
nanog mailing list archives

Re: AW: Odd policy question.
From: Joseph S D Yao <jsdy () center osis gov>
Date: Sat, 14 Jan 2006 23:58:01 -0500


On Sat, Jan 14, 2006 at 04:44:02PM -0500, Jeffrey I. Schiller wrote:
...
As an engineer, I believe we would need a protocol that would permit
someone to query an IP address to ask what DNS domains it may be an NS
for. A simple client server response protocol. Lack of a response would
mean "all are welcome here." Sort of the analogue of "robots.txt" for
webservers. Then if you wanted to disclaim a domain, you set up a server
and notify the registrar of the offending domain.

Now as a practical matter, I don't see this happening any time soon.
This is simply because this is a lot of mechanism for a problem that I
doubt many people have.
...


On Sat, Jan 14, 2006 at 05:06:20PM -0500, Jeffrey I. Schiller wrote:
...
Foolish me. Indeed all that is required is a way to detect that the
delegation is lame (hopefully in a secure fashion) and remove the lame
delegations. Of course that does leave the problem of what to do if all
of the delegations are lame, as Randy has alluded to.
...


If the intent of the first is to ask, for what zones are you
authoritative, with the return being a complete list, then:
(a) for many servers this would be a very long list, which may even
require TCP/53, which will break some who don't yet accept TCP/53 for
queries, which may be seen in the long run as a GOOD thing but in the
short run causes problems; and
(b) ISTM that a number of people don't WANT to announce every domain
that they may be hosting, which is their right, and which may be why
there is no such query to date.

If the intent of the first is to ask, here is a zone, are you
authoritative for it?  then just do the query.  If it is up and
authoritative, it will reply and say so.  If it is up and not
authoritative, it will either reply and say so, or not reply, depending
on its configuration.  If it is down, you need to try another server
anyway.  [Begs the question of what the DNS police do, but ...]

The second is a long-acknowledged problem more or less equivalent to the
immediately above.


-- 
Joe Yao
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
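
Added example, not part of the original message: a sketch of the "just do the query" check described above, sending a non-recursive SOA query to one listed name server and reading the AA bit and RCODE of the reply. The function names, the fixed query ID and the example.com sample replies are assumptions constructed for illustration.

```python
import socket
import struct

QR, AA = 0x8000, 0x0400  # DNS header flag bits (RFC 1035)

def build_query(zone, qid=0x1234):
    """Encode a non-recursive (RD=0) SOA query for `zone`."""
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 6, 1)

def classify(query, response):
    """Judge one server's reply; response=None means the query timed out."""
    if response is None:
        return "no-reply"   # down or configured to stay silent: try another server
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "malformed"  # ID mismatch or not a response at all
    rcode = flags & 0x000F
    if rcode == 0 and flags & AA and ancount > 0:
        return "authoritative"
    return "lame"           # REFUSED, SERVFAIL, referral, or non-AA answer

def probe(server_ip, zone, timeout=3.0):
    """Send the SOA query over UDP/53 (IPv4) to one listed NS and classify the reply."""
    query = build_query(zone)  # fixed ID for the demo; use a random one in practice
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server_ip, 53))
            response, _ = s.recvfrom(4096)
        except OSError:        # includes socket.timeout
            response = None
    return classify(query, response)

# Constructed sample replies for example.com (not captured traffic).
Q = build_query("example.com")
QUESTION = Q[12:]
SOA_RR = (b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, 24) + b"\xc0\x0c\xc0\x0c"
          + struct.pack("!IIIII", 1, 3600, 600, 86400, 300))
GOOD = struct.pack("!HHHHHH", 0x1234, QR | AA, 1, 1, 0, 0) + QUESTION + SOA_RR
REFUSED = struct.pack("!HHHHHH", 0x1234, QR | 5, 1, 0, 0, 0) + QUESTION
NON_AA = struct.pack("!HHHHHH", 0x1234, QR, 1, 1, 0, 0) + QUESTION + SOA_RR

if __name__ == "__main__":
    for name, resp in [("GOOD", GOOD), ("REFUSED", REFUSED), ("NON_AA", NON_AA), ("timeout", None)]:
        print(name, classify(Q, resp))
```

A "no-reply" result is ambiguous by itself, as the message notes: the server may be down or may be configured not to answer for zones it does not serve.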

