Title: Implementation of ARIN's Lame DNS Delegation Policy
- Edward Lewis
- Research Engineer
- ARIN
- edlewis_at_arin.net

Abstract
- The membership of ARIN has approved a policy to curb lame delegations
- The staff is implementing it and has already seen a reduction
- This presentation will outline the policy, results, and how ARIN is interacting with registrants and registries

Background
- MAR 2002 Proposed on ARIN ppml (list)
- APR 2002 Discussion at ARIN IX
- JUN 2002 Measured extent of problem
- SUM 2002 Discussion on email lists
- OCT 2002 Discussion at ARIN X
- NOV 2002 Policy adopted
- DEC 2002 Implementation activity begins

Policy Summary
Four Phases
- Test
  - Identify Lame Delegation
- Attempt Contact
  - E-mail the network POC
  - If No Contact Proceed to Next Step
  - E-mail the ASN POC
  - If No Contact Proceed to Next Step
  - Telephone the network or ASN POC
  - If No Contact Proceed to Next Step
  - Postal Mail the network or ASN POC
  - If No Contact Proceed to Next Step
- Evaluate
  - Wait 30 Days
  - Delegation Declared Lame
- Remove Delegation
  - Update Record
    - Remove NS Delegations
    - Update WHOIS Record
      - Delegation Determined to be Lame
      - Evaluation Date of the Lame Delegation
      - Contact has been Attempted Unsuccessfully
      - Date Record Updated

Lame Delegation Test
- Query for SOA record of zone
- Try all IP addresses for each server of zone
- In response, flag as lame if
  - No Authoritative Answer (AA) bit set
  - AA bit set, but an empty answer section
  - AA bit set, but answer is not an SOA record

What is Not Flagged
- Not flagged as lame in this round of testing
  - No IP address for name server
  - No answer from server
- This will be flagged in the future
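
The test on the "Lame Delegation Test" slide and the exceptions on the "What is Not Flagged" slide, as an added Python example (not ARIN's tool and not code from the presentation): it classifies raw DNS replies to an SOA query. The function names, result strings, sample zone and server names are assumptions, and "answer is not an SOA record" is read here as "no SOA record anywhere in the answer section".

```python
import struct

SOA, CNAME = 6, 5                               # RR type codes (RFC 1035)

def skip_name(msg, off):
    """Return the offset just past the domain name that starts at off."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # ordinary label: step over it
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)          # pointer = 2 bytes, root label = 1

def classify(reply):
    """Apply the lame test to one server address's raw reply to an SOA query."""
    if reply is None:
        return "not flagged: no answer"          # left for a later round of testing
    _, flags, qd, an, _, _ = struct.unpack("!6H", reply[:12])
    if not flags & 0x0400:                       # AA is bit 10 of the flags word
        return "lame: AA bit not set"
    if an == 0:
        return "lame: empty answer section"
    off = 12
    for _ in range(qd):
        off = skip_name(reply, off) + 4          # skip QNAME, QTYPE, QCLASS
    for _ in range(an):                          # walk the answer section
        off = skip_name(reply, off)
        rrtype, _, _, rdlen = struct.unpack("!2HIH", reply[off:off + 10])
        if rrtype == SOA:
            return "ok"
        off += 10 + rdlen
    return "lame: answer is not an SOA record"

def check_zone(servers):
    """servers: {ns_name: {ip: reply_or_None}}; every address of every server is tried."""
    out = {ns: "not flagged: no IP address" for ns, a in servers.items() if not a}
    for ns, addrs in servers.items():
        for ip, reply in addrs.items():
            out[f"{ns}/{ip}"] = classify(reply)
    return out

def make_reply(zone, aa, answers):
    """Build a constructed reply to an SOA query (sample data, not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in zone.split(".")) + b"\0"
    msg = struct.pack("!6H", 1, 0x8000 | (aa << 10), 1, len(answers), 0, 0) + qname
    msg += struct.pack("!2H", SOA, 1)
    for rrtype, rdata in answers:                # owner name points back at the question
        msg += b"\xc0\x0c" + struct.pack("!2HIH", rrtype, 1, 3600, len(rdata)) + rdata
    return msg

# Constructed sample: authoritative reply with an SOA (RDATA is filler, skipped by length).
GOOD = make_reply("2.0.192.in-addr.arpa", True, [(SOA, bytes(22))])
```
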

Timeline
- Notify Autonomous System POC

Zone Results
bounce!

Server Results
- 13 Feb findings, percentage of servers
  - 77% not flagged as lame (good OR no address/answer)
  - 19% Authoritative Answer bit set to 0
  - 4% with empty answer section
  - <1% with a non-SOA answer (CNAME)

Notification Results
- 3rd Notice - approx. 150 calls in first few days

Help Desk Actions
- Determine the problem/exact question
- Use Lame tool, BIND's dig tool
- Review results with registrant
- Explain expected results
- Walk through steps to correct ARIN DB entry
- Refer registrant for further assistance
  - Their local support
  - Vendor of their name server
  - BIND documentation (if using a BIND server)

Observations
- People are interested
- Want to correct problem
- Want to know what this is about
- Based on feedback from community
- http://www.arin.net/registration/lame_delegations/index.html
- This will be a deliberate process

Next Steps
- Continue notification as per policy
- Update database information
- Continue testing for lameness
- Identify engineering issues with testing
- Identify implementation issues
- Share experiences with other registries

Email Addresses
- Discussions of lame delegations are happening in other regions too
- APNIC SIG on DNS issues
  - <sig-dns.lists.apnic.net>
- RIPE DNS Working Group
  - <dns-wg.ripe.net>
- Tool-specific mailing lists
- My address: edlewis_at_arin.net

Thank You