Deletion of ns-v6.ripe.net
Dear colleagues,

The RIPE NCC provides secondary DNS for some reverse DNS zones using a server called ns.ripe.net. In the early days of IPv6, this server was also given another name, ns-v6.ripe.net, and some users used this name in their IPv6 reverse DNS zones.

Last year, we contacted these users and asked them to switch to the name ns.ripe.net instead. This makes the RIPE NCC's pre-delegation checks and provisioning system simpler.

Now that the name ns-v6.ripe.net is no longer in use by anyone, we are going to delete it from the ripe.net zone. We will do this on Thursday, 26 April.

If you have any questions or concerns about this, please send an email to <dns@ripe.net>.

Regards,
Anand Buddhdev
RIPE NCC
On 24 Apr 2018, at 15:33, Anand Buddhdev <anandb@ripe.net> wrote:
Now that the name ns-v6.ripe.net is no longer in use by anyone, we are going to delete it from the ripe.net zone.
Anand, could you clarify what you mean by “no longer in use”? Has it gone from all the reverse zones that referenced it? Are no more queries for ns-v6.ripe.net hitting the ripe.net name servers? I’m wondering if the name might still be hard-wired into scripts or provisioning/testing tools.
On Tue, Apr 24, 2018 at 03:48:39PM +0100, Jim Reid wrote:
On 24 Apr 2018, at 15:33, Anand Buddhdev <anandb@ripe.net> wrote:
Now that the name ns-v6.ripe.net is no longer in use by anyone, we are going to delete it from the ripe.net zone.
Anand, could you clarify what you mean by “no longer in use”? Has it gone from all the reverse zones that referenced it? Are no more queries for ns-v6.ripe.net hitting the ripe.net name servers?
I’m wondering if the name might still be hard-wired into scripts or provisioning/testing tools.
At least this is a good sign: https://github.com/search?q=ns-v6.ripe.net&type=Code Kind regards, Job
On 24 Apr 2018, at 15:51, Job Snijders <job@ntt.net> wrote:
At least this is a good sign: https://github.com/search?q=ns-v6.ripe.net&type=Code
Thanks Job. Though I wasn’t thinking (or caring) about github crapware. I was thinking about stuff that might have been written for internal use -- say at an ISP -- and would only show up whenever these scripts or whatever made queries for ns-v6.ripe.net. As I’m sure we all realise, there’s a long tail of legacy cruft out there. So even when some name gets removed from the DNS (or isn't found in github), that doesn’t necessarily mean that the name is no longer used. For instance, there’s still traffic going to IP addresses for root servers that were renumbered years ago. Admittedly that’s not quite the same thing because the names of the root servers in question haven’t gone away, but it illustrates the point I was trying to make.
Hi, On Tue, Apr 24, 2018 at 04:25:59PM +0100, Jim Reid wrote:
Thanks Job. Though I wasn’t thinking (or caring) about github crapware. I was thinking about stuff that might have been written for internal use -- say at an ISP -- and would only show up whenever these scripts or whatever made queries for ns-v6.ripe.net.
I would say that such software needs to be broken, often, and hard.

There is never a reason to hardwire the hostname of other people's DNS servers in your software, except if said software does special DNS checks ("is this list of servers that I expect to be authoritative for my zones up to date?"). And even for those cases, the software should consult what is in the delegation records, not "a hardwired list"...

(I won't say we do not have something, somewhere, that assumes that there is a ns-v6.ripe.net - but if we have, it needs to explode so we can find and repair it)

OTOH it might be worth some considerations about "soft landing" - that is, point ns-v6.ripe.net at a new server that logs queries, responds to everything with SERVFAIL (or forwards to ns.ripe.net?), and if you see significant traffic, contact the sender and notify them of the coming end...

Gert Doering -- writer of scripts that do stupid things -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
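Added example, not part of the thread and not RIPE NCC or SpaceNet code: a sketch of the "soft landing" listener described in the message above, which records the source address and question of every query and answers SERVFAIL. The function names, the sample query and the listening port 5353 are assumptions made for illustration.

```python
import socket
import struct
SERVFAIL = 2  # RCODE 2 (RFC 1035)

def parse_question(msg):
    """Return (qname, qtype, end_offset) of the first question in a DNS query."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question")
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        length = msg[pos]
        if length > 63 or pos + 1 + length > len(msg):  # no compression here
            raise ValueError("bad label")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace").lower())
        pos += 1 + length
    if pos + 5 > len(msg):  # terminating zero byte plus QTYPE and QCLASS
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return ".".join(labels) + ".", qtype, pos + 5

def handle(msg, source_ip, log):
    """Record who asked for what; return a SERVFAIL reply, or None for junk."""
    try:
        qname, qtype, end = parse_question(msg)
    except ValueError:
        return None
    log.append((source_ip, qname, qtype))
    ident, flags = struct.unpack("!HH", msg[:4])
    flags = 0x8000 | (flags & 0x7900) | SERVFAIL  # QR=1, keep opcode and RD
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + msg[12:end]

# Constructed query: ID 0x1234, RD set, NS for 8.b.d.0.1.0.0.2.ip6.arpa.
SAMPLE_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + b"".join(
    bytes([len(lab)]) + lab for lab in b"8.b.d.0.1.0.0.2.ip6.arpa".split(b".")
) + b"\x00" + struct.pack("!HH", 2, 1)

if __name__ == "__main__":
    seen = []
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    sock.bind(("::", 5353))  # assumed test port; a real deployment listens on 53
    while True:
        data, addr = sock.recvfrom(4096)
        reply = handle(data, addr[0], seen)
        if reply:
            sock.sendto(reply, addr)
            print(seen[-1])
```

The logged source addresses are those of whatever sent the query, so contacting "the sender" means contacting the operator of that address.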
On 24/04/2018 17:33, Gert Doering wrote: Hi Gert,
OTOH it might be worth some considerations about "soft landing" - that is, point ns-v6.ripe.net at a new server that logs queries, responds to everything with SERVFAIL (or forwards to ns.ripe.net?), and if you see significant traffic, contact the sender and notify them of the coming end...
I now realise I should have made this even more explicit:

ns.ripe.net and ns-v6.ripe.net are the same server, and have the same IP addresses. It's near-impossible for us to tell whether someone is resolving ns-v6.ripe.net, and then sending queries to its addresses.

However, having two names makes our pre-delegation and provisioning somewhat more complex, and so we wish to simplify things.

We did check that the name ns-v6.ripe.net was not listed as the target of any NS record in any delegations or apices, to ensure that reverse DNS resolution is not affected.

Regards,
Anand
Hi, On Tue, Apr 24, 2018 at 05:46:50PM +0200, Anand Buddhdev wrote:
On 24/04/2018 17:33, Gert Doering wrote:
OTOH it might be worth some considerations about "soft landing" - that is, point ns-v6.ripe.net at a new server that logs queries, responds to everything with SERVFAIL (or forwards to ns.ripe.net?), and if you see significant traffic, contact the sender and notify them of the coming end...
I now realise I should have made this even more explicit:
ns.ripe.net and ns-v6.ripe.net are the same server, and have the same IP addresses. It's near-impossible for us to tell whether someone is resolving ns-v6.ripe.net, and then sending queries to its addresses.
I understand that. Thus: have ns-v6.ripe.net point to a *new* server, which will then be able to notice "oh, people have something in their configuration, somewhere, which references ns-v6.ripe.net".

Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
On Tue, Apr 24, 2018 at 10:33:16PM +0200, Gert Doering wrote:
Thus: have ns-v6.ripe.net point to a *new* server, which will then be able to notice "oh, people have something in their configuration, somewhere, which references ns-v6.ripe.net".
will this shed only collect the bikes or also release them and if so, what type of bikes will be available to those asking? -Peter
Hi, On Wed, Apr 25, 2018 at 09:24:26AM +0200, Peter Koch wrote:
On Tue, Apr 24, 2018 at 10:33:16PM +0200, Gert Doering wrote:
Thus: have ns-v6.ripe.net point to a *new* server, which will then be able to notice "oh, people have something in their configuration, somewhere, which references ns-v6.ripe.net".
will this shed only collect the bikes or also release them and if so, what type of bikes will be available to those asking?
We should form a committee to give you a quick and definite answer.

Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
On 24 Apr 2018, at 16:33, Gert Doering <gert@space.net> wrote:
Hi,
On Tue, Apr 24, 2018 at 04:25:59PM +0100, Jim Reid wrote:
Thanks Job. Though I wasn’t thinking (or caring) about github crapware. I was thinking about stuff that might have been written for internal use -- say at an ISP -- and would only show up whenever these scripts or whatever made queries for ns-v6.ripe.net.
I would say that such software needs to be broken, often, and hard.
I agree Gert. Though before we do that, it would be good to know what’ll break and what the impact of that will be*. Probably not much in this case. However better safe than sorry. * Consider the risk mitigation effort that had to be done when it emerged there was active cruft that couldn’t handle the root KSK rollover.
Gert Doering -- writer of scripts that do stupid things
Hey, that’s *my* job! I was here first. :-)
On 24/04/2018 16:48, Jim Reid wrote: Hi Jim,
Anand, could you clarify what you mean by “no longer in use”? Has it gone from all the reverse zones that referenced it? Are no more queries for ns-v6.ripe.net hitting the ripe.net name servers?
There are no domain objects in the RIPE Database, with "ns-v6.ripe.net" in their "nserver" attributes. The domains that are using "ns.ripe.net", when queried for NS records, only return "ns.ripe.net" and not "ns-v6.ripe.net". Checking for queries for "ns-v6.ripe.net" on all the ripe.net name servers isn't possible, because we don't have access to query logs of the servers that provide us with secondary DNS service. Even if we *could* look at the queries, and they showed queries for "ns-v6.ripe.net", it doesn't mean that the name is in use.
I’m wondering if the name might still be hard-wired into scripts or provisioning/testing tools.
It may be hard-wired in some scripts, and if so, they may produce an error. However, it is not used as the target of any NS records that we are aware of, so I don't expect any major outages. Regards, Anand
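Added example, not part of the thread and not the RIPE NCC's tooling: one way to run the first check described in the message above offline, over a text dump of domain objects, by comparing each "nserver" host name exactly (case-insensitive, trailing dot ignored) rather than by substring. The sample objects are constructed, and the function names are assumptions.

```python
DEPRECATED = "ns-v6.ripe.net"

# Constructed sample objects; the address space is documentation-only.
SAMPLE_OBJECTS = """\
domain:   8.b.d.0.1.0.0.2.ip6.arpa
nserver:  ns1.example.net
nserver:  NS-V6.RIPE.NET.   # old secondary name
source:   RIPE

domain:   113.0.203.in-addr.arpa
nserver:  ns1.example.net
nserver:  ns.ripe.net
source:   RIPE
"""

def parse_objects(text):
    """Split RPSL text into objects, each a list of (attribute, value) pairs."""
    objects, current = [], []
    for line in text.splitlines() + [""]:
        if not line.strip():            # blank line ends the current object
            if current:
                objects.append(current)
            current = []
        elif line[0] in "%#":           # server remark or comment line
            continue
        elif line[0] in " \t+" and current:   # continuation of previous value
            key, value = current[-1]
            current[-1] = (key, (value + " " + line[1:].split("#")[0]).strip())
        else:
            key, _, value = line.partition(":")
            current.append((key.strip().lower(), value.split("#")[0].strip()))
    return objects

def normalise(host):
    """Compare host names case-insensitively and without the trailing dot."""
    return host.rstrip(".").lower()

def domains_using(text, nameserver=DEPRECATED):
    """Return domain objects whose nserver attribute names the given host."""
    target, hits = normalise(nameserver), []
    for obj in parse_objects(text):
        if obj[0][0] != "domain":
            continue
        servers = [v.split()[0] for k, v in obj if k == "nserver" and v]
        if any(normalise(s) == target for s in servers):
            hits.append(obj[0][1])
    return hits
```

An empty result from `domains_using` covers only the database side of the check; it says nothing about names hard-wired into scripts, which is the concern raised elsewhere in the thread.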
On 24 Apr 2018, at 16:07, Anand Buddhdev <anandb@ripe.net> wrote:
Even if we *could* look at the queries, and they showed queries for "ns-v6.ripe.net", it doesn't mean that the name is in use.
Well, I would say that if the name’s in the query traffic, that means it’s “in use”. For some definition of that term. YMMV.
I’m wondering if the name might still be hard-wired into scripts or provisioning/testing tools.
It may be hard-wired in some scripts, and if so, they may produce an error. However, it is not used as the target of any NS records that we are aware of, so I don't expect any major outages.
OK. Thanks for that Anand.
On 24/04/2018 17:28, Jim Reid wrote: Hi Jim,
Well, I would say that if the name’s in the query traffic, that means it’s “in use”. For some definition of that term. YMMV.
I respectfully disagree. A human may idly query the name ns-v6.ripe.net out of curiosity. If they happened to use one of these shiny new resolvers that do pre-fetching to keep an entry alive, the queries for that name will persist for a long time, and perhaps even forever. I don't consider this to be genuine usage. Geoff Huston has done some interesting research in this area and shown that even single-use unique names, generated for a special purpose, end up being queried for weeks or months thereafter. Regards, Anand
I respectfully disagree. A human may idly query the name ns-v6.ripe.net out of curiosity. If they happened to use one of these shiny new resolvers that do pre-fetching to keep an entry alive, the queries for that name will persist for a long time, and perhaps even forever. I don't consider this to be genuine usage. Geoff Huston has done some interesting research in this area and shown that even single-use unique names, generated for a special purpose, end up being queried for weeks or months thereafter.
long being a naggumite, i'm with gert. drop the junk on the floor. randy
participants (6): Anand Buddhdev, Gert Doering, Jim Reid, Job Snijders, Peter Koch, Randy Bush