[dns-operations] Delegation health was Re: Worst current practice example
Edward Lewis
Ed.Lewis at neustar.biz
Tue May 4 11:27:00 UTC 2010
At 21:00 +1000 5/4/10, Mark Andrews wrote:
> I don't think this one is notable other than it should be something
> that should be picked up in regular checks of delegations by parent
> zone administrators and corrected after consultation with the child
> zone's administrators. If they are unreachable or fail to correct
> it within a reasonable period of time the delegation should be
> pulled. This is not a new requirement.
It may be a requirement in the RFC but it is not practical in operations.
What makes this impractical?
1. What is "Unreachable?" - just because X can't reach Y doesn't mean
Z can't reach Y. (This is the Bill Manning reply.)
2. Fail to connect - failure on which end?
3. Registries already tread lightly on pulling down delegations
involved in illegal activity (with illegal being a local
determination), treading into unreliable technical checks is not
worth it.
4. And then there is volume. If you demand that the test happen on a
daily basis and the TLD has 10 million delegations (there are a
handful with that now), that's 115 checks per second using a 24 hour
clock. If 99% are good, that means every second you are launching
yet another in depth check into a potentially bad delegation, 60
times a minute, 3600 times an hour.
(To pump this a bit, COM I would guess would have a significant
problem with this. The current floated population is 80 million. At
1% bad, that would be 8 per second. With all of the work the COM
engineers do now, do you think they could add on such a workload?
Granted, the 1% guess is just a number plucked from air. The way
COM is monitored, I bet they have some idea of the real number.)
...All this to figure out why people can't get to a delegation that
seems to otherwise be a delegation no one needs to see. (The old "if
a tree falls in a forest and no one hears it, did it make a sound"
question.) It's not like a browser user complained that they
couldn't get to a site.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
Wouldn't it be nice if all of the definitions of equivalence were the same?
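Added example, not part of the thread or of any registry's tooling: a small Python model of the two points argued above, the sustained check workload a parent zone would take on (the 10-million-delegation, once-a-day case) and the "unreachable from where?" problem, handled by only calling a delegation unreachable when every vantage point agrees and the condition persists across several checks. The vantage names, the quorum value and the sample results are constructed for illustration.

```python
"""Model of parent-side delegation health checking (illustrative only).

Two questions from the discussion are made concrete:
  1. How many checks per second does a daily sweep of N delegations cost,
     and how many in-depth follow-ups does a given bad fraction trigger?
  2. When is a child "unreachable"? One vantage failing proves little, so
     the policy below requires agreement across vantages and persistence
     across successive checks before anything is escalated.
All figures and sample results are constructed, not measured.
"""
from dataclasses import dataclass, field

SECONDS_PER_DAY = 24 * 60 * 60


def check_rate(delegations: int, interval_seconds: int = SECONDS_PER_DAY) -> float:
    """Sustained checks per second needed to test every delegation once per interval."""
    return delegations / interval_seconds


def followup_rate(delegations: int, bad_fraction: float,
                  interval_seconds: int = SECONDS_PER_DAY) -> float:
    """In-depth follow-up checks per second implied by a given bad fraction."""
    return check_rate(delegations, interval_seconds) * bad_fraction


def classify_reachability(results: dict[str, bool], quorum: int) -> str:
    """Combine per-vantage probe outcomes (vantage name -> answered?).

    'reachable'    every vantage got an answer
    'partial'      some did, some did not (a path problem, not a dead child)
    'unreachable'  no vantage got an answer and at least `quorum` vantages tried
    'inconclusive' no answers, but too few vantages to draw a conclusion
    """
    answered = sum(1 for ok in results.values() if ok)
    tried = len(results)
    if tried and answered == tried:
        return "reachable"
    if answered > 0:
        return "partial"
    return "unreachable" if tried >= quorum else "inconclusive"


@dataclass
class DelegationRecord:
    """Rolling history of classifications for one delegation."""
    name: str
    history: list[str] = field(default_factory=list)

    def record(self, verdict: str) -> None:
        self.history.append(verdict)

    def should_escalate(self, consecutive: int) -> bool:
        """Escalate (contact the child administrator) only after `consecutive`
        back-to-back 'unreachable' verdicts; 'partial' or 'inconclusive'
        results break the streak rather than count toward it."""
        if len(self.history) < consecutive:
            return False
        return all(v == "unreachable" for v in self.history[-consecutive:])


def simulate(name: str, daily_results: list[dict[str, bool]],
             quorum: int = 3, consecutive: int = 3) -> tuple[list[str], bool]:
    """Run a sequence of daily multi-vantage probes through the policy."""
    rec = DelegationRecord(name)
    for day in daily_results:
        rec.record(classify_reachability(day, quorum))
    return rec.history, rec.should_escalate(consecutive)


if __name__ == "__main__":
    print(f"10M delegations, daily sweep: {check_rate(10_000_000):.1f} checks/s")
    print(f"  at 1% bad: {followup_rate(10_000_000, 0.01):.2f} follow-ups/s")
    # Constructed sample: one vantage loses its path on day 1, then the child
    # really goes dark for three days.
    vantages = ["probe-a", "probe-b", "probe-c"]
    days = [
        {"probe-a": False, "probe-b": True, "probe-c": True},
        {v: False for v in vantages},
        {v: False for v in vantages},
        {v: False for v in vantages},
    ]
    print(simulate("example-child.test", days))
```

The point of the streak logic is that a single vantage's failure (item 1 above) never counts as "unreachable" at all, and even unanimous failure only becomes an escalation after it persists, which keeps the follow-up volume tied to genuinely dead delegations rather than to transient path problems.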