in-addr.arpa zone data in RIPE database
Folks, since we have observed many inconsistencies between the RIPE database and the DNS regarding reverse mapping zones in in-addr.arpa we have developed a little checking script. The current output can be found in ftp.ripe.net:ripe/ripe-op/in-addr.check It lists all networks for which discrepancies have been detected as follows: First the RIPE database entry in short format: *in: 128.131.0.0 *na: TUNET-F *de: LAN Technical University of Vienna *cy: AT *ac: Johannes Demel *tc: Johannes Demel *co: LOCAL *as: 697 *rz: tunamea.tuwien.ac.at tunameb.tuwien.ac.at *ch: demel@noc.tuwien.ac.at 930202 *so: RIPE Then a list of all reverse servers as listed in the database: DB servers: tunamea.tuwien.ac.at tunameb.tuwien.ac.at Then a list of all reverse servers found in the DNS: DNS servers: Then a diagnostic each server which has something wrong: tunamea.tuwien.ac.at: only in DB and not reverse server for 128.131.0.0! tunameb.tuwien.ac.at: only in DB and not reverse server for 128.131.0.0! Then a list of suggested actions to resolve the inconsistency: DB remove 128.131.0.0: tunamea.tuwien.ac.at tunameb.tuwien.ac.at Note that the recommended actions are not the only way to resolve the problem. In the example above one could also set up the name servers and register them in the DNS. The script tries the shortes path. Please go through the list and see wether any of your nets needs action. Questions: Should we automatically make the suggested changes in the RIPE database? Or should we send mail to the technical contacts asking them to change things? We have asked the NIC accept change notices from us, so that registration of reverse servers in the database would be enough to get them into the DNS. Is this desirable? Daniel By way of example here is the start of the current file: *in: 128.131.0.0 *na: TUNET-F *de: LAN Technical University of Vienna *cy: AT *ac: Johannes Demel *tc: Johannes Demel *co: LOCAL *as: 697 *rz: tunamea.tuwien.ac.at tunameb.tuwien.ac.at *ch: demel@noc.tuwien.ac.at 930202 *so: RIPE DB servers: tunamea.tuwien.ac.at tunameb.tuwien.ac.at DNS servers: tunamea.tuwien.ac.at: is only in DB and is not reverse server for 128.131.0.0! tunameb.tuwien.ac.at: is only in DB and is not reverse server for 128.131.0.0! DB remove 128.131.0.0: tunamea.tuwien.ac.at tunameb.tuwien.ac.at *in: 129.177.0.0 *na: BERGEN-NET *de: Bergen University, Norway *cy: NO *ac: Kenneth Hostland *tc: Kenneth Hostland *co: NORDU RIPE NSF *as: 224 *gw: kth *rz: alf.uib.no eik.ii.uib.no aun.uninet.no *ch: ripe-dbm@ripe.net 920914 *so: RIPE DB servers: alf.uib.no aun.uninet.no eik.ii.uib.no DNS servers: alf.uib.no aun.uninett.no eik.ii.uib.no aun.uninet.no: is only in DB and does not exist! aun.uninett.no: is only in DNS and is OK DB add 129.177.0.0: aun.uninett.no DB remove 129.177.0.0: aun.uninet.no note: obiously a spelling error in the database *in: 129.206.0.0 *na: HD-NET *de: University of Heidelberg *de: BelWue *cy: DE *ac: Michael Hebgen *tc: Lothar Binding *tc: Peter Merdian *co: RIPE NSF WIN *rl: HEPNET *bl: DESY *as: 553 *gw: crn *rz: sun0.URZ.Uni-Heidelberg.DE sun1.URZ.Uni-Heidelberg.DE noc.BelWue.DE ns.Germany.EU.net deins.Informatik.Uni-Dortmund.DE *ch: rv@Informatik.Uni-Dortmund.DE 920530 *ch: ar@deins.Informatik.Uni-Dortmund.DE 920601 *ch: ripe-dbm@ripe.net 920602 *so: RIPE DB servers: deins.informatik.uni-dortmund.de noc.belwue.de ns.germany.eu.net sun0.urz.uni-heidelberg.de sun1.urz.uni-heidelberg.de DNS servers: sun0.urz.uni-heidelberg.de sun1.urz.uni-heidelberg.de deins.informatik.uni-dortmund.de: is only in DB and is OK noc.belwue.de: is only in DB and is OK ns.germany.eu.net: is only in DB and is OK DNS add 129.206.0.0: deins.informatik.uni-dortmund.de noc.belwue.de ns.germany.eu.net note: the DNS is missing some servers *in: 130.37.0.0 *na: VU-NET *de: Vrije Universiteit Amsterdam *de: Amsterdam *cy: NL *ac: Jacques Schuurman *tc: Jacques Schuurman *co: RIPE NSF SARA SURF *gw: cwi *rz: ohrid.cca.vu.nl *rz: star.cs.vu.nl *ch: dfk@cwi.nl 900802 *ch: Erik-Jan.Bos@surfnet.nl 920708 *ch: Erik-Jan.Bos@surfnet.nl 920708 *ch: ripe-dbm@ripe.net 920708 *ch: martijn@nluug.nl 921110 *so: RIPE DB servers: ohrid.cca.vu.nl star.cs.vu.nl DNS servers: hardy.nat.vu.nl ohrid.cca.vu.nl star.cs.vu.nl hardy.nat.vu.nl: is only in DNS and is OK DB add 130.37.0.0: hardy.nat.vu.nl *in: 130.192.0.0 *na: TORINO-IT-LAN *de: Politecnico di Torino *de: CISIP *cy: IT *ac: Silvano Gai *tc: Antonio Lioy *co: GARR *as: 137 *rz: 130.192.2.91 leonardo.polito.it *rz: 130.192.2.117 galileo.polito.it *rz: 130.192.3.1 ercole.polito.it *rz: 192.12.192.5 dns.nis.garr.it *rm: LAN's and MAN connecting University departments and *rm: research institutes located in or near Torino *rm: fully managed *ch: ip-reg@nis.garr.it 930115 *so: RIPE DB servers: dns.nis.garr.it ercole.polito.it galileo.polito.it jolly.nis.garr.it leonardo.polito.it DNS servers: dns.nis.garr.it ercole.polito.it galileo.polito.it leonardo.polito.it jolly.nis.garr.it: is only in DB and is OK DNS add 130.192.0.0: jolly.nis.garr.it note: the addresses in the database are not conforming to the database format, but the script resolves them and deletes duplicate entries *in: 130.231.0.0 *na: OUNET *de: University Ethernet network *de: Oulu University *de: Oulu *cy: FI *ac: Kaisu Ranta *tc: Raimo Salo *co: NORDU RIPE NSF FUNET *as: 1741 *rz: ousrvr.oulu.fi *ch: lk-kr@finou.oulu.fi 930119 *so: RIPE DB servers: ousrvr.oulu.fi DNS servers: hydra.helsinki.fi ousrvr.oulu.fi hydra.helsinki.fi: is only in DNS and is OK DB add 130.231.0.0: hydra.helsinki.fi *in: 130.251.0.0 *na: GENUANET *de: Universita' degli Studi di Genova *cy: IT *ac: Pier Paolo Puliafito *tc: Tiziana Podesta' *co: GARR *as: 137 *rz: 192.148.193.8 sun.cisi.unige.it SUN UNIX *rz: 130.251.1.4 dist.dist.unige.it SUN UNIX *rm: Multiple interconnected LANs of academic institutes *rm: located in Genoa *ch: ip-reg@nis.garr.it 930210 *so: RIPE DB servers: dist.dist.unige.it sun sun.cisi.unige.it unix DNS servers: carla.dist.unige.it dist.dist.unige.it nameserver.cnr.it carla.dist.unige.it: is only in DNS and is not responding! nameserver.cnr.it: is only in DNS and is OK sun: is only in DB and does not exist! sun.cisi.unige.it: is only in DB and is OK unix: is only in DB and does not exist! DB add 130.251.0.0: nameserver.cnr.it DNS add 130.251.0.0: sun.cisi.unige.it DB remove 130.251.0.0: sun unix note: "interesting" syntax server data seems out of date *in: 131.114.0.0 *na: PISA-NET *de: Consiglio Nazionale delle Ricerche *de: Pisa *cy: IT *ac: Marco Sommani *tc: Vittorio Miori *co: GARR *as: 137 *rz: 192.12.192.4 nameserver.cnr.it *rz: 128.84.254.152 odin.cs.cornell.edu *rz: 131.114.1.32 itgbox.cnuce.cnr.it *rz: 192.65.81.6 ns.surfnet.nl *rz: 131.114.21.10 serra.unipi.it *rm: Multiple-Lan of CNR institutes and University departments in Pisa *rm: This net belongs to the nation-wide CNRnet, coordinated *rm: thru the cnr-core working group. CNRnet is member of GARR. *ch: ip-reg@nis.garr.it 930204 *so: RIPE DB servers: itgbox.cnuce.cnr.it nameserver.cnr.it ns.surfnet.nl odin.cs.cornell.edu serra.unipi.it survey.surfnet.nl DNS servers: itgbox.cnuce.cnr.it nameserver.cnr.it ns.surfnet.nl odin.cs.cornell.edu serra.unipi.it survey.surfnet.nl: is only in DB and is OK DNS add 131.114.0.0: survey.surfnet.nl *in: 131.155.0.0 *na: TUENET1 *de: Technische Universiteit Eindhoven *de: Eindhoven *cy: NL *ac: Joop Schillemans *tc: Joep Brand *co: RIPE NSF SURF *ni: 1=590 *rz: tuegate.tue.nl *ch: piet@cwi.nl 910501 *so: RIPE DB servers: tuegate.tue.nl DNS servers: rc6.urc.tue.nl tuegate.tue.nl rc6.urc.tue.nl: is only in DNS and is OK DB add 131.155.0.0: rc6.urc.tue.nl *in: 131.174.0.0 *na: NUNET *de: Universiteit Nijmegen *de: Nijmegen *cy: NL *ac: Jos Alsters *ac: Peter van Campen *tc: Jos Alsters *tc: Peter van Campen *co: RIPE NSF SURF *ni: 1=590 *rz: wn1.sci.kun.nl *rz: wn3.sci.kun.nl *ch: piet@cwi.nl 910501 *so: RIPE DB servers: wn1.sci.kun.nl wn3.sci.kun.nl DNS servers: wn0.sci.kun.nl wn3.sci.kun.nl wn0.sci.kun.nl: is only in DNS and is OK wn1.sci.kun.nl: is only in DB and does not exist! DB add 131.174.0.0: wn0.sci.kun.nl DB remove 131.174.0.0: wn1.sci.kun.nl *in: 131.211.0.0 *na: RUUNET *de: Universiteit Utrecht *de: Utrecht *cy: NL *ac: Dre Hopmans *tc: Dre Hopmans *co: RIPE NSF SURF *ni: 1=590 *rz: accucx.cc.ruu.nl *rz: praxis.cs.ruu.nl *ch: piet@cwi.nl 910501 *so: RIPE DB servers: accucx.cc.ruu.nl praxis.cs.ruu.nl DNS servers: accucx.cc.ruu.nl infix.cs.ruu.nl kali.cc.ruu.nl infix.cs.ruu.nl: is only in DNS and is OK kali.cc.ruu.nl: is only in DNS and is OK praxis.cs.ruu.nl: is only in DB and is not responding! DB add 131.211.0.0: infix.cs.ruu.nl kali.cc.ruu.nl
Questions: Should we automatically make the suggested changes in the RIPE database? No. Or should we send mail to the technical contacts asking them to change things? Yes. We have asked the NIC accept change notices from us, so that registration of reverse servers in the database would be enough to get them into the DNS. Is this desirable? NO!! These actions would bring RIPE on the edge of interfering with the responsabilities of the authoritative persons for a given zone, be it for "forward" or reverse mapping. The best RIPE can do is to send a notification to the authority of a given zone in case of obvious *errors*, NOT if servers are missing in the DB, since there may be good reason why they are "missing". Suppose I would be in foo.XX and I would have a large network with, say, 10 internal and 2 external nameservers for my domain; if I would loose connectivity to the outside world, those 10 internal nameservers would be unreachable and it would be pointless to have nameservers all over the Internet try to query them all. Therefore I would have only, say, 2 internal and the 2 external servers listed for foo.XX in the XX zone file and in the RIPE DB and I would absolutely not appreciate it if RIPE would send me time and again a notification that there are more servers for foo.XX than actually listed in the XX zone or the DB. Piet
Questions: Should we automatically make the suggested changes in the RIPE database? No.
I agree because there could be some cases which are not properly detected by the automated scripts or other cases where a dns-manager is voluntarily keeping things disalligned
Or should we send mail to the technical contacts asking them to change things? Yes.
I agree because many dns-managers do not even know of their registration problems.
We have asked the NIC accept change notices from us, so that registration of reverse servers in the database would be enough to get them into the DNS. Is this desirable? NO!!
I do not agree, I think it would be very useful to the European networking community to interact with RIPE-NCC only instead of having to interact with both RIPE-NCC and the US NIC I don't see the point in what Piet says:
These actions would bring RIPE on the edge of interfering with the responsabilities of the authoritative persons for a given zone, be it for "forward" or reverse mapping. The best RIPE can do is to send a notification to the authority of a given zone in case of obvious *errors*, NOT if servers are missing in the DB, since there may be good reason why they are "missing". Suppose I would be in foo.XX and I would have a large network with, say, 10 internal and 2 external nameservers for my domain; if I would loose connectivity to the outside world, those 10 internal nameservers would be unreachable and it would be pointless to have nameservers all over the Internet try to query them all. Therefore I would have only, say, 2 internal and the 2 external servers listed for foo.XX in the XX zone file and in the RIPE DB and I would absolutely not appreciate it if RIPE would send me time and again a notification that there are more servers for foo.XX than actually listed in the XX zone or the DB.
If you "have only, say, 2 internal and the 2 external servers listed for foo.XX in the XX zone file" how could the RIPE-NCC script discover the other 8 internal servers? Looking in glass ball? ---------- ---------- Antonio_Blasco Bonito E-Mail: bonito@nis.garr.it GARR - Network Information Service c=it;a=garr;p=garr;o=nis;s=bonito c/o CNUCE - Istituto del CNR Tel: +39 (50) 593246 Via S. Maria, 36 Telex: 500371 CNUCE I 56126 PISA Italy Fax: +39 (50) 904052 ---------- ----------
> > We have asked the NIC accept change notices from us, so tha t > registration of reverse servers in the database would be > enough to get them into the DNS. Is this desirable? > NO!! I do not agree, I think it would be very useful to the European networking community to interact with RIPE-NCC only instead of having to interact with both RIPE-NCC and the US NIC Interaction is fine. But RIPE stepping into someone else's authority is quite something different! I don't see the point in what Piet says: ..... If you "have only, say, 2 internal and the 2 external servers listed for foo.XX in the XX zone file" how could the RIPE-NCC script discover the other 8 internal servers? Looking in glass ball? Reread the original message: it explicitly contained a sentence: Then a list of all reverse servers found in the DNS: which implies that DNS is queried to find all (in this case reverse) nameservers. How that's done is irrelevant. Piet
> > We have asked the NIC accept change notices from us, so tha t > registration of reverse servers in the database would be > enough to get them into the DNS. Is this desirable? > NO!! I do not agree, I think it would be very useful to the European networking community to interact with RIPE-NCC only instead of having to interact with both RIPE-NCC and the US NIC Interaction is fine. But RIPE stepping into someone else's authority is quite something different!
I don't see any problem with that as long as we (european networking people) agree to send update to the RIPE-NCC instead of sending them to the NIC. This is exactly what we already do when registering new networks. Is there anybody who liked more the previous situation (having to wait many days, frequent errors in the database, etc) than the present one? I don't see any difference between registering a new network and registrering inverse nameservers for a network. I only need a place where to send my updates that can guarantee that they are put in the proper servers...
I don't see the point in what Piet says: ..... If you "have only, say, 2 internal and the 2 external servers listed for foo.XX in the XX zone file" how could the RIPE-NCC script discover the other 8 internal servers? Looking in glass ball? Reread the original message: it explicitly contained a sentence: Then a list of all reverse servers found in the DNS: which implies that DNS is queried to find all (in this case reverse) nameservers. How that's done is irrelevant.
If you do not list server in the authoritative zone file they ARE NOT FOUND in the DNS. In fact it makes no sense to list Internet unreachable servers in a zone file which is exported to the world by an Internet connected server ---------- ---------- Antonio_Blasco Bonito E-Mail: bonito@nis.garr.it GARR - Network Information Service c=it;a=garr;p=garr;o=nis;s=bonito c/o CNUCE - Istituto del CNR Tel: +39 (50) 593246 Via S. Maria, 36 Telex: 500371 CNUCE I 56126 PISA Italy Fax: +39 (50) 904052 ---------- ----------
Interaction is fine. But RIPE stepping into someone else's authority is quite something different! I don't see any problem with that as long as we (european networking people) agree to send update to the RIPE-NCC instead of sending them to the NIC. RIPE-DB and DNS are entirely different objects. I would like RIPE to notify me *in some cases* about discrepancies between my entries in the RIPE-DB and my DNS entries, but I do *NOT* want RIPE to step into my authority by asking or telling the NIC to change *MY* DNS info because they found discrepancies: I may well have good reason why those discrepancies exist. Piet
Interaction is fine. But RIPE stepping into someone else's authority is quite something different! I don't see any problem with that as long as we (european networking people) agree to send update to the RIPE-NCC instead of sending them to the NIC. RIPE-DB and DNS are entirely different objects.
Yes, indeed. Nonetheless I think it would be extremely useful for network managers in Europe to send their DNS updates to the RIPE-NCC only, knowing that they interface the NIC about the DNS root servers updates. Daniel, you can poll RIPErs on this, can you?
I would like RIPE to notify me *in some cases* about discrepancies between my entries in the RIPE-DB and my DNS entries, but I do *NOT* want RIPE to step into my authority by asking or telling the NIC to change *MY* DNS info because they found discrepancies: I may well have good reason why those discrepancies exist. If someone in Europe likes to have discrepancies, for whatever reason, he can certainly tell to RIPE-NCC: please do not forward my updates to the NIC!
---------- ---------- Antonio_Blasco Bonito E-Mail: bonito@nis.garr.it GARR - Network Information Service c=it;a=garr;p=garr;o=nis;s=bonito c/o CNUCE - Istituto del CNR Tel: +39 (50) 593246 Via S. Maria, 36 Telex: 500371 CNUCE I 56126 PISA Italy Fax: +39 (50) 904052 ---------- ----------
Hi, I think that the current apparent disagreement between Piet Beertema and Antonio Blasco Bonito is no real disagreement. What I think Piet objects to, is that the RIPE NCC, after querying the DNS (which in far, far too many cases is misconfigured), would take the results and automatically 1) carry out a database update in the RIPE DB 2) forward a change request to the US NIC on the basis of the DNS information I fully agree with Piet that this is a bad idea. Nevertheless, I think it is a good idea to sometimes carry out a "consistency check" between what is in the RIPE database and what is actually registered in the DNS. In that case, it would probably be nice to register "known inconsistencies" (in the vein that Piet suggested, and which is in use for eg. dec.com -- use your favourite lookup tool), so that one is not reminded of the same "error" lots of times. What I think Antonio is saying, is that it would be nice to only have to send in registration for a network to the RIPE NCC, and include the "rev-srv" attribute, and that this information could be forwarded to the US NIC for them to do the corresponding addition/change in in-addr.arpa. I also happen to agree with Antonio that this is a good idea. As for the 129.177 network, umm... :-) I'll send in an update. Regards, - Havard
What I think Piet objects to, is that the RIPE NCC, after querying the DNS (which in far, far too many cases is misconfigured), would take the results and automatically 1) carry out a database update in the RIPE DB 2) forward a change request to the US NIC on the basis of the DNS information That's indeed exactly what I'm objection to, since that comes down to RIPE stepping into the authority of the really responsible persons. Nevertheless, I think it is a good idea to sometimes carry out a "consistency check" between what is in the RIPE database and what is actually registered in the DNS. In that case, it would probably be nice to register "known inconsistencies" (in the vein that Piet suggested, and which is in use for eg. dec.com -- use your favourite lookup tool), so that one is not reminded of the same "error" lots of times. Fully agreed. What I think Antonio is saying, is that it would be nice to only have to send in registration for a network to the RIPE NCC, and include the "rev-srv" attribute, and that this information could be forwarded to the US NIC for them to do the corresponding addition/ change in in-addr.arpa. I also happen to agree with Antonio that this is a good idea. I agree that this would indeed be a good idea, on the provision that not RIPE, but the person submitting the registrations/changes is taken to be authoritative in the NIC's database. Piet
What I think Piet objects to, is that the RIPE NCC, after querying the DNS (which in far, far too many cases is misconfigured), would take the results and automatically 1) carry out a database update in the RIPE DB 2) forward a change request to the US NIC on the basis of the DNS information That's indeed exactly what I'm objection to, since that comes down to RIPE stepping into the authority of the really responsible persons.
Nevertheless, I think it is a good idea to sometimes carry out a "consistency check" between what is in the RIPE database and what is actually registered in the DNS. In that case, it would probably be nice to register "known inconsistencies" (in the vein that Piet suggested, and which is in use for eg. dec.com -- use your favourite lookup tool), so that one is not reminded of the same "error" lots of times. Fully agreed.
What I think Antonio is saying, is that it would be nice to only have to send in registration for a network to the RIPE NCC, and include the "rev-srv" attribute, and that this information could be forwarded to the US NIC for them to do the corresponding addition/ change in in-addr.arpa. I also happen to agree with Antonio that this is a good idea. I agree that this would indeed be a good idea, on the provision that not RIPE, but the person submitting the registrations/changes is taken to be authoritative in the NIC's database.
Piet
Many thanks to Havard !!! I agree on everything above. ---------- ---------- Antonio_Blasco Bonito E-Mail: bonito@nis.garr.it GARR - Network Information Service c=it;a=garr;p=garr;o=nis;s=bonito c/o CNUCE - Istituto del CNR Tel: +39 (50) 593246 Via S. Maria, 36 Telex: 500371 CNUCE I 56126 PISA Italy Fax: +39 (50) 904052 ---------- ----------
To summarise and conclude from the discussion: All comments -also the ones sent to me privately- were unanimous on this: There will be no automatic updates of the RIPE DB. If database information is believed to be inconsistent the rechnical contact persons will be notified together with suggested corrections. They can then decide whether to send in the suggested corrections. What remains open is the question on whether in-addr.arpa zone registrations should be effected automatically by registering the 'rev-srv' field in the RIPE database. I have had quite a few comments from people who want this and I personally agree it would be a nice feature. Some people actually assumed this was the way it was working already and complained that they had to register in-addr.arpa separately with the NIC! I do not see Piet's argument that this would mean a loss of authority of the network contacts. They have the same authority for changing the RIPE database than they have for changing the NIC database which then generates the in-addr.arpa zone information. Just the procedure would be different, and easier: One stop shopping with no additional cost (and no warranty of agency :-), sorry inside joke). So my proposal would be to do this in steps: First clean up the inconsistencies in the RIPE database using the procedure above. Then populate the database with the current in-addr.arpa information, notifying the tech contacts of each change. After these two steps the information in in-addr.arpa and both the NIC and RIPE databases is consistent. Then initiate changes of in-addr.arpa whenever the 'rev-srv' attribute in the RIPE DB is changed. This means the one stop shopping is effective. Until confidence is built we can notify the tech contacts whenever such a change is made. Is this acceptable? Daniel
What remains open is the question on whether in-addr.arpa zone registrations should be effected automatically by registering the 'rev-srv' field in the RIPE database. I have had quite a few comments from people who want this and I personally agree it would be a nice feature. I do not see Piet's argument that this would mean a loss of authority of the network contacts. This form of "indirect registration" would indeed not mean loss of authority. The problem remains though that separate functions - DB and DNS - become intermixed here. And then whom do you contact/tell/flame if the root servers contain wrong information? An indirect way of correcting things via submissions to the RIPE DB in my view is far from ideal, as it may well introduce unnecessary delays. And once you start doing such things for the reverse servers, the next step may well be doing the same for "forward servers"; then how can e.g. a top level domain registrar determine whether a given change is valid, e.g. comes from an authoritative person? Piet
An indirect way of correcting things via submissions to the RIPE DB in my view is far from ideal, as it may well introduce unnecessary delays.
Soon this argument will be moot for at least 193.in-addr.arpa...
And once you start doing such things for the reverse servers, the next step may well be doing the same for "forward servers"; then how can e.g. a top level domain registrar determine whether a given change is valid, e.g. comes from an authoritative person?
Call (ie. phone) the supplied administrative contact person? How do you ensure authority today? - Havard
An indirect way of correcting things via submissions to the RIPE DB in my view is far from ideal, as it may well introduce unnecessary delays. Soon this argument will be moot for at least 193.in-addr.arpa... True. Now if only the world consisted solely of 193.in-addr.arpa... ....then how can e.g. a top level domain registrar determine whether a given change is valid, e.g. comes from an authoritative person? How do you ensure authority today? By checking against my TLD admin files. Piet
What remains open is the question on whether in-addr.arpa zone registrations should be effected automatically by registering the 'rev-srv' field in the RIPE database. I have had quite a few comments from people who want this and I personally agree it would be a nice feature. I do not see Piet's argument that this would mean a loss of authority of the network contacts. This form of "indirect registration" would indeed not mean loss of authority. The problem remains though that separate functions - DB and DNS - become intermixed here. And then whom do you contact/tell/flame if the root servers contain wrong information? An indirect way of correcting things via submissions to the RIPE DB in my view is far from ideal, as it may well introduce unnecessary delays. And once you start doing such things for the reverse servers, the next step may well be doing the same for "forward servers"; then how can e.g. a top level domain registrar determine whether a given change is valid, e.g. comes from an authoritative person?
There no need to do that for forward servers because they are structured as a distributed three and the authority is delegated at each level. In practice today the US NIC does not check at all if a rev-srv change comes from an "authoritative person" because they do not check where the mail request comes from and it is practically impossible for them to pick a phone an call someone in Europe. So this is not the point. ---------- ---------- Antonio_Blasco Bonito E-Mail: bonito@nis.garr.it GARR - Network Information Service c=it;a=garr;p=garr;o=nis;s=bonito c/o CNUCE - Istituto del CNR Tel: +39 (50) 593246 Via S. Maria, 36 Telex: 500371 CNUCE I 56126 PISA Italy Fax: +39 (50) 904052 ---------- ----------
Daniel Karrenberg says:
What remains open is the question on whether in-addr.arpa zone registrations should be effected automatically by registering the 'rev-srv' field in the RIPE database. I have had quite a few comments from people who want this and I personally agree it would be a nice feature. Some people actually assumed this was the way it was working already and complained that they had to register in-addr.arpa separately with the NIC!
I do not see Piet's argument that this would mean a loss of authority of the network contacts. They have the same authority for changing the RIPE database than they have for changing the NIC database which then generates the in-addr.arpa zone information. Just the procedure would be different, and easier: One stop shopping with no additional cost (and no warranty of agency :-), sorry inside joke).
So my proposal would be to do this in steps:
First clean up the inconsistencies in the RIPE database using the procedure above.
Then populate the database with the current in-addr.arpa information, notifying the tech contacts of each change.
After these two steps the information in in-addr.arpa and both the NIC and RIPE databases is consistent.
Then initiate changes of in-addr.arpa whenever the 'rev-srv' attribute in the RIPE DB is changed. This means the one stop shopping is effective. Until confidence is built we can notify the tech contacts whenever such a change is made.
Is this acceptable?
YES, I very much agree with this plan. I have to say, commenting some other mail on the subject, that the DNS is a distributed database BUT the in-addr.arpa registration is indeed a centralized service, so I prefer very much to have the RIPE-NCC as my counterpart in this tedious matter, rather than the US NIC. The NCC has proven to much more efficient and responsive than the US NIC. Full stop. ---------- ---------- Antonio_Blasco Bonito E-Mail: bonito@nis.garr.it GARR - Network Information Service c=it;a=garr;p=garr;o=nis;s=bonito c/o CNUCE - Istituto del CNR Tel: +39 (50) 593246 Via S. Maria, 36 Telex: 500371 CNUCE I 56126 PISA Italy Fax: +39 (50) 904052 ---------- ----------
participants (5)
-
bonito@nis.garr.it -
Daniel Karrenberg -
Havard Eidnes -
Piet Beertema -
Piet.Beertema@mcsun.EU.net