[dns-operations] Delegation health was Re: Worst current practice example

Mark Andrews marka at isc.org
Tue May 4 23:57:03 UTC 2010

In message <a06240800c805ea5c6c6e@[]>, Edward Lewis writes:
> At 23:08 +1000 5/4/10, Mark Andrews wrote:
> >By unreachable I was actually refering to the administrators.
> >Pulling down is the last resort.  Getting the delegation corrected
> >is the desired result.  I suspect most registants would be more
> >than happy to have someone catch and report their errors to them
> >as they are not always easily visible unless you are a external
> >party.
> >That's just a cost of doing business.  Most of it can be automated
> >or don't you require valid contact details?
> Mark, seriously, it's a cost - and it would raise the "price" of a 
> domain name considerably.

And not checking is shifting the cost away from those in the position
to fix the the problem which makes the final cost much more.
> Automated?  Above you indicate "referring to the administrators." 
> Are you suggesting an auto-dialer?  If I have to test 100 delegations 
> per second, I'd have to dial awfully fast.

In many cases email is enough, though with delegation it can sometimes
be tough to reach someone.
> Getting something fixed is even more time consuming.  I once had the 
> real experience of writing and running code that did lame delegation 
> testing.  It's one thing to test, another to diagnose, and yet 
> another to hand hold someone through a fix.
> >As for the number of delegations that are problematic.  Removing
> >then provides incentive for people to actually ensure that they are
> >initially correct and remain correct.  The current situation is the
> >direct result of failure to check and correct.
> >
> >I'd love to see weekly reports about the numbers of broken delegations
> >per infrustucture zone.  Both raw and as a percentage.
> When I was testing lameness, I observed a high number, but that was 
> because the delegations ran in "runs."  (Meaning one registration had 
> a number of delegations and it was pretty common that if one of the 
> delegations was bad so were others in the registration.)  My 
> observations were about 20-30%, others in the same situation reported 
> as low as 5%, but I know their numbers grew over time.

And once they learn to fix one they usually can fix them all.
> >The problem is that people do hear the tree falling or stumble across it.
> >
> >Yes, "I can't lookup <foo>" is a pretty regular sort of message on
> >bind-users.  Most of the time it ends up being a delegation problem.
> What's wrong with having error recovery be event driven?

So I should contact the parent zone administrator for every lame
delegation I detect?  You will guarantee to follow through and get
the delegation fixed or removed?

B.T.W. I do report broken configurations when I see them.  Sometimes
I'm thanked, often I'm ignored, occasionally I'll get "why were you
checking" or similar.  Sometimes I can't find a way to contact the
zone administrator because the data in whois is total crap or non
existant (see gov's whois for a useless service).

Then there are all the language issues.   Having the infrustructure
zone administrator make the contact reduces these.  I don't speek
greek but I've definitely found problems with .gr delegations.
Similarly for just about every other country in the world.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list