[dns-operations] Missing .us and GTLD records??

Mark Andrews marka at isc.org
Sat May 22 00:11:18 UTC 2010


In message <Pine.LNX.4.64.1005211428001.29406 at server1.hal22.net>, Luis Uribarri writes:
> 
> Believe it or not, some resolvers do not actually do this, (or at least 
> do not appear to act in this way)
> 
> From RFC 1035
> >Some fine points:
> >
> >   - The resolver may encounter a situation where no addresses are
> >     available for any of the name servers named in SLIST, and
> >     where the servers in the list are precisely those which would
> >     normally be used to look up their own addresses.  This
> >     situation typically occurs when the glue address RRs have a
> >     smaller TTL than the NS RRs marking delegation, or when the
> >     resolver caches the result of a NS search.  The resolver
> >     should detect this condition and restart the search at the
> >     next ancestor zone, or alternatively at the root.
> 
> This may have been because of recent vulnerability discoveries and/or 
> changes in how SLIST is handled by certain resolvers. (Not necessarily 
> BIND.) But I have seen live domains go into SERVFAIL mode on some resolvers 
> because of the Glue NS TTL and the Glue A TTL being different in an 
> in-bailiwick delegation.

Then the resolver is broken.

As for IPv6-only servers causing problems, there are plenty of
nameservers that exist in name only, i.e. no addresses at all.  In
some cases the name doesn't exist at all.  Resolution doesn't stop.
An IPv6-only nameserver just looks like an addressless server to
the IPv4-only resolver.  There is NOTHING wrong with that.
 
> I have seen many situations where not being able to find a "name server's 
> name" can cause issues.
>
> If everyone in the world was using the exact same DNS Resolver software, 
> then issues on Authoritative servers that caused problems with some 
> resolvers but not others would not matter.

It's not about everyone having the same software.  It's about writing
to the standards and dealing with common situations.  NS and A
records aren't required to have the same TTL, so you write your code
to handle the fact that they may time out.  You also need to write
your code to cope with nameservers that don't have addresses or
don't exist.
 
> But for a TLD, everyone in the world has to use the same Auth servers. 
> Not everyone uses the same resolver software.
> 
> Make the Auth Servers and Auth server delegations they provide bulletproof,
> and you don't have to worry about resolvers that behave differently 
> "breaking".

But you have yet to show one resolver breaking.

I'd like to see all the TLDs put up an IPv6-only nameserver and for
one to be added to the root.  It won't be long before it is
commonplace to have IPv6-only servers as people find that they can't
get an unshared IPv4 address to go with the IPv6 address to host the
service on.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
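The RFC 1035 fine point quoted in the thread, as an added illustration that is not part of the original message or of BIND: a constructed cache in which the example.test. delegation's NS RRs outlive their glue A RRs, with one resolver that restarts at the ancestor zone as the RFC says and one that gives up with SERVFAIL. All names, addresses and TTLs are assumed, not taken from any real zone.

```python
# Constructed model of the RFC 1035 "fine point" quoted above: the delegation's
# NS RRs outlive their glue A RRs in the cache, leaving an SLIST of in-bailiwick
# names whose addresses can only be learned from the parent. Not BIND code.
NOW = 1000  # constructed clock, in seconds

# cache[rrtype][owner] = (rdata list, absolute expiry time)
CACHE = {
    "NS": {
        ".":             (["a.root-servers.test."], NOW + 86400),
        "test.":         (["a.nic.test."], NOW + 86400),
        "example.test.": (["ns1.example.test.", "ns2.example.test."], NOW + 3000),
    },
    "A": {
        "a.root-servers.test.": (["192.0.2.1"], NOW + 86400),
        "a.nic.test.":          (["192.0.2.2"], NOW + 86400),
        "ns1.example.test.":    (["192.0.2.53"], NOW - 10),  # glue A already expired
        # ns2.example.test. has no A at all: a server that exists in name only
    },
}

def parent(zone):
    """Closest ancestor: 'example.test.' -> 'test.', 'test.' -> '.', '.' -> None."""
    if zone == ".":
        return None
    return zone.split(".", 1)[1] or "."

def live(cache, rrtype, owner, now):
    """Rdata for owner/rrtype if cached and not yet expired, else []."""
    rdata, expiry = cache[rrtype].get(owner, ([], 0))
    return rdata if expiry > now else []

def pick_slist(cache, qname, now, restart_at_ancestor=True):
    """Return (zone, addresses) the resolver will query for qname, or None for SERVFAIL.
    A correct resolver that finds cached NS names but no usable addresses for
    them restarts one zone up, ultimately at the root. The SERVFAIL behaviour
    described in the thread is modelled by restart_at_ancestor=False."""
    zone = qname
    while zone is not None:
        names = live(cache, "NS", zone, now)
        addrs = [a for n in names for a in live(cache, "A", n, now)]
        if addrs:
            return zone, addrs
        if names and not restart_at_ancestor:
            return None  # gives up instead of walking to the ancestor zone
        zone = parent(zone)
    return None  # not even the root is usable
```

Before the glue expires both resolvers query ns1.example.test. directly; once it has expired, only the RFC-conformant one falls back to the test. servers and keeps resolving.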