March 1996 - dns-wg - mailman.ripe.net

DNS and UDP checksumming
by Geert Jan de Groot 31 Mar '96

31 Mar '96

Hi folks, Increasingly I get reports on bogus DNS records that are apperently caused by bitflips, possibly caused by bad lines and line protocols without error detection. The UDP protocol does not protect against this as the base spec does not require checksumming; a packet without checksum normally gets accepted and its poisenous contents processed by the DNS system. Of course, the best thing to do is to have everybody generate and verify checksums, but this is hard to change now because of the installed base. To the best of my knowledge, the only wide-spread platform that does not do UDP checksumming by default is 'solaris classic' aka SunOs. Even for this platform, enabling UDP checksumming is a simple command. The impact of this bogus information is obviously quite severe and once a bogus record is inserted, it does not die immediately but may stay in the caches for quite some time. RFC1122 (4.1.3.4) keeps the possibility open that apps ignore UDP packets that do not have checksums on them. On BSD-deratives this is hard to verify since the checksum of a packet is not easily obtained. However, it seems quite simple to modify a BSD-kernel to ignore all UDP packets without checksum; yielding the same result. I'm wondering if the RIPE community would concider this acceptable behaviour - it would mean that a host which doesn't do checksumming, will not be able to talk to one which enforces it. This obviously helps to get the message across, the same way as valid reverse lookup mapping for access to many FTP sites is an incentive for people to make their reverse lookup mapping work. What does the DNS working group think on this matter? Geert Jan

2 1

Can I have a look at your named cache please?
by Geert Jan de Groot 25 Mar '96

25 Mar '96

Hi, ns.ripe.net is stormed with IN A requests for @.root-servers.net. It looks like this isn't an isolated incident; I received similar reports from one of the other nameservers of root-servers.net. Given the intensity of the incident (we get 2 times as much requests on this than all other requests combined), I don't believe this is caused by a single bitflip somewhere. It would be real nice if the maintainers of some 'popular' caching nameservers would do a cache dump (kill -INT named), look if @.root-servers.net is listed somewhere, and send me the details if you find it in your cache. Thanks, Geert Jan

4 3

Re: Can I have a look at your named cache please?
by Havard.Eidnes＠runit.sintef.no 24 Mar '96

24 Mar '96

Hi, the relevant things I find are on aun.uninett.no (nothing much interesting): $ORIGIN ROOT-SERVERS.net. ;@ 548 IN A NXDOMAIN ;-$ ;[193.0.0.193] A 38874 IN A 198.41.0.4 ;NT=112 Cr=auth [193.0.0.193] B 444608 IN A 128.9.0.107 ;NT=136 Cr=auth [193.0.0.193] C 445485 IN A 192.33.4.12 ;NT=1361 Cr=auth [193.0.0.193] D 451625 IN A 128.8.10.90 ;NT=245 Cr=auth [193.0.0.193] E 574845 IN A 192.203.230.10 ;NT=483 Cr=auth [193.0.0.193] F 156088 IN A 192.5.5.241 ;NT=245 Cr=auth [198.41.0.5] G 477455 IN A 192.112.36.4 ;NT=92 Cr=auth [193.0.0.193] H 437295 IN A 128.63.2.53 ;NT=225 Cr=auth [193.0.0.193] I 442643 IN A 192.36.148.17 ;NT=71 Cr=auth [193.0.0.193] However, on runix.runit.sintef.no I find: COM 461985 IN NS B.ROOT-SERVERS.NET. ;Cr=addtnl [198.6.197.1] 461985 IN NS C.ROOT-SERVERS.NET. ;Cr=addtnl [198.6.197.1] 461985 IN NS D.ROOT-SERVERS.NET. ;Cr=addtnl [198.6.197.1] 461985 IN NS E.ROOT-SERVERS.NET. ;Cr=addtnl [198.6.197.1] 461985 IN NS I.ROOT-SERVERS.NET. ;Cr=addtnl [198.6.197.1] 461985 IN NS F.ROOT-SERVERS.NET. ;Cr=addtnl [198.6.197.1] 461985 IN NS G.ROOT-SERVERS.NET. ;Cr=addtnl [198.6.197.1] 461985 IN NS A.ROOT-SERVERS.NET. ;Cr=addtnl [198.6.197.1] 461985 IN NS H.ROOT-SERVERS.NET. ;Cr=addtnl [198.6.197.1] 202438 IN NS @.ROOT-SERVERS.NET. ;Cr=addtnl [204.96.68.1] 77368 IN SOA A.ROOT-SERVERS.NET. HOSTMASTER.INTERNIC.NET. ( 1996032200 10800 900 604800 86400 ) ;Cr=addtnl [192.36.148.17] 296566 IN NS F.I.ROOT-SERVERS.net. ;Cr=addtnl [198.6.197.1] 336242 IN NS I.ROOT-SERVERS.LET. ;Cr=addtnl [198.6.197.1] 336242 IN NS F.ROOT-SERVERS.LET. ;Cr=addtnl [198.6.197.1] 336242 IN NS G.ROOT-SERVERS.LET. ;Cr=addtnl [198.6.197.1] 336242 IN NS A.ROOT-SERVERS.LET. ;Cr=addtnl [198.6.197.1] Not good at all. 204.96.68.1 is olympic.pacificrim.net. It appears to be running 4.9.3, and does not appear to be the source of the bad data. 198.6.197.1 is unregistered (it's located somewhere behind net99.net and cais.net). It also appears to be running a recent version of BIND and does also not appear to be the source of the bad data. This looks suspiciuosly like the ns.uu.net fun, and my bet is that it will be real difficult to track down the real source of this bogus information. - Havard

1 0

ripe23-dns draft minutes
by Antonio_Blasco Bonito 20 Mar '96

20 Mar '96

Hi folks, here are (thanks Carol!) the draft minutes of the last DNS working group. You are encouraged in reading and reporting about any wrong or missing part. Please do that before friday march 5th. I will then finalize the minutes. ---------- ---------- Antonio-Blasco Bonito E-Mail: bonito(a)nis.garr.it GARR - Network Information Service c=it;a=garr;p=garr;o=nis;s=bonito c/o CNUCE - Istituto del CNR Tel: +39 50 593246 Via S. Maria, 36 Fax: +39 50 904052 I-56126 PISA Telex: 500371 CNUCE I Italy Url: http://www.nis.garr.it/nis/staff/bonito.html ---------- ---------- ======================================================================= DRAFT-DRAFT-DRAFT-DRAFT-DRAFT-DRAFT-DRAFT-DRAFT-DRAFT-DRAFT-DRAFT-DRAFT RIPE-23 dns-wg Meeting Monday, January 29, 1996 14.00 - 16:15 Chair: Antonio-Blasco Bonito Scribe: Carol Orange Attended by 93 people (see below for the list) Agenda ------ 1. Scribe 2. WG-agenda bashing 3. DNS Working Group chair needed 4. Status of 'in-addr.arpa' automatic checking and delegation 5. Status of the BIND software 6. Report of problems experienced 7. Report on European TLDs administrator's questionnaire 8. Delegation of International TLDs (Randy Bush) ----------------------------------------------------------------- 1. Scribe Carol Orange took notes. 2. Agenda The agenda was agreed to without changes. 3. DNS Working Group Chair Rob Blokzijl: + announced that the former DNS-WG chair (Leonid A. Yegoshin) had to resign due to a change in both job and residence. + invited people to suggest candidates for the DNS working group chair. Hopefully a new chair will be appointed during the next RIPE meeting. 4. Status of 'in-addr.arpa' automatic checking and delegation David Kessens gave an update on the tool he created for 'in-addr.arpa' automatic checking and delegation. His report included the following information: To use the tool, one must: + submit the appropriate RIPE database template (inetnum or domain). + send the template to <auto-inaddr(a)ripe.net>. The tool will: + check the setup of the primary and secondary name servers. + if no errors are detected, forward request to human operator for final approval. + report back to user. The tool will *not*: + check the relative location of servers. + check whether the corresponding address space is allocated or assigned. + check whether /24's which fall under a /16 to be delegated, have been delegated. The latest version has several software improvements including: + a standardised output transaction format. + tools for RIPE support staff to check what the tool does not check (see above). + a number of bug fixes. Currently under development: + a tool to automatically update RIPE NCC zone files after human approval. Plans to integrate the tool in RIPE database will mean: + requests should be submitted to database with keyword. + the RIPE database authentication mechanism will be used to validate requests. The tool is available in: + ftp://ftp.ripe.net/tools/inaddrcheck-960110.tar.gz Following David's report, the following discussion ensued. Documentation about reverse delegation procedures was requested. David replied that the necessary information will be provided in ripe-104++. Whether the automated mechanisms for inverse delegations will work with IPv6 came up. There was some discussion as to whether this is important given the slow progress of IPv6. However it was also mentioned that as test beds are becoming operational, these and other tools will be needed to support them. It is expected that at most minor modifications to these mechanisms will be required for use with IPv6. Randy Bush raised the issue of data integrity of DNS, and asked whether steps are being taken to prevent corruption of the inaddr.arpa name space delegated in Europe. After some discussion on this topic, Randy said he has some tools available for inspecting the integrity of DNS name space. Those interested are welcome to contact him. This was followed by a discussion of how lame delegations come into being and why they need to be cleaned up. It was pointed out that the number of bad entries in the inaddr.arpa name space will increase as renumbering goes in to effect. It was also mentioned that currently the integrity of the European inaddr.arpa name space data is quite good. 5. Status of the BIND software Blasco Bonito announced that a the final version of Bind 4.9.3 has been released. Geert Jan de Groot recommended using the "no recursion" option available in version 4.9.3 to prevent data pollution, and to control data sizes. This is useful if resources are limited. ** Action: Geert Jan offered to write up recommendations for managing large databases. Finally, Randy Bush reported that a new version of TGV is available for VMS users. Their new release contains, among much other stuff, a modern version of BIND with all the recent improvements (performance, security, etc). Folks should be strongly encouraged to upgrade. By the way, TGV was recently bought by cisco. 6. Report of problems experienced There have been some problems with the delegation of TLD names under non TLD domains. For example, someone recently delegated the name sgi.net.co.uk. The result is that sgi.com couldn't be resolved anymore when using some old resolvers. As a large number of similar names were generated, the DNS name space became severely polluted, and it took two days to clear it up. According to Geert Jan, the problem is caused in part by old bind software, which in accordance with RFC1535 should no longer be used, but in practice is. Guy Davis says that in the UK, delegation of top level domain names under TLD's (e.g. net.uk) will no longer be permitted. It was reported that this is already the case in other countries (i.e. Germany, Italy, ...) and that DNS second level administrators are also discouraged from allowing top level domain names to be used. There was some discussion as to whether the problem should be solved by getting administrators to replace old resolver software or by getting them to abstain from delegating TLD names. In the end, there was consensus that the problem should be tackled as a combined effort. It was mentioned again that the security issues are discussed in RFC-1535 and that DNS administrators should be reminded to review that document carefully. 7. Report on European TLDs administrator's questionnaire Guy Davis reported on a questionnaire he sent out to European TLD administrators. The questionnaire was designed to determine the policies used in DNS delegations by the TLD administrators. A summary of the report he presented follows. Anyone interested in the full set of information gathered can send a request to <guyd(a)pipex.net>. DNS TLD - Questionnaire - 22 response for 24 top level domains - Full set of answers available on request email: guyd(a)pipex.net EDITED HIGHLIGHTS 1. Who defines your policies? Org Running TLD - 15 1/2 The Government - 1 1/2 ISPs by consensus - 4 2. How do you establish your policies? By Working Group - 2 Told by Govt. - 1 1/2 Decided by Org Running TLD - 7 1/2 ISPs by Concencus - 10 3. What Legal Status do your decisions/policies have? None - 19 1/2 As defined by Govt. - 1 1/2 4a Public Subdomains? Yes - 7 No - 15 b Geographic Subdomains? Yes - 6 No - 16 c 2nd level categories (private & public) in parallel? Yes - 6 No - 16 d If you have public subdomains must everybodies request be accepted? Yes - 7 N/A - 15 e How would you split your TLD See full listing - 6 N/A - 16 5a Sub. TLD? Yes - 20 No -2 b Sub. public TLD? Yes - 7 No - 15 6a Who can obtain domains? Anyone - 11 Just Orgs - 11 8 Must the requester be local? Yes - 16 No - 6 9a More than one domain per Org. ? Yes - 12 No - 10 17a Do you charge ? Yes - 5 No - 16 19 Are you likely to change the system within 12 months? Yes - 14 No - 5 Don't know - 3 22 Do you use automation? Yes - 11 No - 11 After Guy's presentation of the above data, a discussion started regarding the charging fees and schedules. Most TLD administrators presently don't charge, but are thinking about doing so to cover their costs. Among those who do charge, some have only a one time fee, and some have a yearly administration fee. There does not appear to be competition among the national TLD administrators. Moreover, running a TLD is primarily performed as a nonprofit service to the Internet community. Blasco suggested a need for better coordination among TLD administrators, so they can consult one another on technical and policy matters. It was pointed out that this does not mean they will all follow the same policy. The question was raised as to whether some private forum for communication among TLD administrators should be created, so they can exchange information easily. Whether or not 2nd level domain administrators might be included in the "private" communication was considered. ** Action: Daniel offered that the RIPE NCC will set up a mailing list for TLD administrators. A need was also expressed that the policies of TLD administrators be made public. ** Action: The RIPE NCC will incorporate a page where TLD policies can be published at its WWW site. It was suggested the questionnaire be repeated in 6 months so that changes in policy can be monitored. 8. Delegation of International TLDs (Randy Bush) Randy Bush explained that there is a lot of talk in the US at the moment about whether and why new TLD's should be created. International TLD's are com, org & net. The main reason for expanding these is to create healthy competition in the market. Also, the US government (NSF here) wants to be out of the IP and DNS delegation business. Randy also presented a set of guidelines that should be used in determining whether a new TLD can be created. There was some discussion as to whether or not names should be used for profit. Also, whether a white pages service (which is what DNS provides) is sufficient, or whether we should start looking into yellow page models for directory services. Back to the name space: it is perceived that the US wants to control the name space. Who gave them the right to edu, mil, and gov? Basically, it was stated that the US came up with those names, so they have a right to them. Still the process remains unclear. Piet Beertema said the US should use the extension "us" just as other countries use country extensions. Randy then summarised the proposal they are submitting to slowly expand the number of TLD's. The number of TLD's would be increased at a rate of about 3-5 per year. Basically, anyone suggesting a new domain should argue that it will serve some purpose that none of the currently existing TLD's do, and agree that it will be managed responsibly following the guidelines agreed to in RFC1591 (as well as some new ones: nondiscrimination policies, appeals procedures, etc.). Piet B. pointed out that those changes only generate a false sense of order in the chaos. The new policies only apply to new TLD's, not to the old ones. No similar restrictions are applied to second level domain administrators. Mike Norris pointed out that DNS administration is experienced as a public service in Europe. Randy said that "com" on the other hand is turning into a high profit monopoly, and the new suggestions are intended to curb its power. A discussion surrounding the trademark wars surrounding domain names started up. Should the names be delegated on a "first come, first served" or should DNS administrators be required to control trademarks. Back to the issue as to whether new TLD's should be created: It was suggested that whereas the US TLD's fall under ".", they should be placed under "us" (e.g. com.us, mil.us, edu.us, etc). In other words, the problems surrounding "name for profit" monopolies are US based, and should be solved there. To clarify, this Randy asked the audience whether they should be removed from the root. There was general consesus about that. That was about it for the DNS working group. Attendees list -------------- Antonio-Blasco Bonito GARR-NIS Rob Blokzijl RIPE Jiri Orsag Eunet CZ Jan HrJonka -U- Kurt Kayser ECRC Marc Pichon TRANSPAC Bernard Tuy CNRS / UREC Arnold Nipper NIG/Xlink Elise Gerich Merit Havard Eidnes NORDUnet/Uninett Alfons Friedl SERVICOM Dirk Pantring DENIC Sabine Dolderer DENIC Guy Davies Unipalm PIPEX Lars-Johan Liman Ebone NOC Geert Jan de Groot RIPE NCC Hans Petter Holen SCHIBSTED NETT AS Ivan Sedinic HPT - Croatian Post and Teleco Stephan Biesbroeck BELNET Christophe Huygens Katholieke Universiteit Leuven Sean Doran Sprint Els Willems RIPE NCC Randy Bush Michel Colin Brussels University/Service Te Steve Druck TERENA Ariel T. Sobelman TERENA Hatice Kuey RIPE NCC John Crain RIPE NCC Johannes 5 Joemann Object Factory GmbH Oliver Mandischer Object Factory GmbH ??? RENATER Paul Rolland Oleane Ireneusz Neska NASK Simon Cavendish EuroNet Internet Erwin Blekkenhorst EuroNet Internet Astrid Nijenhuis EuroNet Internet ??? A. Vrivine SKYWORLD Ivan Communod FTNSNL Alina Dodescu Research Institute for Informa Jan-Pieter Cornet NL.XS4ALL Erik Bos nl.xs4all Cor Bosman XS4ALL Kimmo Kosonen Telecom Finland Jarmo Oksanen Telecom Finland Willi Huber SWITCH Per Mattsson Unisource Business Networks Hakan Hansson Unisource Business Networks Harm Werkman Unisource Business Networks NL Geza Turchanyi INFO-C Nick Shield UKERNA/JANET Kevin Hoadley ULCC/JANET Asquith Bonaparte JANET NOSC Bettina Kauth DFN-NOC Steven Bakker DANTE Daniele Bovio America OnLine Vaclav Novak CESNET Tomas Marsalek GTS CzechCom Juergen Rauschenbach DFN Anne Lord PIPEX International Stef Van Dessel INnet Magnus Danielson KTH Nigel Titley BTnet Giovanni Armanino GARR-NIS Piet Beertema CWI/NL TLD registry Francis Dupont INRIA Wilfried Woeber VUCC / ACOnet Tibor Weis SANET - Slovakia Barbara Dooley CIX Frank Slyne Telecom Eireann Oliver Smith Demon Internet Cliff Stanford Demon Internet Limited Dusan Keprta EuroTel Bratislava Ltd. Pavel Mikus EuroTel Bratislava Ltd. Oliver Doll EUnet Deutschland GmbH Janos Zsako BankNet Pulak Rakshit Cable Online Javed Mirza Cable Online Holger Weinhardt EUnet Deutschland GmbH Balazs Martos HUNGARNET Janos Bajza HUNGARNET Ton Windgassen= IBM Global Network Europe= Carol Orange RIPE NCC Daniel Karrenberg RIPE NCC Bill Cessna IBM Global Network Matt Fakray IBM Global Network Helena Svensson Tele2 / SWIPnet Armando Domingues FCCN/RCCN Graca Carvalho FCCN/RCCN Miguel Sanz RedIRIS Ruediger Volk Deutsche Telekom Hans Frese DESY Elisabetta Ghermandi I.N.F.N. - CNAF Rushdul Mannan Xara Networks Ltd DRAFT-DRAFT-DRAFT-DRAFT-DRAFT-DRAFT-DRAFT-DRAFT-DRAFT-DRAFT-DRAFT-DRAFT =======================================================================

1 1