To:
"D. J. Bernstein" <djb@cr.yp.to>
cc:
dnsop@cafax.se
From:
Robert Elz <kre@munnari.OZ.AU>
Date:
Tue, 06 Feb 2001 20:16:40 +0700
In-reply-to:
Your message of "06 Feb 2001 00:09:12 GMT." <20010206000912.28897.qmail@cr.yp.to>
Sender:
owner-dnsop@cafax.se
Subject:
Re: Bogus nic.fr behavior
Date: 6 Feb 2001 00:09:12 -0000
From: "D. J. Bernstein" <djb@cr.yp.to>
Message-ID: <20010206000912.28897.qmail@cr.yp.to>
| Servers (as opposed to caches) should not have root information unless
| they are root servers.
From where did this startling variation on accepted practice arrive?
All servers, when queried, should either return an answer (doing the
recursive thing if they want to, and that was requested in the query)
or should return a referral to a better server to ask. When no other
information is available, the root servers are the better server to
ask. This has been a part of DNS operations since day 1.
It doesn't matter whether you think the server in question should ever
have been sent the query or not.
| Caches will never ask for the information;
You mean a cache which is operating and configured properly won't.
| and there's a cost to copying the information and worrying about keeping it
| up to date. These are not new observations.
There is, and no, they're not. Fortunately most rational servers do
the trivial amount of work of finding the root servers and maintaining
that info. Considering what was supposed to be asked of servers in the
previous little debate (mostly on the ipng list) this amount of work is
in the positively trivial and absolutely easy category.
| Unfortunately, the .fr administrators won't delegate to servers that
| don't have the current root NS records and corresponding A records.
Sounds like an entirely reasonable policy to me, and perhaps one I should
consider adopting in AU as well. In general anything the DNS registrars can
do to help educate people as to what is sanely & properly configured, and
what is bogus (ie: to force them to learn, rather than just provide
information and hope) has to be a long term benefit for the net.
| This is not an isolated example. They also insist on TCP service even if
| you don't have any big records,
That's probably technically slightly too much (TCP support is just
a SHOULD I think), but in practice it is a good thing to check - your
average DNS administrator is never going to be able to work out when
they need TCP and when they don't (and a server implementation is very
unlikely to do so reliably either) - simply telling people to make sure
their servers support TCP and then verifying that is probably no bad thing.
Aside from anything else, I have seen cases where UDP DNS servers are
doing PMTU discovery, and then sending pre-fragmented responses, and then
brain-dead firewalls along the path are dropping the non-initial fragments.
Sometimes the only wat to get an answer from such a server is to use TCP
(then you just get smaller segments instead of fragments).
| and 1.0.0.127.in-addr.arpa PTR records,
Hosts Requirements says that supporting address to name translation
is a MUST for servers. Since 0.0.127.in-addr.arpa isn't delegated
anywhere, the only way a server can support a name to address translation
of 127.0.0.1 (which is a well known addres) is by being configured with
that particular PTR record.
| and various other server behaviors that are not relevant to DNS service.
The DNS service is more than just the protocols as strictly defined.
We now have quite a few years of operational experience as to what works,
and what does not = and what is needed to be configured and what is not.
| Where does this disease come from? Even if the .fr administrators are
| confused about how DNS works, why do they care what other servers do?
Part of the process of ensuring that the overall DNS (which affects all
of is) is healthy is to diagnose the problems early, and try and get them
fixed. One of the best ways to achieve that is to simply refuse to
delegate to servers that don't function correctly.
kre