Hi Jeroen,

Our name servers continue to record some statistics relating to "ns.ripe.net". There are still queries coming to its IP addresses, but this query volume is less than 1% of the total query rate. These queries are likely caused by 345 zones, which still have our name server in the NS records at the zone's apex. DNS resolvers that query our name server are now getting NOERROR responses, with an empty answer section, and the zone's other name servers in the authority section (a referral). Most DNS resolvers are used to dealing with this kind of breakage, and will try the other name servers.

Tomorrow, we will drop all the address records of "ns.ripe.net", and that should stop most of the queries. As you have noted, there may still be some queries, either caused by in-zone names for the addresses of our server, or just other random queries. Unfortunately, we do not have the resources to set up another IP address for this name server and capture the traffic. We expect the volume to be very low, and not worth all the extra work of capturing the traffic.

In the early days of this project, we sent the notification emails with a bitbucket sender address, so we did not see the bounces. In the last 2 notifications in November and December 2024, we changed the sender address that could see the bounces. We sent the email to over 1000 addresses, and there were around 100 bounces. In a small number of cases, all emails sent to a zone's contacts bounced.

Regards,
Anand Buddhdev
RIPE NCC

On Tue, 14 Jan 2025 at 10:13, Jeroen Massar <jeroen@massar.ch> wrote:

> On 14 Jan 2025, at 09:59, Anand Buddhdev <anandb@ripe.net> wrote:
>
> Dear colleagues,
>
> On Wednesday 15 January, we'll be moving on to the final phase of removing our secondary DNS service for LIRs (ns.ripe.net) and updating all associated objects in the RIPE Database. This update will remove the "nserver: ns.ripe.net" attribute from them.
>
> I am happy to report that 93% of the zones have been updated and stopped using ns.ripe.net as a secondary name server. The remaining zones that have not been updated will not be affected because they will have at least one working name server after this update. Therefore, we do not expect the DNS resolution of these zones to fail.


Hi Anand,

After you remove the nserver entry in WHOIS, will you do a bit of dumping of at least the domains that are still attempted to be resolved through ns.ripe.net to have a small overview of the amount of domains and amount of queries that are still flowing there?

Before shutting down / removing the label of ns.ripe.net another experiment that one could do is to change the IP of ns.ripe.net to a distinct one, one then either should see queries follow to that new IP (thus them having a NS of ns.ripe.net) or staying on the old IP (thus them using a different name in the NS).

Noting that the group that is using the IP 'directly' (or well, outside of the ns.ripe.net name) will cause those queries to keep on going to your IP, and when you shut down that IP it will just mean ICMP traffic and retries...

For the ones using ns.ripe.net, they will keep on trying to resolve ns.ripe.net but at least if you put a long TTL on the NXDOMAIN it should be decently cached and thus not impact your infra too much.


Also, as there are contacts in the WHOIS entry, and you made an effort to contact the owners, can you state what the response rate was, also how many of the contacts bounced? Were they focussed on a few LIRs or spread out, old records or any other insights? Could be a good way to see how 'correct' the data in WHOIS actually is...



Nevertheless good luck! (especially in the hope that the remaining query rate is low and no incidents too of course :) )


Regards,
 Jeroen
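
Added example, not part of either message and not RIPE NCC tooling: a zone operator's check for the two kinds of leftover dependency discussed in this thread, an apex NS record naming ns.ripe.net ("by-name") versus an NS target under another name whose address records point at the retired server ("by-address"). The retired addresses are placeholders from documentation ranges because the thread does not list the real ones, and the zone data and the simplified "owner TYPE rdata" format are constructed.

```python
import ipaddress

RETIRED_NAME = "ns.ripe.net."
# Placeholder addresses (documentation ranges); substitute the real ones.
RETIRED_ADDRS = {ipaddress.ip_address("192.0.2.53"),
                 ipaddress.ip_address("2001:db8::53")}

def parse_records(zone_text):
    """Parse simplified 'owner TYPE rdata' lines (no TTL, class or $ORIGIN)."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        records.append((owner.lower(), rtype.upper(), rdata.strip().lower()))
    return records

def audit_zone(apex, zone_text):
    """Return (ns_target, kind) for each apex NS still tied to the retired server."""
    apex = apex.lower()
    records = parse_records(zone_text)
    addrs = {}                                  # owner name -> set of addresses
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(ipaddress.ip_address(rdata))
    findings = []
    for owner, rtype, rdata in records:
        if owner != apex or rtype != "NS":
            continue
        if rdata == RETIRED_NAME:
            findings.append((rdata, "by-name"))
        elif addrs.get(rdata, set()) & RETIRED_ADDRS:
            findings.append((rdata, "by-address"))
    return findings

# Constructed sample zones.
ZONE_BY_NAME = """
example.org. NS ns1.example.net.
example.org. NS ns.ripe.net.          ; stale secondary, referenced by name
"""
ZONE_BY_ADDR = """
example.com. NS ns1.example.net.
example.com. NS sec.example.com.
sec.example.com. A 192.0.2.53         ; own name for the retired server's address
"""

if __name__ == "__main__":
    print(audit_zone("example.org.", ZONE_BY_NAME))
    print(audit_zone("example.com.", ZONE_BY_ADDR))
```

Per the thread, "by-name" delegations stop generating queries once the address records of ns.ripe.net are dropped, while "by-address" ones keep sending queries to the old IP until the zone owner removes the record.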