

To: "Robert Elz" <kre@munnari.OZ.AU>
Cc: <dnsop@cafax.se>
From: "Stuart Kwan" <skwan@Exchange.Microsoft.com>
Date: Tue, 23 May 2000 19:09:39 -0700
Sender: owner-dnsop@cafax.se
Thread-Topic: root server load and dynamic updates.
Subject: RE: root server load and dynamic updates.


Once the client has found the nearest enclosing zone, it goes no higher.  Therefore, I believe this condition is caused by clients configured with "bogus.com.au" (or other non-existent) domain names, where "com.au" (or other TLD) is the nearest enclosing zone.  You should be able to verify this by looking at the names that clients are attempting to update, and seeing if they are bogus or not.

I don't think ISPs would agree to filtering & forwarding, since it limits the kind of service they can offer (i.e. I would not be able to run my own independent recursive DNS server, because the ISP would be eating my recursion packets).


-----Original Message-----
From: Robert Elz [mailto:kre@munnari.OZ.AU]
Sent: Monday, May 22, 2000 11:10 PM
To: Stuart Kwan
Cc: dnsop@cafax.se
Subject: Re: root server load and dynamic updates.


    Date:        Fri, 19 May 2000 08:46:37 -0700
    From:        "Stuart Kwan" <skwan@Exchange.Microsoft.com>
    Message-ID:  <19398D273324D3118A2B0008C7E9A569067DF1C8@SIT.platinum.corp.microsoft.com>

Stuart, I'm confused by this part ...

  | - To perform the update, the client finds the enclosing zone of the name
  | of the relevant RRset

In general, what's being done (modulo whatever security issues arise)
seems like it ought to be fine ... but I don't understand how those of
us here who are noticing these queries and their effects are actually being
hit.

eg: I run the SOA.MNAME server for com.au (munnari.oz.au) and I see lots of
these update attempts in the com.au zone.

But that makes no sense - surely the client is going to be random.com.au
and should be finding the SOA.MNAME for random.com.au instead of for
com.au ??   How does it ever get that extra level up the tree?   The same
would apply (even more so) to the .com servers where only NS type delegations
exist (there are a few A and MX only 'delegations' in com.au where the
nearest MNAME would be the one in com.au).

What is the mechanism that the clients are using that is directing them
to upper level servers?

Or is this only happening when someone configures their client as being
bogus.com.au (something which doesn't exist) where the client then discovers
com.au as the nearest enclosing domain?

Should we be encouraging ISPs to filter DNS traffic of their clients onto
the net, and require clients to use an ISP provided forwarder (which would
not forward any update requests) ?   That isn't something I'd like to see,
but I don't like all these bogus update requests either.

kre
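
An added example, not part of either message above: one way a parent-zone operator could run the check Stuart suggests, sorting the names in observed update attempts by whether their nearest enclosing zone is the parent itself (no delegation exists) or an existing child zone. The function names, the input tuple format, the delegation set and the sample attempts are all constructed assumptions.

```python
from collections import Counter

def normalize(name):
    """Lower-case a domain name and drop the trailing root dot."""
    return name.lower().rstrip(".")

def enclosing_zone(name, zone_apexes):
    """Strip leading labels until a known zone apex matches, which is
    where the client's search for the enclosing zone stops."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone_apexes:
            return candidate
    return "."  # nothing matched below the root

def audit_updates(attempts, parent_zone, delegated_children):
    """Split update attempts seen at the parent's primary server.

    Returns (undelegated, misdirected):
      undelegated - Counter of child names with no delegation, so the
                    parent really is the nearest enclosing zone
      misdirected - (client, name, zone) tuples whose enclosing zone is
                    an existing child or lies outside the parent
    """
    parent = normalize(parent_zone)
    apexes = {parent} | {normalize(c) for c in delegated_children}
    depth = parent.count(".") + 2  # label count of a direct child
    undelegated, misdirected = Counter(), []
    for client, name in attempts:
        zone = enclosing_zone(name, apexes)
        if zone == parent:
            child = ".".join(normalize(name).split(".")[-depth:])
            undelegated[child] += 1
        else:
            misdirected.append((client, normalize(name), zone))
    return undelegated, misdirected

# Constructed sample: (client address, name the client tried to update).
SAMPLE_ATTEMPTS = [
    ("192.0.2.10", "host1.bogus.com.au."),
    ("192.0.2.11", "pc7.bogus.com.au"),
    ("192.0.2.12", "laptop.example.com.au"),
    ("192.0.2.13", "ws3.workgroup.com.au"),
]
SAMPLE_DELEGATIONS = {"example.com.au"}  # constructed delegation list

if __name__ == "__main__":
    bogus, odd = audit_updates(SAMPLE_ATTEMPTS, "com.au", SAMPLE_DELEGATIONS)
    print("no delegation:", bogus.most_common())
    print("under an existing delegation or out of zone:", odd)
```

If the first bucket accounts for nearly all attempts, the traffic fits the misconfigured-client explanation; entries in the second bucket would need a different cause.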

