[34051] in North American Network Operators' Group


RE: How common is lack of DNS server diversity?

daemon@ATHENA.MIT.EDU (Roeland Meyer)
Sat Jan 27 16:54:52 2001

Message-ID: <9DC8BBAD4FF100408FC7D18D1F092286039BA1@condor.mhsc.com>
From: Roeland Meyer <rmeyer@mhsc.com>
To: "'bmanning@vacation.karoshi.com'" <bmanning@vacation.karoshi.com>,
	Roeland Meyer <rmeyer@mhsc.com>
Cc: joshua@roughtrade.net, Roeland Meyer <rmeyer@mhsc.com>,
	nanog@merit.edu
Date: Sat, 27 Jan 2001 13:52:11 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Errors-To: owner-nanog-outgoing@merit.edu


<Root server> ::= Any DNS server that has final authority for a
    <domain tier/level>;
<domain tier/level> ::= root, TLD, SLD, 3LD, ... nLD (0LD, 1LD, 2LD, ..., nLD).
This is not to be confused with root level servers that have specific
authority for dot, at the root level (0LD).

One thing missing from the RFC specs for authoritative name servers, which
Kashpureff demonstrated so nicely, is that cache poisoning is possible at ALL
levels. Ergo, I thought that it was determined as best practice that name
servers that were offered up, as references, should be root for that level.
That is, they should be non-recursive. This includes all NS references in
all zone files. What should occur is that an org set up zone level roots and
then use separate resolving servers for client access to the DNS. This is a
two-tier structure with the primary tier being non-recursive. Ergo, within a
<domain tier> there are operational tiers for root services and resolving
services, per zone authority. RFC2870 only discusses this at the 0LD and
only touches it lightly at other LDs.

Another thing missing is a further definition of <authoritative>. Some of us
have been working with the following:
<Authoritative servers> ::= <zone authority>|<domain level authority>|
    <authoritative resolvers>
<zone authority> ::= Final authority for a zone, non recursive.
<domain level authority> ::= Final authority for a DL, non recursive (i.e.
    a.root-servers.net, gtld-servers.net, etc).
<authoritative resolvers> ::= recursive servers, intended for use by
clients, that claim authority for their specific zones. These include
stub-resolvers.

BTW, I consider RFC2870 antiquated, because it presupposes an architecture
which may be outmoded or becoming outmoded rapidly. Load balancing and
clustering technology makes RFC2870 an unnecessary waste of resources and
can even get you into trouble.

Yes, some of this is from work done on the ORSC roots. Yes, one of the
largest problems we have had to overcome, at ORSC, IFWP, and ICANN/DNSO
discussions, was semantic problems caused by overly simplistic and generic
semantics. This, in some part, explains why MSFT had to develop their own
semantics; the current semantics are inadequate. As we all should know,
semantics constrains design concepts. However, in such a case, designers
will create their own semantics to route around the problem. This happened
at MSFT, ORSC, and other places that didn't join/agree/submit to
namedroppers.

-- 
ROELAND M.J. MEYER
Information Technology Architect
Morgan Hill Software Company, Inc.
TEL: +001 925 373 3954
FAX: +001 925 373 9781
http://www.mhsc.com
mailto: rmeyer@mhsc.com


> -----Original Message-----
> From: bmanning@vacation.karoshi.com
> [mailto:bmanning@vacation.karoshi.com]
> Sent: Saturday, January 27, 2001 12:51 PM
> To: rmeyer@mhsc.com
> Cc: joshua@roughtrade.net; rmeyer@mhsc.com; nanog@merit.edu
> Subject: Re: How common is lack of DNS server diversity?
> 
> 
> 
> > > > More interestingly, how many root servers allow 
> recursive lookup?
> > > 
> > > a quick looping probe shows that none of them do, nor the 
> gTLD servers
> > > (phew!) although L.ROOT-SERVERS.NET and H.GTLD-SERVERS.NET 
> > > are unreachable
> > > from my view. Preparing an accurate list of all TLD servers 
> > > glued in the
> > > root zone will take a little longer.
> > 
> > I was talking about root servers at ALL levels, not just the root.
> > 
> 
> 	Perhaps you are using the term "root servers" in a different
> 	manner than I am used to.  For me:
> 
> 	"Root Server" = a DNS server for the zone "." in the Internet.
> 
> 	What do you mean by "root servers at ALL levels, not 
> just the root."
> 	That construction just does not parse.
> 
> --bill
> 
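As an added example, not part of this thread or anyone's posted code, a small Python probe that does the check bill describes above: it sends a query with the RD bit set and classifies the answering server from the RA and AA bits in its reply header. A server offered as an NS reference for a zone level should answer without RA set. The `probe` function needs network access; the sample headers below are constructed, not captured, so the classifier can be exercised offline.

```python
import socket
import struct

# DNS header flag bits, RFC 1035 section 4.1.1
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_REFUSED = 5

def build_query(name, txid=0x1234, qtype=1):
    """Wire-format query for an A record with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN

def classify_response(data, txid=0x1234):
    """Classify the answering server from the flags in its 12-byte header."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & QR:
        raise ValueError("not a response to our query")
    if flags & RA:          # server offers recursion: a resolver, not a zone-level root
        return "recursive resolver"
    if flags & AA:
        return "authoritative, non-recursive"
    if flags & 0x000F == RCODE_REFUSED:
        return "refused"
    return "non-authoritative, non-recursive (referral)"

def probe(server, name, timeout=2.0):
    """Send one RD=1 query over UDP to a server and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return classify_response(data)

# Constructed sample headers (no question/answer sections) for offline use.
SAMPLE_AUTHORITATIVE = bytes.fromhex("1234 8400 0001 0001 0000 0000")
SAMPLE_OPEN_RESOLVER = bytes.fromhex("1234 8180 0001 0001 0000 0000")
SAMPLE_REFUSED       = bytes.fromhex("1234 8105 0001 0000 0000 0000")
SAMPLE_REFERRAL      = bytes.fromhex("1234 8000 0001 0000 0002 0000")

if __name__ == "__main__":
    for label, raw in [("auth", SAMPLE_AUTHORITATIVE), ("open", SAMPLE_OPEN_RESOLVER)]:
        print(label, classify_response(raw))
```

Run `probe` against each server listed in your own zone's NS records; any result of "recursive resolver" is a server that belongs in the resolving tier, not the authoritative one.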

