[dns-operations] Delegation health was Re: Worst current practice example
marka at isc.org
Tue May 4 23:57:03 UTC 2010
In message <email@example.com>, Edward Lewis writes:
> At 23:08 +1000 5/4/10, Mark Andrews wrote:
> >By unreachable I was actually referring to the administrators.
> >Pulling down is the last resort. Getting the delegation corrected
> >is the desired result. I suspect most registrants would be more
> >than happy to have someone catch and report their errors to them
> >as they are not always easily visible unless you are an external
> >That's just a cost of doing business. Most of it can be automated
> >or don't you require valid contact details?
> Mark, seriously, it's a cost - and it would raise the "price" of a
> domain name considerably.
And not checking is shifting the cost away from those in the position
to fix the problem which makes the final cost much more.
> Automated? Above you indicate "referring to the administrators."
> Are you suggesting an auto-dialer? If I have to test 100 delegations
> per second, I'd have to dial awfully fast.
In many cases email is enough, though with delegation it can sometimes
be tough to reach someone.
> Getting something fixed is even more time consuming. I once had the
> real experience of writing and running code that did lame delegation
> testing. It's one thing to test, another to diagnose, and yet
> another to hand hold someone through a fix.
> >As for the number of delegations that are problematic. Removing
> >them provides incentive for people to actually ensure that they are
> >initially correct and remain correct. The current situation is the
> >direct result of failure to check and correct.
> >I'd love to see weekly reports about the numbers of broken delegations
> >per infrastructure zone. Both raw and as a percentage.
> When I was testing lameness, I observed a high number, but that was
> because the delegations ran in "runs." (Meaning one registration had
> a number of delegations and it was pretty common that if one of the
> delegations was bad so were others in the registration.) My
> observations were about 20-30%, others in the same situation reported
> as low as 5%, but I know their numbers grew over time.
And once they learn to fix one they usually can fix them all.
> >The problem is that people do hear the tree falling or stumble across it.
> >Yes, "I can't lookup <foo>" is a pretty regular sort of message on
> >bind-users. Most of the time it ends up being a delegation problem.
> What's wrong with having error recovery be event driven?
So I should contact the parent zone administrator for every lame
delegation I detect? You will guarantee to follow through and get
the delegation fixed or removed?
B.T.W. I do report broken configurations when I see them. Sometimes
I'm thanked, often I'm ignored, occasionally I'll get "why were you
checking" or similar. Sometimes I can't find a way to contact the
zone administrator because the data in whois is total crap or
nonexistent (see gov's whois for a useless service).
Then there are all the language issues. Having the infrastructure
zone administrator make the contact reduces these. I don't speak
Greek but I've definitely found problems with .gr delegations.
Similarly for just about every other country in the world.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
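
Added example, not part of the original message and not code from either poster: a sketch of the per-zone report requested in the thread (broken delegations, raw and as a percentage), which also counts affected registrations to show the "runs" effect Edward Lewis describes. The probe records, zone and registration names, and the rule that a delegation is broken when at least one listed nameserver fails to answer authoritatively are assumptions of this example.

```python
from collections import defaultdict

# Constructed probe results, one per (delegation, listed nameserver): the rcode
# and AA flag returned for a SOA query on the zone; rcode None means timeout.
# Fields: parent zone, registration, delegated zone, nameserver, rcode, aa
PROBES = [
    ("tld.example", "reg-1", "a.tld.example", "ns1.dead.example", None, False),
    ("tld.example", "reg-1", "b.tld.example", "ns1.dead.example", "REFUSED", False),
    ("tld.example", "reg-1", "c.tld.example", "ns2.dead.example", "NOERROR", False),
    ("tld.example", "reg-2", "d.tld.example", "ns1.ok.example", "NOERROR", True),
    ("tld.example", "reg-2", "d.tld.example", "ns2.ok.example", "NOERROR", True),
    ("tld.example", "reg-3", "e.tld.example", "ns1.ok.example", "NOERROR", True),
    ("tld.example", "reg-4", "f.tld.example", "ns1.ok.example", "NOERROR", True),
    ("tld.example", "reg-5", "g.tld.example", "ns1.ok.example", "NOERROR", True),
    ("tld.example", "reg-6", "h.tld.example", "ns1.ok.example", "NOERROR", True),
    ("tld.example", "reg-7", "i.tld.example", "ns1.ok.example", "NOERROR", True),
    ("tld.example", "reg-8", "j.tld.example", "ns1.ok.example", "NOERROR", True),
]

def is_lame(rcode, aa):
    """A listed server is lame if it did not answer authoritatively for the zone."""
    return rcode != "NOERROR" or not aa

def weekly_report(probes):
    """Per parent zone: broken delegations and affected registrations, raw and %."""
    zones = defaultdict(lambda: defaultdict(bool))  # parent -> zone -> broken?
    owner = {}                                      # zone -> registration
    for parent, reg, zone, _ns, rcode, aa in probes:
        zones[parent][zone] |= is_lame(rcode, aa)   # one lame server marks the zone
        owner[zone] = reg
    report = {}
    for parent, status in zones.items():
        broken = [z for z, bad in status.items() if bad]
        regs = {owner[z] for z in status}
        bad_regs = {owner[z] for z in broken}
        report[parent] = {
            "delegations": len(status),
            "broken": len(broken),
            "broken_pct": round(100 * len(broken) / len(status), 1),
            "registrations": len(regs),
            "broken_registrations": len(bad_regs),
            "broken_reg_pct": round(100 * len(bad_regs) / len(regs), 1),
        }
    return report

if __name__ == "__main__":
    for parent, row in weekly_report(PROBES).items():
        print(parent, row)
```

On the constructed data the delegation-level rate is higher than the registration-level rate because all broken delegations belong to one registration.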