[dns-operations] Reducing AS112 traffic

Sidney Faber sfaber at cert.org
Mon Nov 19 15:25:24 UTC 2007

(1) should have been:
Create in-addr.arpa zones for private address space as per
Sorry for the confusion.

I'm really interested in your response to Paul's comment; this was based
para 7, and Joe's given an example of at least one unintended
consequence.  Should this never be a recommendation?

   Possible measures which might be taken to prevent these queries
   2.  Block reverse DNS queries to the AS112 servers from leaving the
       site using firewalls between the site and the Internet.  Although
       this might appear to be sensible, such a measure might have
       unintended consequences: the inability to receive an answer to
       reverse DNS queries might lead to long DNS lookup timeouts, for
       example, which could cause applications to malfunction.

Paul Vixie wrote:
>> (3)  Block traffic to, but only do this if you've
>> already done (1) or (2) and you're sure you won't impact operations.
> i don't think (3) is right.  when we started AS112 we could have assigned
> these zones to servers in private address space, or to servernames like "."
> or addresses like or  we chose a real netblock because
> we wanted this to be a real service.  if an enclave can't do (1) or (2)
> then i think i'd prefer to be able to measure their traffic as part of
> this "whole internet" thing.  also, a recommendation such as (3) creates a
> new kind of private address space, which really should be beyond our powers.

Sid Faber, Member of the Technical Staff
Software Engineering Institute
Carnegie Mellon University
sfaber at cert.org
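
An added example, not part of the original message: Python that lists the in-addr.arpa zones a site would serve locally under measure (1) and flags the PTR queries those zones would answer instead of letting them leave the site. It assumes "private address space" means the RFC 1918 ranges; the `client qtype qname` log format and the sample lines are constructed for illustration.

```python
import ipaddress

# Assumption: "private address space" means the RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def reverse_zones(net):
    """Return the octet-aligned in-addr.arpa zones that cover `net`."""
    # Round the prefix up to the next octet boundary (/12 -> /16), because
    # in-addr.arpa names are built from whole octets.
    octets = -(-net.prefixlen // 8)
    zones = []
    for sub in net.subnets(new_prefix=octets * 8):
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones

LOCAL_ZONES = [z for n in PRIVATE_NETS for z in reverse_zones(n)]

def covering_zone(qname):
    """Return the local zone that would answer `qname`, or None."""
    name = qname.lower().rstrip(".")
    for zone in LOCAL_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None

def leaking_queries(log_lines):
    """Pick PTR queries for private space from 'client qtype qname' lines."""
    hits = []
    for line in log_lines:
        client, qtype, qname = line.split()
        zone = covering_zone(qname)
        if qtype == "PTR" and zone:
            hits.append((client, qname, zone))
    return hits

# Constructed sample of outbound query-log lines (hypothetical format).
SAMPLE_LOG = [
    "192.0.2.10 PTR 5.1.168.192.in-addr.arpa.",
    "192.0.2.11 PTR 8.8.8.8.in-addr.arpa.",
    "192.0.2.10 PTR 1.0.20.172.in-addr.arpa.",
    "192.0.2.12 PTR 1.0.32.172.in-addr.arpa.",
    "192.0.2.12 A www.example.com.",
]

if __name__ == "__main__":
    print("\n".join(LOCAL_ZONES))
    for hit in leaking_queries(SAMPLE_LOG):
        print(hit)
```

Running the check against real resolver logs before and after the local zones are added shows whether any private-space PTR queries are still being forwarded off-site.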

