[dns-operations] Reporting glue as authoritive data -- Bug!
Ed.Lewis at neustar.biz
Thu Jan 31 15:50:27 UTC 2008
At 8:48 +0000 1/31/08, Lutz Donnerhacke wrote:
>* Edward Lewis wrote:
>> Why don't servers running BIND 9 seem to have this problem?
>Because the "hybrid answers" are not needed by the resolvers out there.
>There might be a problem in the past, but it's gone.
Saying it's gone doesn't prove it. To be fair to you, it's
impossible to prove that something does not exist. Because this is
an unsolvable problem we should move on to something that can be
>I did the same several month ago, while observing that changing glue does
>not trigger a DNSSEC-signature action. I was puzzled and discussed this
>"problem" even with the user above. That's why I heard of his problem now.
I'm not sure if what you are alluding to is the desire for something
called 'fetch glue' which is an old feature of BIND. Sorry for being
hazy on this, but a server could be told to fetch the glue it was
supposed to serve periodically (or just at zone load).
The practice has been obsoleted. For one, it's an obvious drain on a
large glue-holding zone. Two, it's a chance for glue poisoning.
Further, I have seen RFP's for DNS services (external to the global
public Internet) that explicit request that the authoritative servers
do not do 'fetch glue.'
What that says to me is that they'd rather have the glue issues
handled via provisioning than glossed over by the DNS. My
interpretation is that we would rather expose issues and solve them
correctly than smooth them over.
>After this discussion, I'm sure, that ATLAS and Ultra give wrong answers and
>should plan to phase this errornous behaviour out.
You might have drawn this conclusion, but I haven't. Let's move on
from that though.
Why am I, speaking as a DNS operator, reluctant to remove hybrids?
(I am writing this so that you might get some hints as to how to get
me to do so.) For one, any change to current practices has to have
benefits that outweigh the risk of the change. Put it this way, show
me that hybrids hurt and should be gone, resulting in a benefit.
They hurt DNSSEC? So what, the market for DNSSEC is negligible.
Let's address my risks, the last time I backed out the hybrids, I got
hammered with traffic. You might say it won't happen again, but I'm
the one that has felt the pain before.
Here's my prescription for removing hybrids.
First, work with Peter Koch and his draft on glue clarifications.
Objectively define hybrids. State that the problem is in resolvers
that suffer Alzheimer's, that is, forgetting why they got an answer.
Get the document published as an RFC.
RFCs mean something in the world, they might not be the law we run
by, but they shape it. You may recall back and forth about RFC 1034,
4,3,2, step 3b and 4 - a clear RFC is what is needed, not one open to
Second, get the attention of the organizations that deal with
registry operations. Not to punish or cajole the registries to act,
but to afford registries protection. I.e., lower the impact of my
risk. Make me willing to make a change that just might victimize
someone else. And make it worth my while to spend time on this
instead of another pending work item.
You see, hybrids are properly formatted DNS messages. They are
equivalent to cache answers, except that there is no DNSSEC ancillary
data there (which you only notice if you are experimenting with
DNSSEC). This isn't a protocol issue at all, you can't "outlaw" any
set of bits and eliminate hybrids.
It is an operations issue. And a registry operations issue. You
desire to tell registries to stop using glue as cache. You aren't
going to get this wish in the court of public opinion (such as this
list). You aren't going to get this done just via IETF documents.
Okay, maybe I'm giving you the age-old bureaucrat's stone-wall
answer. "Do a lot of work, go through channels and we will get
around to it. And hopefully you'll get too tired fighting you'll
accept the situation as it is." There's a shorter answer that might
Try reporting the problem to the customer support for Ultra and not
to a public list. Sometimes it is easier to convince an organization
to change when the report is from outside than from someone like me
that reads a list and then reports it internally. Sounds crazy, but
it helps. For one, you get more a more sympathetic response to a
discreet complaint than one that might be construed as a desire to
embarrass someone (which is usually the biggest outcome in a court of
It doesn't hurt to have Peter's draft or RFC either to help explain
Email: ultrasupport at neustar.biz
Phone: (888) 367-4820
If that doesn't work, then the court of public opinion is the place to be.
Edward Lewis +1-571-434-5468
Think glocally. Act confused.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dns-operations