Lame Delegations

Bruce Campbell bruce.campbell at ripe.net
Wed Jan 16 05:57:27 EST 2002


On Wed, 16 Jan 2002 bmanning at vacation.karoshi.com wrote:

> I find this uncomfortable for a couple of reasons:
>
> 	the Internet is increasingly abandoning the e2e model. what
> 	presumptions are you making that your monitoring machine will
> 	not be blocked by firewalls or that the prefix will even be
> 	carried to everywhere on the net? (this is the in-addr.arpa
> 	zone you are talking about, not just the data in the arin region)

Hrm.  I interpreted the proposal as only pertaining to data held by ARIN
that is in the in-addr.arpa zone.. so ARIN would happily check the APNIC
and RIPE nameservers for these non-ARIN RIR delegations, and would not
proceed down that tree further.

One would assume that if an infrastructure zone (in-addr.arpa) has a
delegation to a given set of nameservers, that said nameservers would:

	*) Not be behind a firewall that blocks DNS queries to zones that
	   it is authoritative for
	*) Be reachable from most places.

On the first point, for an organisation to put its listed nameserver(s)
behind a firewall that blocks ad-hoc DNS queries for the zone that has
been delegated to it would imply that they do not know what they are
doing.  Hence, ARIN is proposing to notify said networks, at which point
one hopes that the organisation in question will reconfigure their
firewall.

On the second point, some nameservers would undoubtedly be unreachable
from a single point on the Internet.  Based on observations when I ran
through all the APNIC delegations many moons ago, such a state is not
permanent, i.e., all nameservers that APNIC delegated to were reachable at
various times over 3 days.  ARIN may of course have a different experience
(although I doubt it, as the Internet in Asia-Pacific is generally more
flakey than the Internet in the ARIN region).

Having suggested a project like this whilst @APNIC, I'm pleased to see
that it is being undertaken by someone ;).

Regards,


--
                             Bruce Campbell                            RIPE
                ( Formerly Senior Systems )                             NCC
                (   Administrator - APNIC )                      Operations
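
An added example, not part of the original message or of any ARIN tooling: a sketch of how a delegation checker could keep the two cases discussed above apart, treating a nameserver as lame only when it answers without authority, and judging reachability over several probe rounds rather than one. The nameserver names, the three-round schedule and the sample packets are constructed assumptions.

```python
import struct

QR, AA, RCODE_MASK = 0x8000, 0x0400, 0x000F  # DNS header flag bits (RFC 1035)

def classify_response(packet):
    """Classify one reply to a non-recursive SOA query for the delegated zone.
    packet is the raw UDP payload, or None when the probe timed out."""
    if packet is None:
        return "unreachable"
    if len(packet) < 12:
        return "lame"  # too short to hold a DNS header
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", packet[:12])
    ok = flags & QR and flags & AA and (flags & RCODE_MASK) == 0 and ancount >= 1
    return "authoritative" if ok else "lame"

def assess(rounds):
    """Combine results for one nameserver from probe rounds spread over days."""
    answered = [r for r in rounds if r != "unreachable"]
    if not answered:
        return "unreachable in every round"
    if all(r == "authoritative" for r in answered):
        return "ok"  # timeouts in some rounds are treated as transient
    return "lame"

def header(flags, ancount):
    """Build a constructed 12-byte DNS header for the sample data below."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed sample: three probe rounds per nameserver (hypothetical names).
SAMPLE = {
    "ns1.example.net": [None, header(0x8400, 1), header(0x8400, 1)],  # flaky path
    "ns2.example.net": [header(0x8005, 0), header(0x8005, 0), None],  # REFUSED
    "ns3.example.net": [None, None, None],                            # never answers
}

def report(probes):
    """Return a verdict per nameserver from its raw probe results."""
    return {ns: assess([classify_response(p) for p in pkts])
            for ns, pkts in probes.items()}

if __name__ == "__main__":
    for ns, verdict in report(SAMPLE).items():
        print(f"{ns}: {verdict}")
```

A server that never answers from the monitoring point is reported separately from a lame one, since a single vantage point cannot tell a filtered nameserver from a routing problem.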




