[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)
Edward Lewis
Ed.Lewis at neustar.biz
Thu Jan 10 15:56:10 UTC 2008
At 15:17 +0000 1/10/08, Paul Vixie wrote:
>i must have misstated. i said "walk the tree from the root to itself" so
>i mean that as the owner of vix.com i'd check that the root's delegation to
>com matched(*) com's apex, and that com's delegation to vix.com matched(*)
>vix.com's apex, and that every server answered authoritatively and that the
>serial numbers were close(*). i do not mean look for all delegations
>involving my server, just all the delegations that lead to my zones.
What would be most useful, now speaking from the perspective of
someone running a domain and not as a TLD employee, is a tool that
first presented the "observed" data out there and secondly drew
conclusions.
What I mean is that I'd like to see a tool that descended zone by
zone, breadth-first by server at the parent and then servers only
listed at the child, listing all RR sets related to the path of
interest.
Name servers that appear at only one side of a delegation should be
noted, as well as any that are unresponsive or are lame. Also,
serial numbers for each zone/server are helpful.
What I would dream of is a tool that even exposes the unseen zones on
a server. E.g., if a server hosts both the parent and grandparent, I
want to see the grandparent's delegation to the parent too. (I once
had a situation involving a zone whose every delegation was lame or
broken, but all the children were on the same servers. The world
didn't know about it, I did because I was slaving the zone. The zone
no longer exists, the admins have been dealt with.)
The goal is to arm me with the data I would need to report a problem
to the guilty zone administrator - whether the problem is because of
an out-of-serial slave of theirs, an incorrect NS for me, an
incorrect glue entry of their server at the grandparent, etc.
Don't try to label anything as an error or warning. Tools I have
seen often will perform the observations okay, but choke in diagnosis
and cause calls to help desks that shouldn't have happened.
>what "match" means, to me, is that the below-the-cut nameservers are a proper
>superset of the above-the-cut nameservers, and that all the nameserver A/AAAA
>rrsets exactly match each other. but the tool should have a knob, since my
>definition of "match" might not be one-size-fits-all.
I don't quibble with the first sentence, but the latter is more important.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Think glocally. Act confused.
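The walker the two posts sketch, as an added example (not code from the thread, from either author, or from any shipping tool): it walks root -> ... -> zone, asks the parent-side servers for each cut's NS RRset and glue, then asks the child apex servers breadth-first (parent-listed names first, child-only names as they turn up), and records what it saw: names on only one side of the cut, glue that differs from the child's own A/AAAA, lame and unresponsive servers, and each server's serial. It reports observations only and leaves "error" to the reader, as Lewis asks; the `matches()` function is Vixie's definition with the knob he mentions. Everything below the `walk` function is a constructed test network using documentation addresses (192.0.2.0/24); the reply shape `(aa flag, rdata strings)` / `None`, the function names and the stale-glue, lame and one-serial-behind scenarios are assumptions made for this example, not observations about any real zone.

```python
"""Added example, not code from the thread: a delegation walker of the kind Vixie
and Lewis describe.  It walks root -> zone, compares the NS set and glue each parent
publishes with what the child apex servers say, and records observations (one-sided
names, glue mismatches, lame or unresponsive servers, serials) without calling any of
them errors.  Replies are (aa flag, rdata strings) or None for no answer, with SOA
rdata reduced to the serial; this shape is assumed here, not a DNS library's API."""

def _addrs(query, ip: str, name: str) -> frozenset:
    """Union of the A and AAAA rdata one server returns for a name."""
    return frozenset(a for t in ("A", "AAAA") for a in (query(ip, name, t) or (0, ()))[1])

def check_cut(zone: str, parent_ips: list, query) -> dict:
    """One cut, breadth-first: the parent's servers first, then child-only names."""
    suffix, parent_ns, glue, addrs = "." + zone, set(), {}, {}
    for ip in parent_ips:  # parent side: NS RRset plus glue for in-bailiwick names
        ans = query(ip, zone, "NS")
        for ns in (ans[1] if ans else ()):
            parent_ns.add(ns)
            if ns.endswith(suffix):  # out-of-bailiwick names would need resolving; skipped
                glue.setdefault(ns, set()).update(_addrs(query, ip, ns))
                addrs.setdefault(ns, set()).update(glue[ns])
    child_ns, child_addrs, lame, unresp, serials, good_ips = set(), {}, [], [], {}, []
    queue, seen = sorted(parent_ns), set()
    while queue:
        ns = queue.pop(0)
        if ns in seen:
            continue
        seen.add(ns)
        for ip in sorted(addrs.get(ns, ())):  # addresses from parent glue and child A/AAAA
            tag, ans = f"{ns}/{ip}", query(ip, zone, "NS")
            if ans is None or not ans[0]:  # no answer, or answered but not authoritative
                (unresp if ans is None else lame).append(tag)
                continue
            good_ips.append(ip)
            child_ns |= ans[1]
            soa = query(ip, zone, "SOA")
            if soa and soa[0] and soa[1]:
                serials[tag] = int(next(iter(soa[1])))
            for name in sorted(ans[1]):
                if name.endswith(suffix):
                    a = _addrs(query, ip, name)
                    child_addrs.setdefault(name, set()).update(a)
                    addrs.setdefault(name, set()).update(a)
                queue.append(name)  # names only the child lists get visited too
    return {"zone": zone, "parent_ns": frozenset(parent_ns), "child_ns": frozenset(child_ns),
            "glue": {n: frozenset(a) for n, a in glue.items()},
            "child_addrs": {n: frozenset(a) for n, a in child_addrs.items()},
            "lame": lame, "unresponsive": unresp, "serials": serials, "good_ips": good_ips}

def glue_mismatch(rep: dict) -> dict:
    """In-bailiwick names whose parent glue differs from the child's own A/AAAA."""
    return {n: (g, rep["child_addrs"][n]) for n, g in rep["glue"].items()
            if n in rep["child_addrs"] and rep["child_addrs"][n] != g}

def matches(rep: dict, proper_superset: bool = False, glue_exact: bool = True) -> bool:
    """Vixie's "match" with the knob he asks for: the child's NS set is a (proper)
    superset of the parent's, and every glued address set matches exactly."""
    ok = rep["parent_ns"] <= rep["child_ns"] and (not proper_superset or rep["parent_ns"] != rep["child_ns"])
    return ok and (not glue_exact or not glue_mismatch(rep))

def walk(path: list, root_ips: list, query) -> list:
    """Root -> ... -> zone, asking each cut of the servers that answered aa for its parent."""
    reports, parent_ips = [], list(root_ips)
    for zone in path:
        reports.append(check_cut(zone, parent_ips, query))
        parent_ips = reports[-1]["good_ips"]
    return reports

# Constructed test network (documentation addresses, not real servers).
_COM = {  # a.ns.com./b.ns.com. serve com. and delegate vix.com. with stale glue for ns2
    ("com.", "NS"): (True, {"a.ns.com.", "b.ns.com."}), ("com.", "SOA"): (True, {"2008011001"}),
    ("a.ns.com.", "A"): (True, {"192.0.2.10"}), ("b.ns.com.", "A"): (True, {"192.0.2.11"}),
    ("vix.com.", "NS"): (False, {"ns1.vix.com.", "ns2.vix.com."}),
    ("ns1.vix.com.", "A"): (False, {"192.0.2.20"}), ("ns2.vix.com.", "A"): (False, {"192.0.2.21"}),
}
_NET = {  # ip -> {(qname, qtype): (aa, rdata)}; an ip missing here never answers
    "192.0.2.1": {("com.", "NS"): (False, {"a.ns.com.", "b.ns.com."}),  # root hint
                  ("a.ns.com.", "A"): (False, {"192.0.2.10"}), ("b.ns.com.", "A"): (False, {"192.0.2.11"})},
    "192.0.2.10": _COM,
    "192.0.2.11": {**_COM, ("com.", "SOA"): (True, {"2008011000"})},  # slave one serial behind
    "192.0.2.20": {("vix.com.", "NS"): (True, {"ns1.vix.com.", "ns2.vix.com.", "ns3.vix.com."}),
                   ("vix.com.", "SOA"): (True, {"2008011001"}), ("ns1.vix.com.", "A"): (True, {"192.0.2.20"}),
                   ("ns2.vix.com.", "A"): (True, {"192.0.2.99"}),   # ns2 moved, parent glue not updated
                   ("ns3.vix.com.", "A"): (True, {"192.0.2.22"})},  # ns3 is listed only at the child
    "192.0.2.22": {},  # ns3 answers but is not configured for vix.com. (lame); ns2 never answers
}

def fake_query(ip: str, qname: str, qtype: str):
    server = _NET.get(ip)  # a real tool would send the query over the wire here
    if server is None:
        return None
    aa, rdata = server.get((qname, qtype), (False, ()))
    return aa, frozenset(rdata)

def run_demo() -> list:
    return walk(["com.", "vix.com."], ["192.0.2.1"], fake_query)

if __name__ == "__main__":
    for r in run_demo():  # observations only; deciding what is an error is left to the reader
        print(r["zone"], matches(r), sorted(r["child_ns"] - r["parent_ns"]), glue_mismatch(r),
              r["lame"], r["unresponsive"], r["serials"])
```

On the constructed data the com. cut matches (and stops matching only with the proper-superset knob, since both sides list the same two names), while the vix.com. cut shows the kind of record Lewis wants to hand to a parent or grandparent operator: ns3 appears only at the child, the parent's glue for ns2 (192.0.2.21) disagrees with what the child says (192.0.2.99), neither address for ns2 answers, ns3 answers but not authoritatively, and only one serial could be collected. Pointing it at the real tree means replacing `fake_query` with a function that sends the three query types to a given address and returns the same (aa, rdata) shape; the comparison logic does not change.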