North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
RE: How common is lack of DNS server diversity?
<Root server> ::= Any DNS server that has final authority for a <domain tier/level>; <domain tier/level> ::= root, TLD, SLD, 3LD, ... nLD (0LD, 1LD, 2LD, ... ,nLD). This is not to be confused with root level servers that have specific authority for dot, at the root level (0LD). One thing missing from the RFC specs for authoritative name servers, which Kashpureff demonstrated so nicely, cache poisoning is possible at ALL levels. Ergo, I thought that it was determined as best practice that; Name Servers that were offered up, as references, should be root for that level. That is, they should be non-recursive. This includes all NS references in all zone files. What should occur is that an org setup zone level roots and then use separate resolving servers for client access to the DNS. This is a two-tier structure with the primary tier being non-resursive. Ergo, within a <domain tier> there are operational tiers for root services and resolving services, per zone authority. RFC2870 only discusses this at the 0LD and only touches it lightly at other LDs. Another thing missing is a further definition of <authoritative>. Some of us have been working with the following; <Authoritative servers> ::= <zone authority>|<domain level authority>|<authoritative resolvers> <zone authority> ::= Final authority for a zone, non recursive. <domain level authority> ::= Final authority for a DL, non recursive (ie a.root-servers.net, gtld-servers.net, etc). <authoritative resolvers> ::= recursive servers, intended for use by clients, that claim authority for their specific zones. These include stub-resolvers. BTW, I consider RFC2870 antiquated, because it presupposes an architecture which may be outmoded or becoming outmoded rapidly. Load balancing and clustering technology makes RFC2870 an unnecessary waste of resources and can even get you into trouble. Yes, some of this is from work done on the ORSC roots. Yes, one of the largest problems we have had to overcome, at ORSC, IFWP, and ICANN/DNSO discussions, were semantic problems caused by overly simplistic and generic semantics. This in some part, explains why MSFT had to develop their own semantics, the current semantics are inadequate. As we all should know, semantics constrains design concepts. However, in such a case, designers will create their own semantics to route around the problem. This happened at MSFT, ORSC, and other places that didn't join/agree/submit to namedroppers. -- ROELAND M.J. MEYER Information Technology Architect Morgan Hill Software Company, Inc. TEL: +001 925 373 3954 FAX: +001 925 373 9781 http://www.mhsc.com mailto: email@example.com > -----Original Message----- > From: firstname.lastname@example.org > [mailto:email@example.com] > Sent: Saturday, January 27, 2001 12:51 PM > To: firstname.lastname@example.org > Cc: email@example.com; firstname.lastname@example.org; email@example.com > Subject: Re: How common is lack of DNS server diversity? > > > > > > > More interestingly, how many root servers allow > recursive lookup? > > > > > > a quick looping probe shows that none of them do, nor the > gTLD servers > > > (phew!) although L.ROOT-SERVERS.NET and H.GTLD-SERVERS.NET > > > are unreachable > > > from my view. Preparing an accurate list of all TLD servers > > > glued in the > > > root zone will take a little longer. > > > > I was taking about root servers at ALL levels, not just the root. > > > > Perhaps you are using the term "root servers" in a different > manner than I am used to. For me: > > "Root Server" = a DNS server for the zone "." in the Internet. > > What do you mean by "root servers at ALL levels, not > just the root." > That construction just does not parse. > > --bill >