[ppml] Policy Proposal: Modification to Reverse Mapping Policy
Edward Lewis
Ed.Lewis at neustar.biz
Wed Sep 12 14:52:49 EDT 2007
Overall I like the idea, but to give an idea of how much of a pain it
is to cover this in policy, here is my first pass for nits. (Keep in
mind I've written lame delegation test code before and have seen all
of the "weird" cases.)
I would rather take what we (=community that came to consensus on
proposals) have, request a review of the tools ARIN (=staff) is using
to implement 2002-1 and 2003-5 and see where the tools are deemed to
be insufficient by the community.
>START NEW Section
>
>7. Reverse Mapping
>
>7.1. Maintaining IN-ADDRs
>
>All ISPs receiving one or more distinct /16 CIDR blocks of IP addresses
>from ARIN will be responsible for maintaining all IN- ADDR.ARPA domain
>records for their respective customers. For blocks smaller than /16, and
>for the segment of larger blocks which start or end with a CIDR prefix
>longer than /16, ARIN can maintain IN-ADDRs through the use of the SWIP
>(Reallocate and Reassign) templates or the Netmod template for /24 and
>shorter prefixes.
Not all of the delegations from ARIN published zones are to
"customers" of ARIN. Because of the Early Registration Transfers
about 5 years ago, some of the delegations are for registrants of
APNIC, RIPE, et.al. We will have to keep this in mind when it comes
to trying to contact the registrant to report a detected problem.
>7.2 Definitions
>
>7.2.1 Lame Delegation
>
>A delegation is defined as being lame if all of the in-addr.arpa zones
>for a given name server of a specific network registration are lame. An
>in- addr.arpa zone is defined as lame when ARIN requests the SOA record
>from the name server registered in whois, but does not receive an answer.
A delegation in DNS terminology is the subsetting of the name space
and yielding it to another authority and is indicated by the set of
name servers where the subsetted name space can be found. In the
field of DNS, we have never grouped all of the NS records with common
"RHS (right hand sides)" to make a set of zones delegated to the RHS,
and from this declare the "delegation" to be lame.
For a network with 4 zones, using one implementation of DNS, and only
configuring 3 zones, if you ask the name server in the NS record for
the SOA of the 3 working zones, you get good answers. For the fourth
you will get no response, making it appear that there was a network
error. It would not be proper to call the delegation to the name
server "lame" (sic).
The mapping is "network"->"zone"->"domain name"->"IP address". A
network (e.g., a /19) will beget 32 /24 zones. Each of the 32 zones
will inherit the, say, 3 name servers registered to the network.
Those 3 name servers may each have multiple addresses - IPv4 and/or
IPv6 - so there may be 4 IP addresses to try. Further, if there is
anycast there could be many name servers to test for a given network.
What if the only server for a network is one that is anycasting
locally to the site from which testing is done? (I'm pointing this
out to give a taste of how much you see from the trenches.)
Requesting an SOA and failing to receive and answer is a very
inaccurate characterization of lameness (sic). (Please, don't
redefine terms, in the DNS context, lame already has a, ok a few,
IETF documented definitions.) I'll lay aside the call to use a
different term for "broken."
The following would also be "broken" - non-recursive query for T=SOA
and getting back anything other than the appropriate SOA alone in the
Answer Section (ANCOUNT=1) with the Authoritative Answer (aa) bit set
to 1. That covers the use of recursive servers to look like they
slave the zone.
>7.2.2 Partially Lame Delegation
>
>A delegation is defined as being partially lame if at least one in-
>addr.arpa zone for a given name server of a specific network
>registration is lame. An in- addr.arpa zone is defined as lame when ARIN
>requests the SOA record from the name server registered in whois, but
>does not receive an answer.
There will be many cases where for a network, one server will be
broken at any moment in time. But this is an inaccurate
characterization of the problem.
>7.3. Handling of Lame and Partially Lame Delegations in IN-ADDR.ARPA
>
>ARIN will actively identify lame and partially lame DNS name server
>(s) for reverse address delegations associated with address blocks
>allocated, assigned or administered by ARIN. Upon identification of a
>lame or partially lame delegation, ARIN shall attempt to contact the POC
>for that resource and resolve the issue. If, following due diligence,
>ARIN is unable to resolve the lame or partially lame delegation, ARIN
>will update the WHOIS database records resulting in the removal of lame
>or partially lame DNS servers. ARIN's actions in resolving lame and
>partially lame delegations is governed by the procedures set forth in
>(Lame-Ref).
I would rephrase this as something like this: ARIN will actively
monitor DNS delegations from it's DNS servers to ARIN registrants and
inform registrants of malfunctioning servers . (Insert time and
retry parameters here). If a registered name server for a network
object is found to be unsuitably operating, it will be removed from
the network object's definition in the database.
The important point is to make the policy specify an action ARIN can
easily take - that is the removal of the name server. (Hey, it
wasn't working anyway!) But note "suitably" because it could be the
case that the name server answers to it's selected population of
clients and the ARIN tester but to no one else in the Internet,
thanks to ACLs.
>7.4 References
>
>(Lame-Ref) "Lame Delegations In IN-ADDR.ARPA", http://www.arin.net/
>reference/lame_delegations.html
>and some do not. Even if only one /24 in-addr.arpa reverse tests comes
>back as lame, it is my opinion that this still taints the reputation of
>entire network registration. IPs belonging to that lame in-addr.arpa
I don't want ARIN to make judgements about "reputation."
>zone will cause query timeouts to 3rd party dns resolvers, both public
>and private. These excessive timeouts in my opinion can harm the overall
>well-being of reverse dns functionality throughout the internet. The
>only way to prevent such harm is for ARIN to not delegate reverse
>authority to the so-called partially lame dns server as registered in
>whois. That is the purpose of this policy proposal, to consider partial
>lameness with the same prejudice as traditionally defined lameness.
>Org's who are partially lame should be contacted by ARIN and lame
>in-addr.arpa zones should be resolved as the procedures per
>"http://www.arin.net/reference/ lame_delegations.html" dictate.
I have a hard time following the rest of the rationale. What I can
buy is asking ARIN to suspend/remove a name server if it's inclusion
in the DNS causes sustained negative operational consequences. This
is limited to the zone involved (not the network), as that is the
extent of the DNS "damage."
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Think glocally. Act confused.
More information about the ARIN-PPML
mailing list