> 
> On 8-May-2007, at 09:59, [EMAIL PROTECTED] wrote:
> 
> > On 7-May-2007, at 23:04, Mark Andrews wrote:
> >
> >>    You say that one should not be worried about answers from
> >>    these servers.  This needs to be clarified to state what a
> >>    normal answer is both for PTR QUERY and UPDATE.  NXDOMAIN and
> >>    REFUSED respectively.  A rogue as112 operator can cause
> >>    operational problems.
> 
> I'm not convinced that this document needs that level of detail,  
> aimed as it is squarely at the technically uninformed. I don't have  
> very strong feelings about *not* including text to that effect,  
> though. Would you like to propose some words for the draft?
>
> >>    Also explain why NXDOMAIN is a harmless response to QUERY.
> >>
> >>    There should also be some discussion as to why they should
> >>    address their configuration problem rather than just
> >>    continue to accept the answers from the as112 servers.
> 
> Section 7 ("Corrective Measures") includes this text:
> 
>     Possible measures which might be taken to prevent these queries
>     include:
> 
>     1.  Stop hosts from making these reverse DNS queries in the first
>         place.  In some cases servers can be configured not to perform
>         reverse DNS lookups, for example.  As a general site-wide
>         approach, however, this measure is frequently difficult to
>         implement due to the large number of hosts and applications
>         involved.
> 
>     2.  Block reverse DNS queries to the AS112 servers from leaving the
>         site using firewalls between the site and the Internet.  Although
>         this might appear to be sensible, such a measure might have
>         unintended consequences: the inability to receive an answer to
>         reverse DNS queries might lead to long DNS lookup timeouts, for
>         example, which could cause applications to malfunction.
> 
>     3.  Configure all DNS resolvers in the site to answer authoritatively
>         for the zones corresponding to the private-use address blocks in
>         use.  This should prevent resolvers from ever needing to send
>         these queries to the public DNS.  Guidance and recommendations
>         for this aspect of resolver configuration can be found in
>         [I-D.andrews-full-service-resolvers].
> 
>     4.  Implement a private AS112 node within the site.  Guidance for
>         constructing an AS112 node may be found in
>         [I-D.ietf-dnsop-as112-ops].
> 
> Are you disagreeing with the text above, or suggesting a different  
> emphasis, or something else?

        Different emphasis.  We really want sites that are
        misconfigured to correct their configurations.  The way
        the document reads at the moment one could get the
        impression that just accepting the reply traffic is
        enough as it is harmless.

        The reply traffic may be harmless but the query traffic
        definitely isn't harmless.  It's costing the as112
        operators and any transits in between real money to
        supply these answers.
 
> Joe
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop
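
Added example, not part of the thread or the draft: a site can find out which reverse zones it is leaking, and so which zones its resolvers must serve locally under measure 3, by scanning the resolver's outbound query log. The log format ("client qtype qname"), the sample lines and all function names are constructed for illustration, and the private-use blocks are assumed to be the RFC 1918 ranges.

```python
import ipaddress
from collections import Counter

# Assumption: "private-use address blocks" means the RFC 1918 ranges.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: queries the site resolver forwarded to the Internet.
SAMPLE_LOG = """\
192.0.2.10 PTR 5.1.168.192.in-addr.arpa.
192.0.2.10 PTR 7.0.0.10.in-addr.arpa.
192.0.2.11 PTR 1.20.31.172.in-addr.arpa.
192.0.2.11 PTR 1.20.32.172.in-addr.arpa.
192.0.2.12 A www.example.com.
192.0.2.12 PTR 9.9.0.10.in-addr.arpa.
192.0.2.12 PTR 4.4.8.8.in-addr.arpa.
"""

def ptr_name_to_address(qname):
    """Return the IPv4 address behind a full in-addr.arpa name, else None."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return None

def reverse_zone(addr):
    """Name of the private reverse zone covering addr, or None if public."""
    octets = str(addr).split(".")
    for net in PRIVATE_BLOCKS:
        if addr in net:
            # 10/8 is a single zone; the other blocks split into /16 zones.
            if net.prefixlen == 8:
                return f"{octets[0]}.in-addr.arpa"
            return f"{octets[1]}.{octets[0]}.in-addr.arpa"
    return None

def leaked_zones(log_text):
    """Count leaked PTR queries per private zone and collect their clients."""
    zones, clients = Counter(), {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1].upper() != "PTR":
            continue
        addr = ptr_name_to_address(fields[2])
        zone = reverse_zone(addr) if addr else None
        if zone:
            zones[zone] += 1
            clients.setdefault(zone, set()).add(fields[0])
    return zones, clients

if __name__ == "__main__":
    for zone, count in leaked_zones(SAMPLE_LOG)[0].most_common():
        print(f"{zone}: {count} leaked queries; serve this zone locally")
```

Each zone reported is one the resolvers should answer authoritatively; the client sets point at the hosts generating the queries, which is where measure 1 would apply.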
