[ppml] Comments on ARIN's reverse DNS mapping policy
bmanning at vacation.karoshi.com
bmanning at vacation.karoshi.com
Wed Sep 12 21:51:51 EDT 2007
there are some people who do this testing already ... we don't do the
email's any more, since ARIN came into existance... but we still run the
On Wed, Sep 12, 2007 at 11:58:32AM -0400, John Von Essen wrote:
> I agree.
> I have no sympathy for the response of "testing all these in-
> addr.arpa zones is too much work". Granted, we are only talking
> about /24 prefixes.
> The entire process can be easily automated, and that includes the SOA
> query testing to delegated DNS servers for an Org's address block,
> updating an internal tracking database, and even the process of
> emailing the Org's POC for DNS. The Org's that get emailed the
> warning could even be given a link to click when they have resolved
> the issue. That link would automatically re-check, and if SOA
> response is valid, would automatically remove them from the database
> of "delinquents".
> So for the Org's that fix things in a timely fashion following the
> automatic email - ARIN staff will never even have to get involved.
> Staff would only get involved with those Org's that dont respond to
> the initial emails.
> On Sep 12, 2007, at 11:24 AM, Brian Dickson wrote:
> >Randy Bush wrote:
> >>arin delegates 42.666.in-addr.arpa to the member isp. the servers
> >>properly respond for that delegation. this seems to be about as
> >>far as
> >>current policy goes; though there are reported gaps in
> >>the op wants us to say that, if the delegatee further delegates
> >>sub-zones, then the service for those sub-zones must not be lame.
> >>aside from issues of whether the community has the right to
> >>descend into
> >>the delegation, how would we text the sub-delegations? if they
> >>are on
> >>byte boundaries, we can probe for them. but goddesses help us if
> >>use rfc 2317. and is it our prerogative to probe 256 sub-
> >>delegations of
> >>a /16? 64k of a /8? and how many of a /32 in ipv6 space?
> >The "probing" is in fact, an exercise in tree-walking.
> >Writing a script to handle this should be within the capabilities of
> >ARIN, given the scope of other
> >tools they no doubt need to handle administration of address
> >The basic tree-walking should be limited to following delegations of
> >expected form (numeric subzones
> >within the expected ranges, either 0-1 or 0-255). Those are the only
> >sub-delegations "of interest",
> >i.e. which would otherwise have been directly delegated by ARIN.
> >Optimizations can be done, since the expectation is one of positive
> >responses to SOA queries.
> >Low timeouts may generate false negatives, but no false positives.
> >Re-testing false negatives with
> >longer timeouts, produces the true negatives.
> >The *main* question is, since in rfc 2317 the distance from ARIN in
> >delegations can be >2,
> >what should be done?
> >I think the classic "him or you" answer scales best. Arin requests the
> >delegatee to fix the subordinate,
> >or have their delegation pulled, with the recommendation that they use
> >the same tactic.
> >At the leaf, the broken delegatee must either fix the problem or
> >get pruned.
> >If the delegator does not prune a still-broken leaf, then *his*
> >delegator must do the same, or face
> >being pruned him/herself. Etc.
> >The responsibility with ARIN rests only in running test scripts, and
> >contacting direct delegatees.
> >All further communication is between third parties, within some set
> >I *think* this would be able to be codified in the NRPM, as well as
> >passing the scaling, sanity,
> >and legitimacy/legality tests.
> >Brian Dickson
> >You are receiving this message because you are subscribed to the
> >ARIN Public Policy
> >Mailing List (PPML at arin.net).
> >Unsubscribe or manage your mailing list subscription at:
> >http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN
> >Member Services
> >Help Desk at info at arin.net if you experience any issues.
> John Von Essen
> (800) 248-1736 ext 100
> john at quonix.net
> You are receiving this message because you are subscribed to the ARIN Public Policy
> Mailing List (PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services
> Help Desk at info at arin.net if you experience any issues.
More information about the ARIN-PPML