[191460] in North American Network Operators' Group
Re: QWEST.NET can you fix your nameservers
daemon@ATHENA.MIT.EDU (Eric Tykwinski)
Thu Sep 15 19:39:58 2016
X-Original-To: nanog@nanog.org
From: Eric Tykwinski <eric-list@truenet.com>
Date: Thu, 15 Sep 2016 19:39:45 -0400
To: nanog list <nanog@nanog.org>
In-Reply-To: <20160915233057.3671554564B6@rock.dv.isc.org>
Errors-To: nanog-bounces@nanog.org
Ironically, I always wondered why I was told not to publish SPF records, since it did make more sense to have both, and slowly remove the TXT records later. Thanks for the heads up…
What do you think really is best practice now?
Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
> On Sep 15, 2016, at 7:30 PM, Mark Andrews <marka@isc.org> wrote:
>
> So your helpdesks don't get problem reports when people can't look
> up domain names? Recursive DNS vendors don't get bug reports when
> domain names can't be looked up. We don't get fixes developed
> because there are too many broken servers out there.
>
> Because some servers don't answer EDNS requests this leads to false
> positives on servers not supporting EDNS when they do. This in turn
> leads to DNSSEC validation failures as you don't get DNSSEC answers
> without EDNS.
>
> IPv6 deployment was put back years because AAAA DNS lookups got
> wrong answers.
>
> DANE deployment is slow because DNS servers give bad answers to
> _<port>._tcp.<server-name>/TLSA.
>
> Then there is SPF. A fair portion of the reason why the SPF record
> failed, despite it being architecturally cleaner than using TXT
> records, is that some nameservers gave bad responses to SPF queries.
>
> I could go find more examples of the cost of non DNS protocol
> compliance.
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
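The EDNS failure modes Mark lists (no answer to an EDNS query, an answer with the OPT record silently dropped, DO not honoured so no DNSSEC data comes back) are easy to see on the wire. The following is an added example, not code from either poster or from ISC: it builds a DNS query with an EDNS(0) OPT record and the DO bit (RFC 6891, RFC 3225), parses a reply, and assigns it a verdict the way a resolver probing a server would. Only the standard library is used. The verdict names, the 0x1234 transaction ID, the 1232-byte UDP size and the sample replies fed to `verdicts()` are assumptions constructed for illustration; `probe()` sends the same query to a live server if you want real data.

```python
# Added example, not code from the NANOG posters or from ISC: build an EDNS(0)
# query carrying the DO bit (RFC 6891, RFC 3225) and classify a nameserver's
# reply as a compliance probe would. The sample replies are constructed here.
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_SPF, CLASS_IN = 1, 41, 99, 1
FLAG_QR, FLAG_RD, FORMERR, NOTIMP = 0x8000, 0x0100, 1, 4
EDNS_DO = 0x8000        # DO bit: high bit of the low 16 bits of the OPT "TTL"

def encode_name(name):
    # Wire-format a dotted name as length-prefixed labels (no compression).
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def opt_record(udp_size=1232, do=True, ext_rcode=0):
    # OPT pseudo-RR: root name, type 41, CLASS = UDP payload size,
    # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15), empty RDATA.
    ttl = (ext_rcode << 24) | (EDNS_DO if do else 0)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)

def build_query(name, qtype, txid=0x1234, edns=True, do=True):
    """One question; ARCOUNT=1 only when an OPT record is appended."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    return msg + opt_record(do=do) if edns else msg

def skip_name(msg, off):
    """Advance past a name; a compression pointer (RFC 1035 4.1.4) ends it."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (1 if msg[off] == 0 else 2)

def parse_response(msg):
    """Header fields plus each RR as (type, class, ttl, rdata); the 12-bit
    extended RCODE is assembled from the OPT record when one is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, rrs = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrs.append((rtype, rclass, ttl, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    opt = next((r for r in rrs if r[0] == TYPE_OPT), None)
    rcode, do = flags & 0x0F, False
    if opt is not None:
        rcode |= ((opt[2] >> 24) & 0xFF) << 4
        do = bool(opt[2] & EDNS_DO)
    return {"txid": txid, "qr": bool(flags & FLAG_QR), "rcode": rcode,
            "opt": opt is not None, "do": do, "rrs": rrs}

def classify(query, reply):
    """Verdict for one probe; reply is None when nothing came back in time."""
    if reply is None:
        return "timeout"          # dropped EDNS query or dead server: retry without OPT to tell
    r = parse_response(reply)
    if r["txid"] != struct.unpack("!H", query[:2])[0] or not r["qr"]:
        return "bogus"
    if r["rcode"] in (FORMERR, NOTIMP) and not r["opt"]:
        return "edns-unsupported"  # honest pre-EDNS server (RFC 6891 section 7)
    if not r["opt"]:
        return "edns-stripped"    # answered, but silently dropped the OPT
    if not r["do"]:
        return "do-ignored"       # DO not echoed: no RRSIGs, validation fails
    return "edns-ok"

def probe(server, name, qtype, timeout=2.0):
    """Send one EDNS/DO probe over UDP; returns (query, reply or None)."""
    query = build_query(name, qtype)
    fam, _, _, _, addr = socket.getaddrinfo(server, 53, type=socket.SOCK_DGRAM)[0]
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, addr)
        try:
            return query, s.recvfrom(4096)[0]
        except socket.timeout:
            return query, None

def build_reply(query, rcode=0, answers=(), edns=True, do=True):
    # Constructed reply echoing the query's question section (test data only).
    qend = skip_name(query, 12) + 4
    hdr = query[:2] + struct.pack("!HHHHH", FLAG_QR | FLAG_RD | (rcode & 0x0F),
                                  1, len(answers), 0, 1 if edns else 0)
    ans = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, CLASS_IN, 300, len(rd)) + rd
                   for t, rd in answers)
    return hdr + query[12:qend] + ans + (opt_record(do=do, ext_rcode=rcode >> 4) if edns else b"")

QUERY = build_query("www.example.com", TYPE_A)
A_RR = [(TYPE_A, bytes([192, 0, 2, 1]))]      # constructed answer, RFC 5737 range
SAMPLE_REPLIES = {                             # constructed, not captured
    "compliant": build_reply(QUERY, answers=A_RR),
    "pre_edns": build_reply(QUERY, rcode=FORMERR, edns=False),
    "opt_dropped": build_reply(QUERY, answers=A_RR, edns=False),
    "do_ignored": build_reply(QUERY, answers=A_RR, do=False),
    "dropped": None,
}

def verdicts(replies=SAMPLE_REPLIES, query=QUERY):
    return {name: classify(query, reply) for name, reply in replies.items()}
```

The "timeout" verdict is the one that does the damage Mark describes: a resolver cannot tell a server that drops EDNS queries from one that merely lost a packet, so after a timeout it falls back to a plain query and tends to remember the server as EDNS-incapable, at which point DNSSEC answers stop arriving even from a compliant server. Swap `TYPE_A` for `TYPE_SPF` or for a TLSA lookup at `_<port>._tcp.<server-name>` to exercise the other two cases in the thread.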