Re: [DNSOP] Re: AS112 for TLDs
* Mark Andrews:

It's been done. IT DOES NOT WORK. named has code to prevent the records being added because IT DOES NOT WORK and we got sick and tired of telling people who ran up against sites that did it that IT DOES NOT WORK.

They seem to work reasonably well for some purposes:

; <<>> DiG 9.4.2 <<>> @ns1.sedoparking.com. . any
; (3 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13633
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;.                      IN      ANY

;; ANSWER SECTION:
.               86400   IN      NS      ns2.sedoparking.com.
.               600     IN      A       82.98.86.179
.               86400   IN      NS      ns1.sedoparking.com.
.               86400   IN      SOA     ns1.sedoparking.com. hostmaster.sedo.de. 2007021501 86400 7200 604800 86400

;; Query time: 173 msec
;; SERVER: 74.208.13.27#53(74.208.13.27)
;; WHEN: Fri Dec 28 23:39:19 2007
;; MSG SIZE rcvd: 138

___
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop
[DNSOP] Re: AS112 for TLDs
On Tue, Dec 04, 2007 at 10:04:21PM -0500, William F. Maton Sotomayor [EMAIL PROTECTED] wrote a message of 31 lines which said:

I'd be happy to write-up an ID describing the problem and proposing AS112 as a potential solution -

+1 :-)

Testing the waters a bit over delegations, I was told in the hallway that getting a junk TLD delegation is far harder than compared to a reverse map.

Probably for ICANN political reasons. That's irrational but the problem exists.
[DNSOP] Re: AS112 for TLDs
On Wed, Dec 05, 2007 at 02:28:53AM +0100, Mohsen Souissi [EMAIL PROTECTED] wrote a message of 25 lines which said:

OK for the first query, but as the referral to AS112 NS's will lead to a lame delegation

If the AS112 servers' configuration is not modified. But if they have some sort of wildcard themselves? (I do not think it can be done with BIND but it is possible.)
Re: [DNSOP] Re: AS112 for TLDs
Mark Andrews wrote:

It's been done. IT DOES NOT WORK. named has code to prevent the records being added because IT DOES NOT WORK and we got sick and tired of telling people who ran up against sites that did it that IT DOES NOT WORK. It's better to prevent than to spend repeated amounts of time dealing with the repercussions.

Can't we make it work? I appreciate your honesty. But there are other dns packages that do allow it. I'm looking for the flexibility to extra-zone so I can manage root traffic in bind. It's obvious root gets bogus traffic - I advocate a traffic can to send those bogus tlds to. I would love an AS112 stop sign. That also eliminates the legal liability to me as a commercial operator of root.

It's easy to remove the checks but then you need to make sure all clients will work with the resultant mess.

It already is a mess. has been for years. What we are doing is fixing the mess using AS112. I know a lot of root operators who would welcome that friendly terminator for wayward traffic. But I need bind to terminate *. NS. I feel sorry it does not.

*. NS will result in lookups for non-existent labels returning NODATA rather than NXDOMAIN. This is a BAD change. Lots of sites depend upon NXDOMAIN being returned. The AS112 delegations return NXDOMAIN for almost all queries directed to them as they are the result of gethostbyname(). The times when they don't but those are when the client is searching for the containing zone and expect to get the other types of response. The queries to the root are a mixture of single and multi-label queries. All the single label queries (unqualified hostname for example) will get a DIFFERENT rcode as a result of this change. This does not fit the AS112 usage model.

Wildcard is defined for intra-zone use. It is not defined for extra-zone use.

Let's define it. Just call it experimental. or something convenient. I think it's needed for root services. I am told it works under Dr. Bernstein's named daemon. I still have not tested that myself. But will eventually. I pray it is the case. Any root operator would welcome a trash can for bogus traffic. and it's christmas time. what a wonderful gift.

regards
joe baptista

--
Joe Baptista www.publicroot.org
PublicRoot Consortium
The future of the Internet is Open, Transparent, Inclusive, Representative
Accountable to the Internet community @large.
Office: +1 (202) 517-1593
Fax: +1 (509) 479-0084

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
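The NXDOMAIN-versus-NODATA change described in the message above, as an added example that is not part of the original thread: a toy single-zone lookup that applies the wildcard synthesis rules of RFC 4592 to a root zone with and without a "*. NS" record. The zone contents, the name blackhole.example. and the function names are constructed; referrals are not modelled, and the NS RRset at the wildcard is treated as ordinary data, which is an assumption (RFC 4592 section 4.2, cited later in the thread, covers that case).

```python
# Added example: toy authoritative lookup with RFC 4592 wildcard synthesis.
# All zone data below is constructed for illustration.

def labels(name):
    """'host.corp.' -> ['host', 'corp']; '.' -> []"""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def join(lbls):
    return ".".join(lbls) + "." if lbls else "."

def existing_names(zone):
    """Owner names plus every ancestor (empty non-terminals and the apex)."""
    names = {"."}
    for owner in zone:
        l = labels(owner)
        names.update(join(l[i:]) for i in range(len(l)))
    return names

def lookup(zone, qname, qtype):
    """Return (kind, rrset); kind is NOERROR, NODATA or NXDOMAIN.
    NODATA means rcode NOERROR with an empty answer section."""
    q = labels(qname)
    exists = existing_names(zone)
    if join(q) in exists:
        rrs = zone.get(join(q), {}).get(qtype, [])
        return ("NOERROR" if rrs else "NODATA", rrs)
    # Closest encloser: longest existing ancestor, however many labels up.
    i = next(i for i in range(1, len(q) + 1) if join(q[i:]) in exists)
    wildcard = join(["*"] + q[i:])          # source of synthesis
    if wildcard not in zone:
        return ("NXDOMAIN", [])             # name error, as clients expect
    rrs = zone[wildcard].get(qtype, [])
    return ("NOERROR" if rrs else "NODATA", rrs)

ROOT = {
    ".":    {"NS": ["ns.root.example."]},
    "com.": {"NS": ["ns.com.example."]},
}
# Same zone plus the proposed "*. NS" record (assumption: treated as plain data).
ROOT_WILD = dict(ROOT, **{"*.": {"NS": ["blackhole.example."]}})

if __name__ == "__main__":
    for zone_name, zone in (("plain", ROOT), ("wildcard", ROOT_WILD)):
        for qname in ("printer.", "host.corp."):
            print(zone_name, qname, "A ->", lookup(zone, qname, "A")[0])
```

The multi-label name host.corp. is caught by the same wildcard as the single-label name printer., because the closest encloser of both is the root.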
Re: [DNSOP] Re: AS112 for TLDs
At 11:40 -0500 12/5/07, Joe Baptista wrote:

experiment. I have found some servers that do *. NS - or so I'm told...

ftp://ftp.rfc-editor.org/in-notes/rfc4592.txt

See sections 4.2 and 4.2.1. for comments on this idea.

--
Edward Lewis +1-571-434-5468
NeuStar
Think glocally. Act confused.
Re: [DNSOP] Re: AS112 for TLDs
[EMAIL PROTECTED] (Joe Baptista) writes:

No it can't be done with BIND. Very lame. It would be a big asset to root technology if the entire *. wildcard TLD label could be pointed to AS112. AS112 is truly the blackhole of this universe we call the internet. AS112 - the internet garbage can. I support using AS112 for that. Great way to reduce the error traffic at root-servers.net.

wildcards can't be cname's or ns's. (of the many important reasons why the suggestion is terrible, that's the first/simplest that comes to mind.)

--
Paul Vixie
Re: [DNSOP] Re: AS112 for TLDs
Mark Andrews wrote:

Actually no. That is not correct. I did some experimentation using BIND 8 and 9 as root servers. BIND 8 does not support *. CNAME some.host.name.

Actually all versions of BIND support * CNAME.

Sorry - you're right - it's DNAME it does not do.

But BIND 9 does. I know it sounds terrible to you but I think the RFC is flexible on that. You're the expert - you look into it. So it would be so nice if I could under BIND 9 do: *. NS some.host.name.

Wildcard matching has the wrong semantics (1 vs many labels) for NS records. Even if the semantics were addressed you then have to set up nameservers to do wildcard processing while looking for the relevant zone. This implies having a copy of the parent zone so you can know what query names don't match the wildcard.

Ya I know. That's the whole point behind what I'm advocating for AS112. Those are the servers I would wildcard to. At least I would like to run the experiment. I have found some servers that do *. NS - or so I'm told by their support tech community. But not BIND. BIND should be flexible and allow that.

It's been done. IT DOES NOT WORK. named has code to prevent the records being added because IT DOES NOT WORK and we got sick and tired of telling people who ran up against sites that did it that IT DOES NOT WORK. It's better to prevent than to spend repeated amounts of time dealing with the repercussions. It's easy to remove the checks but then you need to make sure all clients will work with the resultant mess. Wildcard is defined for intra-zone use. It is not defined for extra-zone use.

Mark

regards
joe baptista

--
Joe Baptista www.publicroot.org
PublicRoot Consortium
The future of the Internet is Open, Transparent, Inclusive, Representative
Accountable to the Internet community @large.
Office: +1 (202) 517-1593
Fax: +1 (509) 479-0084

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
Re: [DNSOP] Re: AS112 for TLDs
Stephane Bortzmeyer wrote:

On Wed, Dec 05, 2007 at 02:28:53AM +0100, Mohsen Souissi [EMAIL PROTECTED] wrote a message of 25 lines which said:

OK for the first query, but as the referral to AS112 NS's will lead to a lame delegation

If the AS112 servers' configuration is not modified. But if they have some sort of wildcard themselves? (I do not think it can be done with BIND but it is possible.)

No it can't be done with BIND. Very lame. It would be a big asset to root technology if the entire *. wildcard TLD label could be pointed to AS112. AS112 is truly the blackhole of this universe we call the internet. AS112 - the internet garbage can. I support using AS112 for that. Great way to reduce the error traffic at root-servers.net.

regards
joe baptista

--
Joe Baptista www.publicroot.org
PublicRoot Consortium
The future of the Internet is Open, Transparent, Inclusive, Representative
Accountable to the Internet community @large.
Office: +1 (202) 517-1593
Fax: +1 (509) 479-0084
Re: [DNSOP] Re: AS112 for TLDs
Mark Andrews wrote:

Actually no. That is not correct. I did some experimentation using BIND 8 and 9 as root servers. BIND 8 does not support *. CNAME some.host.name.

Actually all versions of BIND support * CNAME.

Sorry - you're right - it's DNAME it does not do.

But BIND 9 does. I know it sounds terrible to you but I think the RFC is flexible on that. You're the expert - you look into it. So it would be so nice if I could under BIND 9 do: *. NS some.host.name.

Wildcard matching has the wrong semantics (1 vs many labels) for NS records. Even if the semantics were addressed you then have to set up nameservers to do wildcard processing while looking for the relevant zone. This implies having a copy of the parent zone so you can know what query names don't match the wildcard.

Ya I know. That's the whole point behind what I'm advocating for AS112. Those are the servers I would wildcard to. At least I would like to run the experiment. I have found some servers that do *. NS - or so I'm told by their support tech community. But not BIND. BIND should be flexible and allow that.

regards
joe baptista

--
Joe Baptista www.publicroot.org
PublicRoot Consortium
The future of the Internet is Open, Transparent, Inclusive, Representative
Accountable to the Internet community @large.
Office: +1 (202) 517-1593
Fax: +1 (509) 479-0084
Re: [DNSOP] Re: AS112 for TLDs
Paul Vixie wrote:

[EMAIL PROTECTED] (Joe Baptista) writes:

No it can't be done with BIND. Very lame. It would be a big asset to root technology if the entire *. wildcard TLD label could be pointed to AS112. AS112 is truly the blackhole of this universe we call the internet. AS112 - the internet garbage can. I support using AS112 for that. Great way to reduce the error traffic at root-servers.net.

wildcards can't be cname's or ns's. (of the many important reasons why the suggestion is terrible, that's the first/simplest that comes to mind.)

Actually no. That is not correct. I did some experimentation using BIND 8 and 9 as root servers. BIND 8 does not support *. CNAME some.host.name.

Actually all versions of BIND support * CNAME.

But BIND 9 does. I know it sounds terrible to you but I think the RFC is flexible on that. You're the expert - you look into it. So it would be so nice if I could under BIND 9 do: *. NS some.host.name.

Wildcard matching has the wrong semantics (1 vs many labels) for NS records. Even if the semantics were addressed you then have to set up nameservers to do wildcard processing while looking for the relevant zone. This implies having a copy of the parent zone so you can know what query names don't match the wildcard.

Paul - make it so. It would really cut down on root traffic and we could use AS112 as the garbage can of bin bucket heaven. Be a sport - push the buttons and make it so.

Additionally the root server operators aren't worried about the traffic volume. The in-addr.arpa server operators were worried. As an end user you should worry about information leaking but that can be addressed by having a local copy of the root zone. There are other issues end users should also worry about which are also covered by having a local copy of the root zone.

Mark

regards
joe baptista

P.S. A lot of servers already wildcard *. NS back to the IANA servers.

--
Joe Baptista www.publicroot.org
PublicRoot Consortium
The future of the Internet is Open, Transparent, Inclusive, Representative
Accountable to the Internet community @large.
Office: +1 (202) 517-1593
Fax: +1 (509) 479-0084

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
Re: [DNSOP] Re: AS112 for TLDs
Stephane Bortzmeyer wrote:

On Wed, Dec 05, 2007 at 02:28:53AM +0100, Mohsen Souissi [EMAIL PROTECTED] wrote a message of 25 lines which said:

OK for the first query, but as the referral to AS112 NS's will lead to a lame delegation

If the AS112 servers' configuration is not modified. But if they have some sort of wildcard themselves? (I do not think it can be done with BIND but it is possible.)

No it can't be done with BIND. Very lame. It would be a big asset to root technology if the entire *. wildcard TLD label could be pointed to AS112. AS112 is truly the blackhole of this universe we call the internet. AS112 - the internet garbage can. I support using AS112 for that. Great way to reduce the error traffic at root-servers.net.

regards
joe baptista

This discussion is getting more ridiculous by the message.

Mark

--
Joe Baptista www.publicroot.org
PublicRoot Consortium
The future of the Internet is Open, Transparent, Inclusive, Representative
Accountable to the Internet community @large.
Office: +1 (202) 517-1593
Fax: +1 (509) 479-0084

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
[DNSOP] Re: AS112 for TLDs
On Tue, 4 Dec 2007, Stephane Bortzmeyer wrote:

IMHO, it (this determination) could be outsourced to the root name servers operators. The distribution of these broken domain names is exponential with a fast decay. So, even adding only the first two or three would handle most of the problem.

Since AS112 is part of the Root Server Technical Operations Assn, then getting the root server operators to provide feedback to AS112 (and I guess someone arranging for the delegation thereof) of what junk zones need to be dealt with makes sense. I don't know if this needs to be formalized in an expanded draft of the current ops document, or not (I think the floor is open on that one for comments).

wfms
Re: [DNSOP] Re: AS112 for TLDs
On Wed, 5 Dec 2007, Mark Andrews wrote:

Since AS112 is part of the Root Server Technical Operations Assn, then getting the root server operators to provide feedback to AS112 (and I guess someone arranging for the delegation thereof) of what junk zones need to be dealt with makes sense. I don't know if this needs to be formalized in an expanded draft of the current ops document, or not (I think the floor is open on that one for comments).

This is using a hammer as a screwdriver.

:-) then let's leave these alone for wglc.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]

wfms