Re: [DNSOP] Fwd:

Tue, 08 May 2007 07:48:53 -0700 


On 8-May-2007, at 09:59, [EMAIL PROTECTED] wrote:


On 7-May-2007, at 23:04, Mark Andrews wrote:


        You say that one should not be worried about answers from
        these servers.  This needs to be clarified to state what a
        normal answer is both for PTR QUERY and UPDATE.  NXDOMAIN and
        REFUSED respectively.  A rogue as112 operator can cause
        operational problems.
I'm not convinced that this document needs that level of detail, aimed as it is squarely at the technically uninformed. I don't have very strong feelings about *not* including text to that effect, though. Would you like to propose some words for the draft? 


        Also explain why NXDOMAIN is a harmless response to QUERY.

        There should also be some discussion as to why they should
        address their configuration problem rather than just accept
        continue to accept the answers from the as112 servers.


Section 7 ("Corrective Measures") includes this text:

   Possible measures which might be taken to prevent these queries
   include:

   1.  Stop hosts from making these reverse DNS queries in the first
       place.  In some cases servers can be configured not to perform
       reverse DNS lookups, for example.  As a general site-wide
       approach, however, this measure is frequently difficult to
       implement due to the large number of hosts and applications
       involved.

   2.  Block reverse DNS queries to the AS112 servers from leaving the
site using firewalls between the site and the Internet. Although 
       this might appear to be sensible, such a measure might have
       unintended consequences: the inability to receive an answer to
       reverse DNS queries might lead to long DNS lookup timeouts, for
       example, which could cause applications to malfunction.
3. Configure all DNS resolvers in the site to answer authoritatively 
       for the zones corresponding to the private-use address blocks in
       use.  This should prevent resolvers from ever needing to send
       these queries to the public DNS.  Guidance and recommendations
       for this aspect of resolver configuration can be found in
       [I-D.andrews-full-service-resolvers].

   4.  Implement a private AS112 node within the site.  Guidance for
       constructing an AS112 node may be found in
       [I-D.ietf-dnsop-as112-ops].
Are you disagreeing with the text above, or suggesting a different emphasis, or something else? 


Joe



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop

Reply via email to