Re: [sig-dns]progressing the APNIC Lame DNS sweep proposal
I would like to re-present my proposal here shortly, as four parts. The goal
would be to converge on a proposal for re-presentation at the next APNIC meeting
in Seoul.

I think I should break the proposal into four substantive parts.

Firstly, a definition of lameness, which identifies criteria under which APNIC
specifically (but hopefully any registry with duty of care over a sub-tree of
the DNS) can apply tests, and for stated tests, if persistently failing, de-list
the domain. I think this is what interests most of the other registries in this
process, and is work which would lead into dnsops WG in IETF.

Secondly, a process for APNIC staff to escalate reports on these tests, which
include specific time periods, to lead to a deadline for de-listing. This
process is very likely to reflect ARIN processes. This part of the proposal is
likely to be more APNIC specific than the first part. The process for
communication and escalation is separated from the definition of lameness tests
to permit process-centric changes to be made independently.

Thirdly, a definition of the time periods. This is separated, so that if the
time periods are too draconian, they can be changed independently. They are
likely to reflect the ARIN process times.

Lastly, the table of lameness definitions, identifying which criteria are to be
acted on in de-listing. I expect us to be able to define some tests of lameness
which include measures we are confident are 'lame' but are not serious enough,
or reliable/deterministic, to act on. The APNIC sweep is going to need to use
only the criteria which are more deterministic.

I hope that each part can be explored separately, so we can continue the policy
process in parallel with any emerging lame definition exercise.

Because I'm in transit shortly, I can't post these parts here until early next
week. But in the meantime, I think the questions about lameness definitions
being raised here are really good.

The tests might be "if more than 50% lame in time period <x>"
or "if more than 30% of the listed NS are unavailable for time <y>"
so there is scope in this model for having a test which is deterministic but
testing indeterminate, or non-persistent behaviour.

Personally, I think fully lame (all NS unreachable) is the way to go. But,
others have made a very compelling case for taking another tack. I know many of
you don't trust a single-point measure of unreachable-ness, but if APNIC is not
able to reach the NS at time of registration, the domain entry is refused
anyway. Therefore, in the current domain creation process, reachability to APNIC
is a pre-requirement in the current operating processes.

Also, if listed NS are consistently unreachable for 60 days, as proposed, I
think this goes beyond a transitional routing instability.

Lastly, I believe that knocking off the unreachables is a sweet-spot in terms of
BOTH improving end-user behavior (faster NXDOMAIN resolution leads to faster
end-to-end DNS process convergence for a given client Internet exchange) and
improvements for the roots, and near-roots taking bogus DNS requests.

Some people were discussing aspects of Lameness on a cc-list before the sig-dns
wakeup call. I think it would be very interesting for sig-dns participants if
some of that was re-visited here.

cheers
-George

On Tue, 29 Apr 2003 10:24:25 -0400 Joe Abley <jabley@isc.org> wrote:
> Hi Ed!
>
> On Tuesday, Apr 29, 2003, at 09:25 Canada/Eastern, Edward Lewis wrote:
>
> > First question I use: is the effort to reduce lameness targeting to
> > reduce the load on the infrastructure servers (root, TLDs, etc.) or to
> > make the overall DNS function better?
>
> The goals in George's document are to reduce the load on the root
> nameservers, and on other nameservers near the root in the delegation
> path for in-addr.arpa and ip6.arpa, and also to improve performance for
> resolvers looking things up under those domains.
>
> He suggests that both these goals can be accommodated by removing the
> delegation in cases where delegated nameservers are unreachable,
> thereby returning a fast NXDOMAIN to a resolver rather than waiting for
> a slow timeout from an unreachable nameserver; negative response
> caching should reduce the query load on the roots.
>
> This is based on a single "lameness" criterion of "delegated nameserver
> is unreachable".
>
> Your phrase "make the overall DNS function better" sounds like George's
> goal, but it also has connotations of "make the overall DNS more
> accurate". If accuracy is our goal, then we might reasonably extend
> George's "lameness" criterion to include nameservers which return
> inappropriate information (e.g. they send NXDOMAIN in response to an
> SOA query for a zone they should report authoritatively for).
>
> > By 'a delegation' do you mean that which is represented by the NS RR
> > set for a child zone registered at the parent? (As opposed to being
> > an individual NS RR, an address off an NS RR, or even the
> > authoritative set of servers at the child.)
>
> Yes.
>
> >> Opinions from the list on these two questions would be very good to
> >> hear.
> >
> > Remember, Joe, "vengeful." ;)
>
> I am quaking with fear :-)
>
>
> Joe
--
George Michaelson | APNIC
Email: ggm@apnic.net | PO Box 2131 Milton QLD 4064
Phone: +61 7 3367 0490 | Australia
Fax: +61 7 3367 0482 | http://www.apnic.net
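
The persistence tests discussed in this message ("fully lame" for 60 days versus "more than 30% of the listed NS unavailable"), worked through as an added example that is not part of the original post or of any APNIC tooling. The probe histories, host names, the one-result-per-NS-per-day model and the rule that a day with a missing measurement breaks a run are all assumptions made for illustration.

```python
from datetime import date, timedelta

def lame_fraction(probes, day):
    """Share of the listed NS unreachable on `day`; None if any NS was not measured."""
    results = [history.get(day) for history in probes.values()]
    if None in results:
        return None  # assumption: a measurement gap is never counted as lameness
    return results.count(False) / len(results)

def longest_lame_run(probes, start, days, is_lame):
    """Longest run of consecutive days on which the delegation meets `is_lame`."""
    best = run = 0
    for offset in range(days):
        frac = lame_fraction(probes, start + timedelta(days=offset))
        run = run + 1 if frac is not None and is_lame(frac) else 0
        best = max(best, run)
    return best

def fails_test(probes, start, days, is_lame, period_days=60):
    """True if the criterion held for `period_days` consecutive days (60 as proposed)."""
    return longest_lame_run(probes, start, days, is_lame) >= period_days

def fully_lame(frac):        # all listed NS unreachable
    return frac == 1.0

def over_30_percent(frac):   # "more than 30% of the listed NS are unavailable"
    return frac > 0.30

START = date(2003, 3, 1)

def history(up_offsets=(), missing_offsets=(), days=70):
    """Constructed probe history: {day: reachable?}, unreachable unless listed as up."""
    return {START + timedelta(days=o): o in up_offsets
            for o in range(days) if o not in missing_offsets}

# Constructed delegations (NS names are placeholders).
DEAD = {"ns1.example.net": history(), "ns2.example.net": history()}
FLAKY = {"ns1.example.net": history(),
         "ns2.example.net": history(up_offsets={40}),  # answered once, on day 40
         "ns3.example.net": history()}
GAPPY = {"ns1.example.net": history(missing_offsets={30})}  # registry missed day 30

if __name__ == "__main__":
    for name, probes in (("DEAD", DEAD), ("FLAKY", FLAKY), ("GAPPY", GAPPY)):
        print(name,
              "fully-lame:", fails_test(probes, START, 70, fully_lame),
              "over-30%:", fails_test(probes, START, 70, over_30_percent))
```

A single answer from one NS on day 40 is enough to keep the FLAKY delegation listed under the fully-lame criterion, while the 30% criterion still flags it, which is the trade-off between the two kinds of test.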