> On Sat, 30 Sep 2006, Mark Andrews wrote:
> > > 
> > > The better approach is for the WG to recommend to the in-addr.arpa
> > > maintainer to put in delegations for 168.192.in-addr.arpa et al to be
> > > delegated to 127.0.0.1. These delegation records should have the maximum
> > > TTL.
> > 
> >     Because it also breaks responses to queries from nameservers that
> >     are NOT using these addresses.
> 
> How is that? I don't think it breaks anything: If nameservers (the
> users) _really_ don't use those addresses, then they won't be making
> those queries.

        I can think of a number of ways a lookup for the reverse
        of an RFC 1918 address could be made when you are not using
        RFC 1918 addresses.

> But if they do make those queries (for which they aren't
> properly configured), then they should EXPECT to get an error.  Indeed,
> they SHOULD get an error.

        They do get an error: Name Error.
 
> By contrast, AS112 silently gives a "wrong" answer, with no "error". The
> answer is wrong because an answer is given to an unanswerable query.  
> This is bad since it prevents the nameserver operator from learning
> about the misconfiguration.

        RFC 1918 addresses are ambiguous, not "not answerable".
        The correct answer is location sensitive.  If you are on
        the Internet and not using RFC 1918 addresses then the
        correct answer is Name Error.  If your site is using RFC
        1918 addresses and you haven't configured a PTR then the
        correct answer still is Name Error.

        This is no different than if there wasn't a PTR record for
        the public IP address I'm currently using.

> > > This approach has two beneficial effects that AS112 doesn't 
> > > offer: 
> > > 
> > > 1) The nameserver operator with the misconfigured nameserver will begin
> > > getting "recursion to self" errors, which will prompt corrective action.
> > > 
> > > 2) The delegation records will be cached on the local nameserver,
> > > reducing unnecessary traffic from the misconfigured nameserver.  
> > 
> >     Because it only works when you get responses *back*.  A
> >     large amount of this traffic is non-repliable by the roots.
> 
> The _delegations_ are reply-able. There are currently delegations to
> (e.g. 168.192.in-addr.arpa):
> 
> 168.192.in-addr.arpa.   300     IN      NS      blackhole-2.iana.org.
> 168.192.in-addr.arpa.   300     IN      NS      blackhole-1.iana.org.
> 
> This could be changed to give an address of 127.0.0.1.  And these
> records are cached.

        And you totally missed my point.  Fix the default configuration
        in nameservers using RFC 1918 addresses and the queries don't
        leak out.  They don't go to the roots regardless of whether
        the addresses are translated or not.
 
        The intent is to stop the queries leaking.

>               --Dean
> 
--
ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP.  Email [EMAIL PROTECTED]
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html

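The fix Mark is describing is for the recursive nameserver to be authoritative for the RFC 1918 reverse zones itself, so that a PTR lookup for a private address is answered locally (Name Error unless the site has configured real PTRs) and never reaches the roots or the AS112 servers. The following Python is an added example, not code from the thread or from ISC: it derives the eighteen in-addr.arpa zones that cover the three RFC 1918 blocks (the thread only names 168.192.in-addr.arpa; the other blocks come from RFC 1918 itself), simulates the resolver's decision for a query name, and emits the BIND 9 zone stanzas that implement it. The zone file path and the stub "FORWARD" outcome are assumptions for illustration; later BIND 9 releases ship this behaviour built in as the `empty-zones-enable` option.

```python
import ipaddress

# RFC 1918 private blocks. The ranges are from RFC 1918; the zone derivation
# and resolver simulation below are this example's own logic.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def reverse_zones_for(network):
    """Return the in-addr.arpa zone names that exactly cover `network`.

    in-addr.arpa is delegated on octet boundaries, so a /12 such as
    172.16.0.0/12 needs sixteen /16 zones (16.172 ... 31.172.in-addr.arpa),
    while a /8 or /16 maps to a single zone.
    """
    octets = -(-network.prefixlen // 8)          # round prefix up to whole octets
    zones = []
    for subnet in network.subnets(new_prefix=octets * 8):
        labels = str(subnet.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


# All eighteen zones a resolver must serve locally for queries not to leak.
ALL_ZONES = [z for net in RFC1918_NETWORKS for z in reverse_zones_for(net)]


def locally_served_zone(qname):
    """Return the RFC 1918 reverse zone that `qname` falls under, or None.

    The leading "." in the suffix test keeps 116.172.in-addr.arpa (public
    space) from matching the 16.172.in-addr.arpa zone.
    """
    name = qname.rstrip(".").lower()
    for zone in ALL_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def resolve_ptr(qname):
    """Simulate the resolver's decision for a PTR query name.

    Names under a locally configured empty zone get Name Error from the local
    zone data and nothing leaves the host; everything else is forwarded to
    the normal recursion path (represented here by a stub outcome).
    """
    zone = locally_served_zone(qname)
    if zone is not None:
        return ("NXDOMAIN", zone)
    return ("FORWARD", None)


def named_conf_stanzas(empty_zone_file="/etc/bind/db.empty"):
    """Emit BIND 9 zone stanzas making this server authoritative for each zone.

    `empty_zone_file` is an assumed path; it should contain only an SOA and an
    NS record pointing at the local host, so every name below the apex
    yields Name Error.
    """
    return "\n".join(
        f'zone "{zone}" {{ type master; file "{empty_zone_file}"; }};'
        for zone in ALL_ZONES
    )


if __name__ == "__main__":
    # Constructed sample queries: two private, one in public space that shares
    # a suffix shape with a private zone, one ordinary public address.
    for q in ("1.0.168.192.in-addr.arpa.", "7.3.20.172.in-addr.arpa",
              "5.0.116.172.in-addr.arpa", "4.4.8.8.in-addr.arpa"):
        print(q, "->", resolve_ptr(q))
    print(named_conf_stanzas())
```

Loading the emitted stanzas into a resolver that serves RFC 1918 space locally is enough to keep its reverse queries on-host; a site that uses these addresses and wants real PTR answers replaces the empty zone file for the zones it uses with its own zone data, which is exactly the location-sensitive answer the thread describes.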