In message <CAHw9_iLzKsqSWLV+BdcG_R-d9Jd-=1sc+srzhv8iwd_5tdo...@mail.gmail.com>, Warren Kumari writes:
> On Sat, Oct 25, 2014 at 11:57 AM, Stephane Bortzmeyer <bortzme...@nic.fr> 
> wrote:
> > On Mon, Oct 20, 2014 at 05:26:29PM -0400,
> >  Phillip Hallam-Baker <hal...@gmail.com> wrote
> >  a message of 74 lines which said:
> >
> >> If we are going there, I would want to know how common the
> >> configurations are.
> >
> > Yes, actual numbers seen from a real resolver would be useful.
> >
> >> Outside this list how common are hierarchies more than 4 levels deep
> >> in practice?
> 
> Surprisingly enough, not an insignificant number -- but this is
> mitigated by what the queries are (see below)
> 
> >
> > ip6.arpa, and other infrastructure domains?
> 
> There is a long tail, but:
> ~51% of lookups are of length 3 (www.example.com)
> ~23% of lookups are of length 5 (this was surprising to me, but is
> largely dominated by Akamai - www.example.com.akadns.net)
> ~15% of lookups are of length 4 (usually service.something.largecompany.com)
> 
> This means that lengths 3, 4, 5 account for ~89% of lookups. If you
> include lengths of 1 and 2 you get  >96%
> Many of these (like the akamai ones, .com, etc) look like they would
> cache very well...
> 
> In the long tail there are the ip6.arpa, in-addr.arpa, some dnsbls and
> then a bunch of anti-virus / web-filter stuff (things like <really
> long b64(?) encoded string>.sophosxl.com or <some opaque
> string>.avts.mcafee.com), and some "obviously" broken queries
> (www.www.www.www.www.www.www.www.www.cnn.com)
> 
> 
> So, while looking at this I stumbled across something, um, odd...
> wkumari@vimes:~$ dig ns +noall +comments apple.com.akadns.net
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27395
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> 'kay...
> 
> wkumari@vimes:~$ dig ns +noall +comments com.akadns.net
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3341
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> 
> Er... wouldn't this break with qnm? (obviously fixable, but an
> interesting data point). It has been a long day, so perhaps I'm
> missing something as well...

Yes, there are lots of broken nameservers out there.  This doesn't
have to remain the case.  Audit all the servers for the zone delegated
from TLD and SLD infrastructure zones and with and without www
prepended.

Report the errors found and request that they contact their nameserver
/ firewall vendor for a fix.

Repeat 3 months later with a warning that the delegation will be
removed if the issue is not fixed for those contacted on the previous
run.

Repeat 3 months later and remove all delegations which have had the
2 previous messages.

Repeat at 3-monthly intervals to catch new instances.

Unlike bad delegations, you don't get many regressions.  Once a
nameserver is fixed it tends to stay fixed.

This gives them 6 months to deploy a fix.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
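The two things the thread turns on, Warren's dig result (NXDOMAIN for com.akadns.net while apple.com.akadns.net exists, which a qname-minimising resolver would trip over) and Mark's proposed audit (probe each delegated name with and without www prepended and report the servers that fail), modelled in Python as an added example that is not part of this thread. The zone contents, the "answers NXDOMAIN for an empty non-terminal" server behaviour, the function names and the sample query log are all constructed assumptions; the real akadns.net zone is not represented.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed mock contents for the zone akadns.net (hypothetical; only the
# shape matters).  Owner name -> {RR type -> rdata list}.  "com.akadns.net"
# is an empty non-terminal (ENT): it has no records of its own, but
# "apple.com.akadns.net" beneath it does.
MOCK_ZONE: Dict[str, Dict[str, List[str]]] = {
    "akadns.net": {"NS": ["ns1.akadns.net.", "ns2.akadns.net."]},
    "apple.com.akadns.net": {"A": ["192.0.2.10"]},  # RFC 5737 documentation address
}


def mock_auth(name: str, rtype: str, nxdomain_for_ent: bool) -> Tuple[str, List[str]]:
    """Answer one query as a mock authoritative server for akadns.net.

    A correct server answers NOERROR with an empty answer (NODATA) for an ENT;
    a server with the bug seen in the dig output above answers NXDOMAIN for it.
    """
    name = name.rstrip(".").lower()
    if name in MOCK_ZONE:
        return "NOERROR", MOCK_ZONE[name].get(rtype, [])
    is_ent = any(owner.endswith("." + name) for owner in MOCK_ZONE)
    if is_ent and not nxdomain_for_ent:
        return "NOERROR", []  # NODATA: the name exists, it just has no records
    return "NXDOMAIN", []


def minimised_walk(qname: str, rtype: str, known_zone: str,
                   nxdomain_for_ent: bool) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Simulate a qname-minimising resolver (RFC 7816 style).

    Starting from the zone cut it already knows, the resolver appends one label
    at a time and asks for NS at each intermediate name, sending the real
    question only for the full name.  A strict minimiser treats NXDOMAIN at an
    intermediate name as final.  Returns (final rcode, trace of queries).
    """
    labels = qname.rstrip(".").lower().split(".")
    zone_labels = known_zone.rstrip(".").lower().split(".")
    if labels[-len(zone_labels):] != zone_labels:
        raise ValueError(f"{qname} is not under {known_zone}")
    remaining = labels[:-len(zone_labels)]
    current = ".".join(zone_labels)
    trace: List[Tuple[str, str, str]] = []
    rcode = "NOERROR"
    while remaining:
        current = remaining.pop() + "." + current
        qtype = "NS" if remaining else rtype
        rcode, _ = mock_auth(current, qtype, nxdomain_for_ent)
        trace.append((current, qtype, rcode))
        if rcode == "NXDOMAIN":
            break  # the minimiser stops and returns NXDOMAIN to its client
    return rcode, trace


def audit(name: str, known_zone: str, nxdomain_for_ent: bool) -> List[Tuple[str, str]]:
    """Model of the audit Mark proposes: probe `name` and `www.` + name.

    A server is flagged when the full name resolves with a direct query but a
    minimising walk hits NXDOMAIN on the way; the intermediate name at which
    the walk died is reported so the operator knows what to fix.
    """
    findings = []
    for probe in (name, "www." + name):
        direct_rcode, _ = mock_auth(probe, "A", nxdomain_for_ent)
        walk_rcode, trace = minimised_walk(probe, "A", known_zone, nxdomain_for_ent)
        if direct_rcode == "NOERROR" and walk_rcode == "NXDOMAIN":
            culprit = next(n for n, _, rc in trace if rc == "NXDOMAIN")
            findings.append((probe, culprit))
    return findings


def label_count_distribution(qnames: List[str]) -> Dict[int, float]:
    """Fraction of queries per label count, the statistic Warren quotes."""
    counts = Counter(len(q.rstrip(".").split(".")) for q in qnames)
    total = sum(counts.values())
    return {n: c / total for n, c in sorted(counts.items())}


if __name__ == "__main__":
    for broken in (True, False):
        print("NXDOMAIN-for-ENT server:" if broken else "correct server:",
              audit("apple.com.akadns.net", "akadns.net", broken))
    # Constructed sample query log, not real resolver data.
    sample = ["www.example.com", "example.com",
              "www.example.com.akadns.net", "mail.corp.example.net"]
    print(label_count_distribution(sample))
```

Against the mock server that answers NXDOMAIN for the empty non-terminal, `audit` reports `apple.com.akadns.net` with `com.akadns.net` as the name the walk died on, which is exactly the pair of dig answers Warren pasted; against the correct server it reports nothing. Swapping `mock_auth` for a real resolver library is the only change needed to run the same check over a list of delegations on Mark's three-month schedule.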

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
