[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)
Ed.Lewis at neustar.biz
Thu Jan 10 15:56:10 UTC 2008
At 15:17 +0000 1/10/08, Paul Vixie wrote:
>i must have misstated. i said "walk the tree from the root to itself" so
>i mean that as the owner of vix.com i'd check that the root's delegation to
>com matched(*) com's apex, and that com's delegation to vix.com matched(*)
>vix.com's apex, and that every server answered authoritatively and that the
>serial numbers were close(*). i do not mean look for all delegations
>involving my server, just all the delegations that lead to my zones.
What would be most useful, now speaking from the perspective of
someone running a domain and not as a TLD employee, is a tool that
first presented the "observed" data out there and secondly drew
What I mean is that I'd like to see a tool that descended zone by
zone, breadth-first by server at the parent and then servers only
listed at the child, listing all RR sets related to the path of
Name servers that appear at only one side of a delegation should be
noted, as well as any that are unresponsive or are lame. Also,
serial numbers for each zone/server are helpful.
What I would dream of is a tool that even exposes the unseen zones on
a server. E.g., if a server hosts both the parent and grandparent, I
want to see the grandparent's delegation to the parent too. (I once
had a situation involving a zone whose every delegation was lame or
broken, but all the children were on the same servers. The world
didn't know about it, I did because I was slaving the zone. The zone
no longer exists, the admins have been dealt with.)
The goal is to arm me with the data I would need to report a problem
to the guilty zone administrator - whether the problem is because of
an out-of-serial slave of theirs, an incorrect NS for me, an
incorrect glue entry of their server at the grandparent, etc.
Don't try to label anything as an error or warning. Tools I have
seen often will perform the observations okay, but choke in diagnosis
and cause calls to help desks that shouldn't have happened.
>what "match" means, to me, is that the below-the-cut nameservers are a proper
>superset of the above-the-cut nameservers, and that all the nameserver A/AAAA
>rrsets exactly match each other. but the tool should have a knob, since my
>definition of "match" might not be one-size-fits-all.
I don't quibble with the first sentence, but the latter is is more important.
Edward Lewis +1-571-434-5468
Think glocally. Act confused.
More information about the dns-operations