IP addresses and test them.  If there is no IP address available, 
don't try to test - the problem may lie in the forward map, getting 
to the forward map, etc., and may just be too confusing to explain.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Getting everything you want is easy, if you don't want much.

Previous message (by thread): [dns-wg] Re: DNS lameness notifications
Next message (by thread): [dns-wg] DNS lameness notifications

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]