In message <CAP-guGWoytsYy=2taiQxcTB3doYS+T+A1nqfi0_asjXfip3c=w@mail.gmail.com> , William Herrin writes:
> On Thu, Sep 15, 2016 at 12:22 PM, Aaron C. de Bruyn <aaron@heyaaron.com> wrote:
> > On Thu, Sep 15, 2016 at 12:31 AM, Mark Andrews <marka@isc.org> wrote:
> > > QWEST isn't the only DNS provider that has broken nameservers. One shouldn't have to try and contact every DNS operator to get them to use protocol compliant servers.
> > Save yourself some time. Contact the DNS software vendors. ;)
> I'd bet he already has. This looks like a name-and-shame to me, and probably deserved.
> -Bill
Aaron,

How am I supposed to know which DNS vendor to contact? DNS server fingerprinting is not an exact science. After that I then still need to work out how to contact every operator of a broken server and get them to contact the DNS vendor to get a fix. And by the way the SOA RNAME is often a blackhole, or it bounces, or it is syntactically invalid.

The best way to get this fixed would be for nameservers to be checked for protocol compliance, by the parent zone operators or their proxies, regularly. That the child zone operator be given a short period (< 3 months) to fix it, then all zones with that server get removed from the parent zone until the server is fixed (apply the final step in the complaints procedures from RFC 1033), which forces the owner of the zone to fix the server or to move to someone who follows the protocol. The servers for new delegations be checked immediately and the delegation not proceed unless the delegated servers are protocol compliant.

Everybody seems to think they know how to write a DNS server. The problem is that most people don't test anything other than simple queries, and that includes many of the DNS vendors. Think about all the load balancer vendors that don't handle anything but an A query, or only handle A and AAAA queries and don't handle DNSKEY queries. There really is no excuse to not handle non-meta qtypes properly (no error / no data, or name error, depending upon whether the name exists or not).

My bet is the DNS vendor has issued an update already and that it hasn't been applied. If not, Qwest can inform them that their product is broken. Fixing this should be about 10 minutes for the DNS vendor, then QA.

If you (collectively) haven't already checked your servers, go to https://ednscomp.isc.org and check your servers. While you are there look at some of the reports.

If there are any tech reporters out there, can you report on the issue of non-compliance in DNS servers and that it can lead to lookups failing. This issue affects everybody.

Mark
> -- 
> William Herrin ................ herrin@dirtside.com bill@herrin.us
> Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
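The "no error / no data, or name error" rule Mark states can be checked against your own servers with a few lines of stdlib Python. This is an added example, not part of the thread and not ISC's ednscomp tool; the transaction id 0x1234 and the fake_response helper are constructed sample data, and probe() assumes an IPv4 server address reachable on UDP/53.

```python
import socket
import struct

NOERROR, NXDOMAIN, REFUSED = 0, 3, 5                      # RFC 1035 rcodes
QTYPES = {"A": 1, "AAAA": 28, "DNSKEY": 48, "TYPE65280": 65280}  # 65280 is in the private-use range

def build_query(name, qtype, txid=0x1234):
    """Wire-format query: header (RD set, one question) + QNAME + QTYPE, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def check_response(query, response):
    """Classify a reply. Compliant for any non-meta qtype: NOERROR (answers or
    NODATA) when the name exists, NXDOMAIN when it does not. We cannot know
    existence here, so either rcode passes; anything else is a broken server."""
    if response is None:
        return False, "no response (timeout or dropped query)"
    if len(response) < 12:
        return False, "response shorter than a DNS header"
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "QR bit not set"
    rcode = flags & 0x000F
    if rcode == NOERROR:
        return True, "NOERROR with %d answer RR(s)%s" % (an, " (NODATA)" if an == 0 else "")
    if rcode == NXDOMAIN:
        return True, "NXDOMAIN"
    return False, "rcode %d (broken for a non-meta qtype)" % rcode

def probe(server, name, qtype, timeout=3.0):
    """Send one UDP query to a live nameserver and classify what comes back."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            response, _ = s.recvfrom(4096)
        except socket.timeout:
            response = None
    return check_response(query, response)

def fake_response(query, rcode, ancount=0):
    """Constructed sample reply: echo the id and question, set QR/RD/RA and the rcode."""
    flags = struct.pack("!H", 0x8180 | rcode)
    return query[:2] + flags + struct.pack("!HHHH", 1, ancount, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_query("example.com", QTYPES["DNSKEY"])
    print(check_response(q, fake_response(q, NOERROR)))   # compliant NODATA reply
    print(check_response(q, fake_response(q, REFUSED)))   # the kind of reply ednscomp flags
```

Run probe() against each qtype in QTYPES for every authoritative server you operate; a REFUSED, FORMERR, SERVFAIL or timeout for DNSKEY or an unknown type is exactly the class of failure the thread is about.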