[dns-operations] Reporting glue as authoritive data -- Bug!

Edward Lewis Ed.Lewis at neustar.biz
Tue Jan 29 21:30:30 UTC 2008

At 7:57 +1100 1/30/08, Mark Andrews wrote:

>	The world runs without it.  There are lots of zones including
>	TLD's that cope.

I was talking on the side with someone wondering why, if this is/was 
a real problem, why don't all TLDs see this?  That's a good question. 
My response was that in the case in which I experienced the problem 
it may have been a combination of factors somewhat unique to the TLD 
(it being ARPA).  In other cases it might be manifested in the way 
the registry to DNS interface is constructed.

>	I think it is time to name the resolver(s) if you really
>	want to try to ram through this bad engineering decision.
>	If a resolver don't follow glue it is broken and there are
>	lots of places where it will fail to resolve names.

I'm uncomfortable naming names on a public mailing list, I think it 
is irresponsible to place public reports of problems in the court of 
public opinion.  I think it leads to mob justice and bully behavior. 
That is why I refrain from naming the resolvers.

I take offense to your language regarding "ram through this bad 
engineering decision."  This thread began with a report that there 
might be a bug in what Ultra was doing.  I filled in the history to 
explain that the response was valid and then went on to why it is 
sent.  I have also been justifying the decisions made back then that 
lead to where we are.  I mentioned that I "thought" it was Ultra 
matching Atlas in action, it turns out the Ultra engineers 
consciously added this response because of a problem on the 
production network (may be before we acquired them for all I know 

Personally I have had experience with the mistakes of BIND 4 and BIND 
8 in this manner.  I had to spend quite a bit of time researching it, 
the problem is real.  Yes, BIND 9 has corrected that but as an 
operator I have had to deal with legacy code that was still broken. 
I'm not calling BIND to fix anything.

Documenting these responses would be the responsible thing to do.  No 
one has taken this on.  I don't see the harm in legitimizing them, 
whatever that means.  Perhaps once we rid the network of broken 
resolvers we don't need to see these responses.  But since when has 
the Internet relied on an attitude that every one has to march to the 
same beat?  Whatever happened to "be liberal in what you accept?"

>	I fail to see how you need to be bug for bug compatible
>	with a resolver.

What I had in mind was authoritative servers that are built 
bug-for-bug compatible on purpose.  As far as resolvers, I wouldn't 
know.  But I do know that one resolver code strain begets another 
because we have weak specifications.

Edward Lewis                                                +1-571-434-5468

Think glocally.  Act confused.

More information about the dns-operations mailing list