Experiments on production DNS (was: Re: NS.EU.NET running NSD)
As far as I remember, on 1 October 2002 people using ns.EU.net as secondary for their zones received the following announcement from RIPE NCC (just stating the significant part):
We, the RIPE NCC, host the nameserver ns.eu.net since the beginning of June 2002 as a service to the Internet community, to give the administrators of the large number of domains that ns.eu.net is still running secondary nameservice for, ample time to stop referencing to it.
We cannot provide this service indefinitely and are planning to stop running ns.eu.net in 1 month time, in the beginning of November 2002.
Despite the warning, ns.EU.net continued to operate normally after November 2002. Well, many people probably appreciate this. However, since a few days ago a lot of ccTLD administrators started to complain about reachability of ns.EU.net. Today we got the explanation about it:
Since January 13, the RIPE NCC is running the NS.EU.NET nameserver with a new software, NSD ( http://www.nlnetlabs.nl/nsd ).
Well, experimenting is just fine, but don't you think people should have been warned in advance? I don't need ns.EU.net anymore, since I moved all domains we need to another server. However, some ccTLD's are still using it and blaming our company for the problems, since EU.net domain is still owned and operated by us.
Your argument might be that "they had enough time to migrate". True. You are free to remove them completely from ns.EU.net, but as long as ns.EU.net is a live box and serves as a DNS - it is a part of production environment.
Would you, please, take a look into 4 ccTLD's that return NXDOMAIN and take care they continue to have normal service:
al ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
bg ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
tp ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
zw ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
Their primaries are:
al 146.48.65.46
bg 192.92.129.1
tp 194.106.128.50
zw 194.133.122.47
Regards,
Beri
--------- Berislav Todorovic, Senior IP Specialist --------
----- KPN Eurorings B.V. - IP Engineering/NOC/Support -----
---- Telecomplein 5, 2516 CK Den Haag, NL ----
----- Email: beri@eurorings.net <=> beri@EU.net ----
"Berislav" == Berislav Todorovic <beri@eurorings.net> writes:
Berislav> As far as I remember, on 1 October 2002 people using
Berislav> ns.EU.net as secondary for their zones received the
Berislav> following announcement from RIPE NCC (just stating the
Berislav> significant part):
>>> We, the RIPE NCC, host the nameserver ns.eu.net since the
>>> beginning of June 2002 as a service to the Internet community,
>>> to give the administrators of the large number of domains that
>>> ns.eu.net is still running secondary nameservice for, ample
>>> time to stop referencing to it.
>>>
>>> We cannot provide this service indefinitely and are planning
>>> to stop running ns.eu.net in 1 month time, in the beginning of
>>> November 2002.
Berislav> Despite the warning, ns.EU.net continued to operate
Berislav> normally after November 2002. Well, many people probably
Berislav> appreciate this.
May be, but that's MORE THAN TWO MONTHS after the deadline. RIPE NCC pretty much said all bets would be off after Nov 1st. Nobody should have planned on that server staying alive after the date given unless a revised one was published. RIPE NCC gave a 5 month warning of this deadline. That should have been more than enough time for the zones on that server to be found new homes, even with all the ICANN/DoC formalities to get the root zone updated.
Berislav> However, since a few days ago a lot of ccTLD
Berislav> administrators started to complain about
Berislav> reachability of ns.EU.net. Today we got the explanation
Berislav> about it:
>>> Since January 13, the RIPE NCC is running the NS.EU.NET
>>> nameserver with a new software, NSD (
>>> http://www.nlnetlabs.nl/nsd ).
This is not necessarily an explanation. ns.eu.net is up and running just fine.
Berislav> Well, experimenting is just fine, but don't you think
Berislav> people should have been warned in advance?
They should have been. Though I have no idea whether this was done or not. Since I don't use that server, it's unlikely I would have been informed about the change of DNS software.
Berislav> Your argument might be that "they had enough time to
Berislav> migrate". True. You are free to remove them completely
Berislav> from ns.EU.net, but as long as ns.EU.net is a live box
Berislav> and serves as a DNS - it is a part of production
Berislav> environment.
This should not preclude the server running NSD. The code has been around for a while now and has been subjected to exhaustive testing. In a testbed, it was replayed a trace in real-time of the query traffic reaching k.root-servers.net. It worked just fine. Moving NSD on to ns.eu.net seems a reasonable step towards getting NSD into production use. That has to be a Good Thing since it increases the gene pool of DNS code. I'm sure the NCC folks would not have taken that step if they had doubts over the suitability of NSD.
Berislav> Would you, please, take a look into 4 ccTLD's that
Berislav> return NXDOMAIN and take care they continue to have
Berislav> normal service:
Berislav> al ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
Berislav> bg ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
Berislav> tp ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
Berislav> zw ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
This can have absolutely nothing to do with the complaint you have made. If ns.eu.net was dead, which it isn't, name servers would try the other authoritative servers for each of these TLDs. If none of them responded, you'd be getting connection time out errors, not NXDOMAIN. So complaints about the reachability of ns.eu.net don't stand up: at least not from the data you've provided. NXDOMAIN responses cannot possibly be a consequence of connectivity problems because something has had to send back that response. QED.
The fact you're reporting NXDOMAIN errors points to a different problem. A name server or servers are saying these TLDs don't exist, which is absurd. So there is a misconfigured server or some cache poisoning going on. That's got nothing to do with what name server software runs on ns.eu.net. Unless of course someone configured it to tell lies for these 4 TLDs.
On 17.01 15:18, Jim Reid wrote:
The fact you're reporting NXDOMAIN errors points to a different problem. A name server or servers are saying these TLDs don't exist, which is absurd. So there is a misconfigured server or some cache poisoning going on. That's got nothing to do with what name server software runs on ns.eu.net. Unless of course someone configured it to tell lies for these 4 TLDs.
Which is in fact what happened by accident. So ns.eu.net was telling lies about those TLDs for a short period until this was corrected. (More detail: It was configured with a root zone consisting of the bind root.cache file. So the server considered itself authoritative for the root but did not have a correct root zone file.)
Lesson learned: Differences in nsd operation to bind need to be documented even more explicitly than they already are.
Daniel
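
The failure described in the message above (a hints file loaded as the root zone, so the server answers authoritatively with NXDOMAIN for TLDs it has no data for) can be caught before a server goes live. The following is an added example, not part of the original thread and not NSD or RIPE NCC code: a simplified pre-load check with a hypothetical `check_zone` helper and constructed sample data, assuming one record per line with an explicit owner name.

```python
CLASSES = {"IN", "CH", "HS"}

# Constructed sample in the style of a root hints file: NS records for "."
# and server addresses (documentation range), but no SOA and no TLD delegations.
HINTS_SAMPLE = """\
; constructed hints-style data
.                    3600000 IN NS a.root-servers.net.
a.root-servers.net.  3600000    A  192.0.2.1
.                    3600000    NS b.root-servers.net.
b.root-servers.net.  3600000    A  192.0.2.2
"""

# Constructed sample of what a servable root zone needs: SOA, apex NS, delegations.
ZONE_SAMPLE = """\
. 86400 IN SOA a.root-servers.net. hostmaster.example. 2003011701 1800 900 604800 86400
. 518400 IN NS a.root-servers.net.
al. 172800 IN NS ns1.example.
bg. 172800 IN NS ns1.example.
tp. 172800 IN NS ns1.example.
zw. 172800 IN NS ns1.example.
"""

def records(text):
    """Yield (owner, rtype) pairs. Assumes one record per line with an explicit
    owner name (no $-directives, parentheses or inherited owners)."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 2:
            continue
        owner, rest = fields[0].lower(), fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest = rest[1:]          # skip optional TTL and class
        if rest:
            yield owner, rest[0].upper()

def check_zone(apex, text, expected_children=()):
    """Return the reasons `text` must not be loaded as authoritative zone `apex`."""
    apex, recs, problems = apex.lower(), list(records(text)), []
    soa_count = sum(1 for owner, rtype in recs if owner == apex and rtype == "SOA")
    if soa_count != 1:
        problems.append(f"need exactly one SOA at {apex!r}, found {soa_count}")
    if not any(owner == apex and rtype == "NS" for owner, rtype in recs):
        problems.append(f"no NS records at apex {apex!r}")
    delegated = {owner for owner, rtype in recs if rtype == "NS" and owner != apex}
    for child in expected_children:
        if child.lower() not in delegated:
            problems.append(f"{child!r} not delegated: server would answer NXDOMAIN")
    return problems

if __name__ == "__main__":
    for name, data in (("hints", HINTS_SAMPLE), ("zone", ZONE_SAMPLE)):
        print(name, check_zone(".", data, ["al.", "bg.", "tp.", "zw."]) or "OK")
```
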
On Thu, Jan 16, 2003 at 11:18:11AM +0100, Berislav Todorovic <beri@eurorings.net> wrote a message of 56 lines which said:
However, some ccTLD's are still using it
BTW, they are not always at fault. As you know, for every change in the root zone (even to change a name server), ICANN requires that you sign a contract that most ccTLDs refuse (among other things, it requires the right for ICANN to AXFR your entire zone file, for ridiculous reasons, see <URL:http://www.centr.org/docs/statements/ICANN-Zone-Access-Comments.html>). Albanians, for instance, required the change many months ago but ICANN is still holding the change because they do not want to sign. French had a similar problem.
Your argument might be that "they had enough time to migrate". True.
Yes, they had, but ICANN/DoC bureaucrats hold them hostages.
You are free to remove them completely from ns.EU.net, but as long as ns.EU.net is a live box and serves as a DNS - it is a part of production environment.
IMHO, it is better to shut it down completely. The DNS behaves fine when a server is down, not when it is running and giving possibly wrong information (as ns.eu.net hosted by RIPE already did for former domains of EUnet-France). Otherwise, nsd is a very fine software :-) and I'm glad to see it used in production. Why not trying it on NS.RIPE.NET?
On 17.01 16:10, Stephane Bortzmeyer wrote:
On Thu, Jan 16, 2003 at 11:18:11AM +0100, Berislav Todorovic <beri@eurorings.net> wrote a message of 56 lines which said:
However, some ccTLD's are still using it
...
Albanians, for instance, required the change many months ago but ICANN is still holding the change because they do not want to sign. French had a similar problem.
Your argument might be that "they had enough time to migrate". True.
Yes, they had, but ICANN/DoC bureaucrats hold them hostages.
If people feel inclined to send e-mail about this subject, please address it to one or more of the persons mentioned on http://www.icann.org/general/abouticann.htm
Daniel
On Mon, Jan 20, 2003 at 12:01:56PM +0100, Daniel Karrenberg <daniel.karrenberg@ripe.net> wrote a message of 22 lines which said:
Yes, they had, but ICANN/DoC bureaucrats hold them hostages.
If people feel inclined to send e-mail about this subject, please address it to one or more of the persons mentioned on
Funny joke, writing to ICANN when you disagree with them :-)
I am aware that RIPE is not ICANN and that ICANN Web server is www.icann.org. I just wanted to be sure that nobody left the thread with the impression that some ccTLD managers are lousy enough to take several months to make their paperwork when a nameserver changes. Now that the responsibilities have been clearly determined, we can go back to nsd.
----- Original Message -----
From: "Daniel Karrenberg" <daniel.karrenberg@ripe.net>
To: "Stephane Bortzmeyer" <bortzmeyer@nic.fr>
Cc: "Berislav Todorovic" <beri@eurorings.net>; <dns-wg@ripe.net>
Sent: Monday, January 20, 2003 5:01 AM
Subject: Re: Experiments on production DNS (was: Re: NS.EU.NET running NSD)
On 17.01 16:10, Stephane Bortzmeyer wrote:
On Thu, Jan 16, 2003 at 11:18:11AM +0100, Berislav Todorovic <beri@eurorings.net> wrote a message of 56 lines which said:
However, some ccTLD's are still using it
...
Albanians, for instance, required the change many months ago but ICANN is still holding the change because they do not want to sign. French had a similar problem.
Your argument might be that "they had enough time to migrate". True.
Yes, they had, but ICANN/DoC bureaucrats hold them hostages.
If people feel inclined to send e-mail about this subject, please address it to one or more of the persons mentioned on http://www.icann.org/general/abouticann.htm
Daniel
http://www.dnso.org/constituency/ncmembers.html philip.sheppard@aim.be mcade@att.com Grant.Forsyth@team.telstraclear.co.nz rcochetti@verisign.com ck@nic.museum Jordyn.Buchanan@Registrypro.com harris@cabase.org.ar tony.ar.holmes@bt.com greg_ruth@yahoo.com ehchun@peacenet.or.kr hfeld@mediaaccess.org faia@amauta.rcp.net.pe kstubbs@afilias.info philg@grabensee.com bruce.tonkin@melbourneit.com.au jse@adamspat.com Laurence_Djolakian@mpaa.org ellen@ellenshankman.com
participants (5)
- Berislav Todorovic
- Daniel Karrenberg
- Jim Fleming
- Jim Reid
- Stephane Bortzmeyer