

To: "Barber, Piet" <pbarber@verisign.com>
cc: dnsop@cafax.se
From: Bruce Campbell <bruce.campbell@ripe.net>
Date: Thu, 13 Mar 2003 10:51:42 +0100 (CET)
In-Reply-To: <3CD14E451751BD42BA48AAA50B07BAD604A64ABB@vsvapostal3.prod.netsol.com>
Sender: owner-dnsop@cafax.se
Subject: RE: "local" zones

On Tue, 11 Mar 2003, Barber, Piet wrote in reply to Daniel Senie:

> > How much damage would be caused by adding NS glue records to the root zone
> > for .local pointing at 127.0.0.1? Sites which misconfigure and allow
> > lookups for .local to leak out will be told to go ask themselves.
>
> There is a very-widely deployed breed of name servers out there (I will not
> name names) which behave very badly when any delegation is lame.  In this
> case, localhost/127.0.0.1 as the lone name server would be a lame
> delegation.

Ok, so we currently have a problem with an amount of 'escaping' query
traffic.  ( Note that K.root does not see the same scale as Kato-san's
report, but the problem is visible. ).

A 'cute' way to fix it, that satisfies the slightly clueful, is to
delegate the problem TLD (.local) to 'localhost'.  The more clueful note
that this will probably cause more traffic (lame delegations cause more
problems than you'd believe).

However, what are we trying to fix?  The fact that the traffic is reaching
the roots, or that the traffic is escaping from the local networks?

If the former, we could correctly delegate (ie, not a lame delegation)
'.local' somewhere other than the roots, and let that sink the traffic.
Or simply put a wildcard record in for '*.local. IN A 127.0.0.1' and let
each site figure out what's wrong.

If the latter, we probably want to focus on active education, naturally
combined with a bit of trickery to rub people's noses in their
misconfiguration.  ( Writing RFCs is fine, but until they know about the
problem, people aren't going to read an informative document )

For that I'd suggest delegating '.local.' to the anycasted AS112 project
(so you've got localised traffic sinks), and wildcard records within to a
website hosted on each AS112, to the effect of 'If you can read this, you
have misconfigured your nameserver and local zone setup.  Here are a few
tips to correct this' (etc).

-- 
                             Bruce Campbell                            RIPE
                   Systems/Network Engineer                             NCC
                 www.ripe.net - PGP562C8B1B             Operations/Security
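As an added illustration of the "escaping query traffic" the thread is about (this is not part of the original message or of any RIPE/AS112 tooling): a small query-log check a site can run on its own recursive resolver to see which clients are sending `.local` lookups that would leave the network if no local zone catches them. The log lines are constructed in the style of BIND's query log (exact format varies by version), and the set of sink TLDs is a parameter so the same check can be pointed at other private-use names.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a BIND query log; not captured from a real server.
SAMPLE_QUERYLOG = """\
client 192.0.2.10#51234: query: printer.local IN A + (192.0.2.1)
client 192.0.2.10#51235: query: fileserver.corp.LOCAL. IN AAAA + (192.0.2.1)
client 192.0.2.11#40001: query: www.example.com IN A + (192.0.2.1)
client 192.0.2.12#40002: query: notlocal.example.net IN A + (192.0.2.1)
client @0x55d0c0ffee00 192.0.2.12#40003 (local): query: local IN SOA + (192.0.2.1)
garbage line that does not parse
"""

# Tolerates both the older "client IP#port:" form and the newer "client @ptr IP#port (qname):" form.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) "
)


def under_tld(qname, tlds):
    """True if qname's rightmost label is one of the sink TLDs (case-insensitive, trailing dot ignored)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] in tlds


def find_local_leaks(log_text, tlds=frozenset({"local"})):
    """Map client IP -> list of query names that lie under a sink TLD, in log order.

    Names under these TLDs have no business leaving the site; if the resolver is not
    authoritative for them, each hit is a query that escapes towards the root servers.
    """
    leaks = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and under_tld(m.group("qname"), tlds):
            leaks[m.group("client")].append(m.group("qname"))
    return dict(leaks)


def leak_counts(log_text, tlds=frozenset({"local"})):
    """Per-client counts, sorted by volume, for a quick 'who needs fixing first' view."""
    leaks = find_local_leaks(log_text, tlds)
    return sorted(((ip, len(names)) for ip, names in leaks.items()), key=lambda t: -t[1])


if __name__ == "__main__":
    for ip, names in find_local_leaks(SAMPLE_QUERYLOG).items():
        print(f"{ip}: {', '.join(names)}")
```

Serving a local `local.` zone (with the wildcard the message suggests) on the same resolver is what turns these hits from escaping queries into locally answered ones; the check above only tells you which clients are asking.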
