[dns-operations] [Ext] Nameserver responses from different IP than destination of request

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Sep 1 00:31:56 UTC 2020


On Tue, Sep 01, 2020 at 12:01:07AM +0000, Paul Hoffman wrote:

> On Aug 31, 2020, at 2:47 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> > 
> > Quite likely the domains that are completely broken (none of the
> > nameservers respond from the right IP) are simply parked, and nobody
> > cares whether they actually work or not.
> > 
> > The only reason you're seeing queries for them may be that folks doing
> > DNS measurements, query all the domains we can find including the parked
> > ones that nobody actually cares to have working.
> 
> These assumptions seem... assumptiony. I'd love to see some data from
> anyone who is collecting it on which NS names or IPs are exhibiting
> the behavior.

Sure, but when most of the world's resolvers can't resolve a domain, it
is not much of a leap to conclude that the operators of said domain
don't much care to see it working (unless the problem is transient and
quickly corrected).

The longer the time that this sort of thing sits unaddressed, the less
we should care about it any more than the operator does.

On the other hand, if the problem is in the "quickly corrected" bucket,
again we don't need to compromise DNS integrity for everybody else by
generally accepting non-matching replies.

If a particular resolver is able to apply emergency exceptions for a
particular important zone, that'd be their choice I guess, but even that
seems to be solving the wrong problem: why expect all the resolvers to
fix a problem rightly solved at the source?

Scoping out the extent of the problem is an interesting exercise in
measurement, but should have no operational relevance for anyone other
than the guilty parties, should they care to actually see their domain
resolved.

-- 
    Viktor.
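The integrity check at issue in this thread, as an added illustration that is not part of the original post: a stub resolver sends a query to a nameserver address and only accepts a reply whose source address and port match where the query went, whose transaction ID matches, and whose question section echoes the original question (the matching that RFC 5452 recommends as the baseline defence against spoofed replies). The packet builder, the `validate_reply` function, the 192.0.2.x addresses and the domain name are all constructed here for the demonstration; nothing is sent on the wire.

```python
import socket
import struct


def encode_name(qname):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    labels = qname.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, qname, qtype=1):
    """Minimal DNS query: header (RD set), one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_reply(txid, qname, qtype, rdata_ip):
    """Constructed A-record reply used as sample input; not a captured packet."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # Answer: name pointer to offset 12 (the question name), type, class IN, TTL, rdlength, rdata
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, 4) + socket.inet_aton(rdata_ip)
    return header + question + answer


def validate_reply(query_dst, query_txid, qname, qtype, reply_src, reply):
    """Decide whether a UDP reply may be accepted for the query we sent.

    query_dst / reply_src are (ip, port) tuples. Returns (accepted, reason).
    The first test is the one this thread is about: a reply from any address
    other than the one we queried is indistinguishable from a spoof attempt
    and is dropped before its contents are even parsed.
    """
    if reply_src != query_dst:
        return False, "source address/port does not match query destination"
    if len(reply) < 12:
        return False, "truncated header"
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if txid != query_txid:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "QR bit not set (not a response)"
    if qdcount != 1:
        return False, "unexpected question count"
    # Walk the echoed question name label by label; reject pointers here,
    # since nothing precedes the question section for them to refer to.
    off, labels = 12, []
    while True:
        if off >= len(reply):
            return False, "truncated question"
        n = reply[off]
        if n & 0xC0:
            return False, "compression pointer in question name"
        off += 1
        if n == 0:
            break
        labels.append(reply[off:off + n].decode("ascii", "replace").lower())
        off += n
    if off + 4 > len(reply):
        return False, "truncated question"
    rtype, rclass = struct.unpack("!HH", reply[off:off + 4])
    if ".".join(labels) != qname.strip(".").lower() or rtype != qtype or rclass != 1:
        return False, "question section mismatch"
    return True, "accepted"


def run_scenarios():
    """Three constructed cases: matching reply, reply from a different IP, wrong ID."""
    ns = ("192.0.2.53", 53)          # the nameserver address we queried (constructed)
    txid, qname, qtype = 0x1234, "example.com", 1
    good = build_reply(txid, qname, qtype, "192.0.2.10")
    return {
        "matching_source": validate_reply(ns, txid, qname, qtype, ns, good),
        "other_source_ip": validate_reply(ns, txid, qname, qtype, ("192.0.2.54", 53), good),
        "wrong_txid": validate_reply(ns, txid, qname, qtype, ns,
                                     build_reply(0x4321, qname, qtype, "192.0.2.10")),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The second scenario is exactly the misconfiguration under discussion: a server that answers from an interface other than the one the query was addressed to produces a reply that a correctly behaving resolver must drop, so the zone fails to resolve until the operator fixes the server's source-address selection.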
