[ppml] Comments on ARIN's reverse DNS mapping policy
briand at ca.afilias.info
Wed Sep 12 11:24:08 EDT 2007
Randy Bush wrote:
> arin delegates 42.666.in-addr.arpa to the member isp. the servers
> properly respond for that delegation. this seems to be about as far as
> current policy goes; though there are reported gaps in implementation.
> the op wants us to say that, if the delegatee further delegates
> sub-zones, then the service for those sub-zones must not be lame.
> aside from issues of whether the community has the right to descend into
> the delegation, how would we test the sub-delegations? if they are on
> byte boundaries, we can probe for them. but goddesses help us if they
> use rfc 2317. and is it our prerogative to probe 256 sub-delegations of
> a /16? 64k of a /8? and how many of a /32 in ipv6 space?

The "probing" is, in fact, an exercise in tree-walking.
Writing a script to handle this should be within the capabilities of ARIN, given the scope of other tools they no doubt need to handle administration of address assignments.

The basic tree-walking should be limited to following delegations of expected form (numeric subzones within the expected ranges, either 0-1 or 0-255). Those are the only sub-delegations "of interest", i.e. which would otherwise have been directly delegated by ARIN.

Optimizations can be done, since the expectation is one of positive responses to SOA queries.
Low timeouts may generate false negatives, but no false positives. Re-testing false negatives with longer timeouts produces the true negatives.

The *main* question is, since in rfc 2317 the distance from ARIN in delegations can be >2, what should be done?

I think the classic "him or you" answer scales best. ARIN requests the delegatee to fix the subordinate, or have their delegation pulled, with the recommendation that they use the same tactic.

At the leaf, the broken delegatee must either fix the problem or get pruned.
If the delegator does not prune a still-broken leaf, then *his* delegator must do the same, or face being pruned him/herself. Etc.

The responsibility with ARIN rests only in running test scripts, and contacting direct delegatees.
All further communication is between third parties, within some set time

I *think* this would be able to be codified in the NRPM, as well as passing the scaling, sanity, and legitimacy/legality tests.
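
The tree-walk with a short-timeout pass and a long-timeout retest described in the message above, as an added Python example that is not part of the original post or any ARIN tool. The zone table, latencies, timeout values and function names are constructed for illustration, and `soa_ok` is a simulated stand-in for a real SOA query.

```python
import re

NUMERIC = re.compile(r"^(0|[1-9][0-9]{0,2})$")

# Constructed sample tree: zone -> (NS-delegated child labels, SOA latency in
# seconds; None = never answers). 666 is not a valid octet, so nothing is real.
ZONES = {
    "666.in-addr.arpa": (["42"], 0.05),
    "42.666.in-addr.arpa": (["1", "2", "3"], 0.05),
    "1.42.666.in-addr.arpa": ([], 0.10),
    "2.42.666.in-addr.arpa": (["0/26"], 2.00),  # slow but alive
    "3.42.666.in-addr.arpa": ([], None),        # lame
}

def of_interest(label):
    """Follow only numeric labels 0-255; RFC 2317 labels like '0/26' are not walked."""
    return bool(NUMERIC.match(label)) and int(label) <= 255

def soa_ok(zone, timeout):
    """Simulated SOA probe (assumption: replaces a real resolver call)."""
    latency = ZONES[zone][1]
    return latency is not None and latency <= timeout

def walk(apex, fast=0.5, slow=5.0):
    """Tree-walk from apex: short timeout first, long-timeout retest of misses."""
    out = {"lame": [], "slow": [], "skipped": []}
    todo = [apex]
    def descend(zone):
        for label in ZONES[zone][0]:
            child = f"{label}.{zone}"
            (todo if of_interest(label) else out["skipped"]).append(child)
    while todo:
        suspects = []
        while todo:  # pass 1: a miss is only a suspect, never a verdict
            zone = todo.pop()
            if soa_ok(zone, fast):
                descend(zone)
            else:
                suspects.append(zone)
        for zone in suspects:  # pass 2: retest decides lame vs. merely slow
            if soa_ok(zone, slow):
                out["slow"].append(zone)
                descend(zone)  # a slow zone's children still get walked
            else:
                out["lame"].append(zone)
    return {k: sorted(v) for k, v in out.items()}

def direct_delegatee(zone, apex):
    """Zone one label below apex on the path to `zone`: who the registry contacts."""
    labels = zone[: -len(apex) - 1].split(".")
    return f"{labels[-1]}.{apex}"
```

With the sample table, the retest clears the slow /24, leaves one truly lame zone, and maps it back to the single direct delegatee that would be contacted.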