[194146] in North American Network Operators' Group


Re: [NOC] ARIN contact needed: something bad happens with legacy IPv4

daemon@ATHENA.MIT.EDU (John Curran)
Sat Mar 18 23:58:29 2017

X-Original-To: nanog@nanog.org
X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information
From: John Curran <jcurran@istaff.org>
Date: Sat, 18 Mar 2017 23:58:06 -0400
In-Reply-To: <9f95009a-1351-8cdd-75d5-ff98fd9c1695@dougbarton.us>
To: Doug Barton <dougb@dougbarton.us>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

On 18 Mar 2017, at 9:58 PM, Doug Barton <dougb@dougbarton.us> wrote:
>
> My eyebrows reacted to this the same way Bill's did. It sounds like this is at least a semi-automated system. Such things should have sanity checks on the receiving side when told to remove large gobs of data, even if the instructions validate correctly.
>
> More fundamentally, according to the RIPE report they are sending you something called "zonelets" which you then process into actual DNS data. Can you say something about the relative merit of this system, vs. simply delegating the right zones to the right parties and letting the DNS do what it was intended to do?
>
> At minimum the fact that this automated system was allowed to wipe out great chunks of important data calls it into question. And sure, you can all 3 fix the bugs you found this time around, but up until these bugs were triggered you all thought the system was functioning perfectly, in spite of it ending up doing something that obviously was not intended.

Doug -

   We could indeed decide to ignore correctly formatted and signed information if it doesn’t match some heuristics that we put in place (e.g. empty zone, zone with only 1 entry, zone that changes more than 10% in size, etc.)

   Some downsides with this approach are that: 1) we’d be establishing heuristics for data that originates with a different organization and absent knowledge of their business changes, and 2) this would mean that there could be occasions where proper data cannot be installed without manual intervention (because the changes happen to be outside of whatever heuristics have previously been put in place.)

   Despite the associated risk, we are happy to install such checks if RIPE requests them, but this time are processing them as we agreed to do so – which is whenever we receive correctly formatted and properly signed requests from them. (You should inquire to RIPE for more detail regarding their future intentions in this regard.)

   As to why DNS-native zone operations are not utilized, the challenge is that reverse DNS zones for IPv4 and DNS operations are on octet boundaries, but IPv4 address blocks may be aligned on any bit boundary.  Thus, a single IPv4 octet range may contain IPv4 address blocks that are administered by multiple RIRs, making it necessary for one RIR to be authoritative for the entire zone and other RIRs to send information separately on their IPv4 address blocks in that same range so that it gets included in the appropriate zone file.

Excellent questions - thanks!
/John

John Curran
President and CEO
ARIN
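A worked illustration of the two points in the reply above (why off-octet blocks force one RIR to carry another's reverse data, and the empty/single-entry/10% sanity heuristics), added here as example code; it is not ARIN's or RIPE's software, and the prefixes and RIR names in it are constructed.

```python
import ipaddress

def reverse_zone_for(prefix):
    """Smallest octet-aligned in-addr.arpa zone (/8, /16 or /24) wholly containing prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen > 24:
        raise ValueError("classless (/25 and longer) reverse delegation is not modelled")
    depth = net.prefixlen // 8                        # whole octets fixed by the prefix
    octets = str(net.network_address).split(".")
    return ".".join(list(reversed(octets[:depth])) + ["in-addr", "arpa"])

def zonelet_for(prefix):
    """(zone, child labels) the block's holder must hand to that zone's operator; [] if the block is itself a zone."""
    net = ipaddress.ip_network(prefix, strict=True)
    zone = reverse_zone_for(prefix)
    depth = net.prefixlen // 8
    if net.prefixlen == depth * 8:
        return zone, []
    children = net.subnets(new_prefix=(depth + 1) * 8)
    return zone, [str(c.network_address).split(".")[depth] for c in children]

def zone_contributors(allocations):
    """Labels per zone per RIR; a zone listing several RIRs needs zonelets from all but the authoritative one."""
    zones = {}
    for prefix, rir in allocations:
        zone, labels = zonelet_for(prefix)
        zones.setdefault(zone, {}).setdefault(rir, []).extend(labels)
    return zones

def review_reasons(old_labels, new_labels, max_change=0.10):
    """Reply's heuristics: hold a signed zonelet that is empty, has one entry, or resizes the zone by > max_change."""
    reasons = []
    if not new_labels:
        reasons.append("empty zonelet")
    elif len(new_labels) == 1:
        reasons.append("only one entry")
    if old_labels:
        change = abs(len(new_labels) - len(old_labels)) / len(old_labels)
        if change > max_change:
            reasons.append(f"size changed by {change:.0%}")
    return reasons

ALLOCATIONS = [                 # constructed sample, not real RIR holdings
    ("10.0.0.0/12", "RIR-A"),   # off-octet: needs labels 0..15 carried in 10.in-addr.arpa
    ("10.32.0.0/13", "RIR-B"),  # a second RIR's block inside the same /8 zone
    ("10.16.0.0/16", "RIR-B"),  # octet-aligned: simply delegated as its own zone
]

if __name__ == "__main__":
    print(zone_contributors(ALLOCATIONS))
```

Running it shows 10.in-addr.arpa needing labels from both RIR-A and RIR-B, while 16.10.in-addr.arpa needs none, which is the case the reply describes.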
