nanog mailing list archives

Re: QWEST.NET can you fix your nameservers


From: Mark Andrews <marka () isc org>
Date: Fri, 16 Sep 2016 07:45:58 +1000


In message <CAP-guGWoytsYy=2taiQxcTB3doYS+T+A1nqfi0_asjXfip3c=w () mail gmail com>, William Herrin writes:
On Thu, Sep 15, 2016 at 12:22 PM, Aaron C. de Bruyn <aaron () heyaaron com> wrote:
On Thu, Sep 15, 2016 at 12:31 AM, Mark Andrews <marka () isc org> wrote:
QWEST isn't the only DNS provider that has broken nameservers.  One
shouldn't have to try and contact every DNS operator to get them to
use protocol compliant servers.

Save yourself some time.  Contact the DNS software vendors. ;)

I'd bet he already has. This looks like a name-and-shame to me, and
probably deserved.

-Bill

Aaron,
       How am I supposed to know which DNS vendor to contact?  DNS
server fingerprinting is not an exact science.  After that I then
still need to work out how to contact every operator of a broken
server and get them to contact the DNS vendor to get a fix.  And
by the way the SOA RNAME is often a blackhole or it bounces or it
is syntactically invalid.

The best way to get this fixed would be for nameservers to be checked
for protocol compliance, by the parent zone operators or their
proxies regularly.  That the child zone operator be given a short
period (< 3 months) to fix it, then all zones with that server get removed
from the parent zone until the server is fixed (apply the final
step in the complaints procedures from RFC 1033) which forces the
owner of the zone to fix the server or to move to someone who follows
the protocol.  The servers for new delegations be checked immediately
and the delegation not proceed unless the delegated servers are
protocol compliant.

Everybody seems to think they know how to write a DNS server.  The
problem is that most people don't test anything other than simple
queries and that includes many of the DNS vendors.  Think about all
the load balancer vendors that don't handle anything but an A query,
or only handle A and AAAA queries and don't handle DNSKEY queries.
There really is no excuse to not handle non-meta qtypes properly
(no error not data or name error depending upon whether the name
exists or not).

My bet is the DNS vendor has issued an update already and that it
hasn't been applied.  If not Qwest can inform them that their product
is broken.  Fixing this should be about 10 minutes for the DNS
vendor then QA.

If you (collectively) haven't already checked your servers go to
https://ednscomp.isc.org and check your servers.  While you are
there look at some of the reports.

If there are any tech reporters out there, can you report on the
issue of non-compliance in DNS servers and that it can lead to
lookups failing.  This issue affects everybody.

Mark

-- 
William Herrin ................ herrin () dirtside com  bill () herrin us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
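An added example, not part of the thread and not ISC's ednscomp tooling: a minimal probe in the spirit of the compliance check Mark describes. It builds a query for an unusual qtype (DNSKEY), reduces the reply to the three outcomes a compliant server may give (answer, NOERROR with no data, NXDOMAIN), and flags anything else as broken. The `fake_response` helper and the sample RCODEs are constructed for offline use; `udp_probe` is what you would run against your own servers.

```python
import socket
import struct

# RCODEs from RFC 1035 (the subset this checker interprets) and the qtype probed.
NOERROR, NXDOMAIN = 0, 3
DNSKEY = 48   # the non-meta qtype the post singles out as commonly mishandled

def build_query(qname, qtype, qid=0x1234):
    """Encode a minimal RFC 1035 query (class IN, RD=1) for qname/qtype."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(response):
    """Reduce a reply to 'answer', 'nodata', 'nxdomain' or 'broken:<why>'.
    Only the 12-byte header is read; ANCOUNT separates answer from no data."""
    if response is None:
        return "broken:timeout"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        return "broken:qr-not-set"
    rcode = flags & 0x000F
    if rcode == NOERROR:
        return "answer" if ancount else "nodata"
    if rcode == NXDOMAIN:
        return "nxdomain"
    return "broken:rcode%d" % rcode   # FORMERR, SERVFAIL, NOTIMP, REFUSED, ...

def compliant(baseline, probe):
    """Compliant if the unusual-qtype reply agrees with the baseline A reply on
    whether the name exists: NOERROR (with or without data) for an existing
    name, NXDOMAIN for a missing one."""
    if baseline == "nxdomain":
        return probe == "nxdomain"
    return baseline in ("answer", "nodata") and probe in ("answer", "nodata")

def fake_response(rcode, ancount, qid=0x1234):
    """Constructed response header (QR, RD, RA set) for offline examples."""
    return struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, ancount, 0, 0)

def udp_probe(server, qname, qtype, timeout=2.0):
    """Send one query over UDP to server:53; return the raw reply or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None
```

A server that answers the A baseline but returns NOTIMP, REFUSED, FORMERR or silence for the DNSKEY probe is the case the post complains about; a real check also needs the EDNS and TCP tests that ednscomp performs.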

