RE: How common is lack of DNS server diversity?
<Root server> ::= Any DNS server that has final authority for a <domain tier/level>;
<domain tier/level> ::= root, TLD, SLD, 3LD, ... nLD (0LD, 1LD, 2LD, ... ,nLD).

This is not to be confused with root level servers that have specific authority for dot, at the root level (0LD). One thing missing from the RFC specs for authoritative name servers, which Kashpureff demonstrated so nicely, is that cache poisoning is possible at ALL levels. Ergo, I thought that it was determined as best practice that name servers that were offered up, as references, should be root for that level. That is, they should be non-recursive. This includes all NS references in all zone files. What should occur is that an org sets up zone level roots and then uses separate resolving servers for client access to the DNS. This is a two-tier structure with the primary tier being non-recursive. Ergo, within a <domain tier> there are operational tiers for root services and resolving services, per zone authority. RFC2870 only discusses this at the 0LD and only touches it lightly at other LDs.

Another thing missing is a further definition of <authoritative>. Some of us have been working with the following:
<Authoritative servers> ::= <zone authority>|<domain level authority>|<authoritative resolvers>
<zone authority> ::= Final authority for a zone, non recursive.
<domain level authority> ::= Final authority for a DL, non recursive (ie a.root-servers.net, gtld-servers.net, etc).
<authoritative resolvers> ::= recursive servers, intended for use by clients, that claim authority for their specific zones. These include stub-resolvers.

BTW, I consider RFC2870 antiquated, because it presupposes an architecture which may be outmoded or becoming outmoded rapidly. Load balancing and clustering technology makes RFC2870 an unnecessary waste of resources and can even get you into trouble. Yes, some of this is from work done on the ORSC roots.
Yes, one of the largest problems we have had to overcome, at ORSC, IFWP, and ICANN/DNSO discussions, were semantic problems caused by overly simplistic and generic semantics. This in some part explains why MSFT had to develop their own semantics; the current semantics are inadequate. As we all should know, semantics constrains design concepts. However, in such a case, designers will create their own semantics to route around the problem. This happened at MSFT, ORSC, and other places that didn't join/agree/submit to namedroppers.

--
ROELAND M.J. MEYER
Information Technology Architect
Morgan Hill Software Company, Inc.
TEL: +001 925 373 3954
FAX: +001 925 373 9781
http://www.mhsc.com
mailto: rmeyer@mhsc.com
-----Original Message-----
From: bmanning@vacation.karoshi.com [mailto:bmanning@vacation.karoshi.com]
Sent: Saturday, January 27, 2001 12:51 PM
To: rmeyer@mhsc.com
Cc: joshua@roughtrade.net; rmeyer@mhsc.com; nanog@merit.edu
Subject: Re: How common is lack of DNS server diversity?
> > More interestingly, how many root servers allow recursive lookup?
a quick looping probe shows that none of them do, nor the gTLD servers (phew!) although L.ROOT-SERVERS.NET and H.GTLD-SERVERS.NET are unreachable from my view. Preparing an accurate list of all TLD servers glued in the root zone will take a little longer.
> I was talking about root servers at ALL levels, not just the root.
Perhaps you are using the term "root servers" in a different manner than I am used to. For me:
"Root Server" = a DNS server for the zone "." in the Internet.
What do you mean by "root servers at ALL levels, not just the root." That construction just does not parse.
--bill
On Sat, Jan 27, 2001 at 01:52:11PM -0800, Roeland Meyer wrote:
> <Root server> ::= Any DNS server that has final authority for a <domain tier/level>;
> <domain tier/level> ::= root, TLD, SLD, 3LD, ... nLD (0LD, 1LD, 2LD, ... ,nLD).
> This is not to be confused with root level servers that have specific authority for dot, at the root level (0LD).
Roeland, do you make this shit up as you go along, or what?

RFC 1034:

  3.1. Name space specifications and terminology

  The domain name space is a tree structure. Each node and leaf on the tree corresponds to a resource set (which may be empty). The domain system makes no distinctions between the uses of the interior nodes and leaves, and this memo uses the term "node" to refer to both.

  Each node has a label, which is zero to 63 octets in length. Brother nodes may not have the same label, although the same label can be used for nodes which are not brothers. One label is reserved, and that is the null (i.e., zero length) label used for the root.

  The domain name of a node is the list of the labels on the path from the node to the root of the tree. By convention, the labels that compose a domain name are printed or read left to right, from the most specific (lowest, farthest from the root) to the least specific (highest, closest to the root).

RFC 2010:

  1 - Rationale and Scope

  1.1. Historically, the name servers responsible for the root (".") zone have also been responsible for all international top-level domains (iTLD's, for example: COM, EDU, INT, ARPA). These name servers have been operated by a cadre of highly capable volunteers, and their administration has been loosely coordinated by the NIC (first SRI-NIC and now InterNIC). Ultimate responsibility for the correct operation of these servers and for the content of the DNS zones they served has always rested with the IANA.

RFC 2870:

  1.2 The root servers serve the root, aka ".", zone. Although today some of the root servers also serve some TLDs (top level domains) such as gTLDs (COM, NET, ORG, etc.), infrastructural TLDs such as INT and IN-ADDR.ARPA, and some ccTLDs (country code TLDs, e.g. SE for Sweden), this is likely to change (see 2.5).
> BTW, I consider RFC2870 antiquated
Is it antiquated because it does not use the Roeland Meyer definition of "root server"?

--Adam

--
Adam McKenna <adam-sig@flounder.net>      | "No matter how much it changes,
http://flounder.net/publickey.html       | technology's just a bunch of wires
GPG: 17A4 11F7 5E7E C2E7 08AA            | connected to a bunch of other wires."
     38B0 05D0 8BF7 2C6D 110A            | Joe Rogan, _NewsRadio_

5:08pm up 231 days, 15:26, 8 users, load average: 0.04, 0.01, 0.00
> <Root server> ::= Any DNS server that has final authority for a <domain tier/level>;
That's what's commonly referred to as an "authoritative name server" for the zone in question. I'll side with Bill M: a "root DNS name server" serves the root zone, aka ".".

Regards,

- Håvard
On Sat, Jan 27, 2001 at 01:52:11PM -0800, Roeland Meyer wrote:
> <Root server> ::= Any DNS server that has final authority for a <domain tier/level>;
I was right. Roeland *did* mean "a zone server" in opposition to "a customer resolver server".

Cheers,
-- jra

--
Jay R. Ashworth                                        jra@baylink.com
Member of the Technical Staff     Baylink
The Suncoast Freenet              The Things I Think
Tampa Bay, Florida                http://baylink.pitas.com   +1 727 804 5015
Ah.. your term "root server" is what I have always called "authoritative" e.g. any listed master/slave for a zone.
> <Root server> ::= Any DNS server that has final authority for a <domain tier/level>;
> <domain tier/level> ::= root, TLD, SLD, 3LD, ... nLD (0LD, 1LD, 2LD, ... ,nLD).
> This is not to be confused with root level servers that have specific authority for dot, at the root level (0LD).
On Sun, Jan 28, 2001 at 02:48:54AM +0000, bmanning@vacation.karoshi.com wrote:
> Ah.. your term "root server" is what I have always called "authoritative" e.g. any listed master/slave for a zone.
Aw, crap. I know better than not to read the whole thread first. :-)

Cheers,
-- jra

--
Jay R. Ashworth                                        jra@baylink.com
Member of the Technical Staff     Baylink
The Suncoast Freenet              The Things I Think
Tampa Bay, Florida                http://baylink.pitas.com   +1 727 804 5015
> Ergo, I thought that it was determined as best practice that name servers that were offered up, as references, should be root for that level. That is, they should be non-recursive.
I don't remember any IETF BCP making that claim. Recursion is a tool. It can be very helpful in some environments. In inappropriate hands (stupid/evil) it can cause serious damage.
> Another thing missing is a further definition of <authoritative>. Some of us have been working with the following:
> <Authoritative servers> ::= <zone authority>|<domain level authority>|<authoritative resolvers>
> <zone authority> ::= Final authority for a zone, non recursive.
> <domain level authority> ::= Final authority for a DL, non recursive (ie a.root-servers.net, gtld-servers.net, etc).
> <authoritative resolvers> ::= recursive servers, intended for use by clients, that claim authority for their specific zones. These include stub-resolvers.
Not quite what I'd use, but it's an interesting approach. Seems like there is an overlap between data origination and data publication. (Well, that's not quite right either... :)
> BTW, I consider RFC2870 antiquated, because it presupposes an architecture which may be outmoded or becoming outmoded rapidly. Load balancing and clustering technology makes RFC2870 an unnecessary waste of resources and can even get you into trouble.
Well, RFC2870 might just have taken a leaf from your book and used "root" as you have indicated. Reading it sure gives that impression.
> Yes, some of this is from work done on the ORSC roots. Yes, one of the largest problems we have had to overcome, at ORSC, IFWP, and ICANN/DNSO discussions, were semantic problems caused by overly simplistic and generic semantics.
> ....
> This happened at MSFT, ORSC, and other places that didn't join/agree/submit to namedroppers.
It's tough when the various parties can't reach agreement on the basics. One would hope that discussions are continuing between these parties and that agreement on semantics can be reached.

--bill
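The distinction the thread keeps circling, a non-recursive zone/domain-level authority versus a recursive "authoritative resolver", is visible in two header bits of every DNS response: AA (authoritative answer) and RA (recursion available). Bill's "quick looping probe" above is exactly a query with RD set, checking whether the responder comes back with RA set. The following is an added example, not code from any poster in the thread: it builds such a query with the standard library only, parses response headers, and classifies the responder in Roeland's terms. The three responses it classifies are constructed in-script so it runs offline; the name, transaction id and role labels are illustrative.

```python
import random
import struct

# Header flag bits (RFC 1035, section 4.1.1).
QR = 0x8000  # message is a response
AA = 0x0400  # authoritative answer
RD = 0x0100  # recursion desired (set by the client)
RA = 0x0080  # recursion available (set by the server)


def encode_name(name):
    """Encode a dotted name in DNS wire label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=None, rd=True):
    """Build a standard query (qtype 1 = A). RD=1 asks the server to recurse,
    which is what a recursion probe sends."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return the 12-byte DNS header as a dict of fields."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query, response):
    """Classify the responder in the thread's terms.

    RA set           -> recursive resolver (Roeland's "authoritative resolver")
    AA set, RA clear -> non-recursive zone / domain-level authority
    neither          -> a referral: the server is neither authoritative for
                        this name nor willing to recurse for us
    """
    q = parse_header(query)
    r = parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        raise ValueError("not a response to this query")
    if r["ra"]:
        return "recursive resolver (RA set)"
    if r["aa"]:
        return "non-recursive authority (AA set, RA clear)"
    return "referral only (neither AA nor RA)"


def make_response(query, aa, ra, ancount=0, nscount=0):
    """Constructed response for the demo (not a real server's reply):
    echo the query id and question, set the requested flags."""
    q = parse_header(query)
    flags = QR | (RD if q["rd"] else 0) | (AA if aa else 0) | (RA if ra else 0)
    header = struct.pack("!HHHHHH", q["id"], flags, 1, ancount, nscount, 0)
    return header + query[12:]  # echo the question section


def demo():
    """Classify three constructed responses to one RD=1 query."""
    query = build_query("www.example.com.", txid=0x1234)
    samples = {
        "zone authority": make_response(query, aa=True, ra=False, ancount=1),
        "authoritative resolver": make_response(query, aa=False, ra=True, ancount=1),
        "TLD server referral": make_response(query, aa=False, ra=False, nscount=2),
    }
    return {role: classify(query, resp) for role, resp in samples.items()}


if __name__ == "__main__":
    for role, verdict in demo().items():
        print(f"{role:24s} -> {verdict}")
```

To audit your own published name servers the way the thread suggests (the NS set in every zone file should be non-recursive), send `build_query()` over UDP port 53 to each listed server and feed the reply to `classify()`; anything that comes back with RA set is offering recursion to whoever can reach it, which is the exposure Roeland's two-tier split (non-recursive authorities, separate resolvers for clients) is meant to remove.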
participants (5)
- Adam McKenna
- bmanning@vacation.karoshi.com
- Havard.Eidnes@runit.sintef.no
- Jay R. Ashworth
- Roeland Meyer