To: "Barber, Piet" <pbarber@verisign.com>
cc: dnsop@cafax.se
From: Bruce Campbell <bruce.campbell@ripe.net>
Date: Thu, 13 Mar 2003 10:51:42 +0100 (CET)
In-Reply-To: <3CD14E451751BD42BA48AAA50B07BAD604A64ABB@vsvapostal3.prod.netsol.com>
Sender: owner-dnsop@cafax.se
Subject: RE: "local" zones
On Tue, 11 Mar 2003, Barber, Piet wrote in reply to Daniel Senie:

> > How much damage would be caused by adding NS glue records to the root zone
> > for .local pointing at 127.0.0.1? Sites which misconfigure and allow
> > lookups for .local to leak out will be told to go ask themselves.
>
> There is a very-widely deployed breed of name servers out there (I will not
> name names) which behave very badly when any delegation is lame. In this
> case, localhost/127.0.0.1 as the lone name server would be a lame
> delegation.

Ok, so we currently have a problem with an amount of 'escaping' query traffic. ( Note that K.root does not see the same scale as Kato-san's report, but the problem is visible. )

A 'cute' way to fix it, that satisfies the slightly clueful, is to delegate the problem TLD (.local) to 'localhost'. The more clueful note that this will probably cause more traffic (lame delegations cause more problems than you'd believe).

However, what are we trying to fix? The fact that the traffic is reaching the roots, or that the traffic is escaping from the local networks?

If the former, we could correctly delegate (ie, not a lame delegation) '.local' somewhere other than the roots, and let that sink the traffic. Or simply put a wildcard record in for '*.local. IN A 127.0.0.1' and let each site figure out what's wrong.

If the latter, we probably want to focus on active education, naturally combined with a bit of trickery to rub people's noses in their misconfiguration. ( Writing RFCs is fine, but until they know about the problem, people aren't going to read an informative document )

For that I'd suggest delegating '.local.' to the anycasted AS112 project (so you've got localised traffic sinks), and wildcard records within to a website hosted on each AS112, to the effect of 'If you can read this, you have misconfigured your nameserver and local zone setup. Here are a few tips to correct this' (etc).
--
Bruce Campbell                                RIPE Systems/Network Engineer
NCC www.ripe.net - PGP562C8B1B                Operations/Security

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
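The site-side fix the message keeps pointing at is to answer '.local' locally so the queries never leave the network; the following is an added illustration of that wildcard-sink idea, not configuration from the original message, from RIPE or from the AS112 project. It assumes BIND 9 syntax, a resolver that already serves the usual 'localhost' zone, and a file path chosen for the example.

```bind
// named.conf stanza (hypothetical path): make this resolver authoritative
// for "local" so queries for *.local are answered here instead of escaping
// to the root servers.
zone "local" {
    type master;
    file "/etc/bind/db.local-sink";
};

// ---- /etc/bind/db.local-sink ----
// Zone file for the sink. Every name under local. resolves to 127.0.0.1,
// so a misconfigured client talks to itself rather than to the roots.
$TTL 86400
$ORIGIN local.
@       IN SOA  localhost. hostmaster.localhost. (
                2003031301 ; serial (constructed, date-based)
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; negative-cache TTL: misses are cached, not re-asked
@       IN NS   localhost.
*       IN A    127.0.0.1
```

After reloading, `dig @127.0.0.1 anything.local A` should return 127.0.0.1 with an authoritative answer; a query log on the upstream resolver showing no further `.local` lookups confirms the traffic has stopped leaking.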