ns1,2,3,5.dns.net.nz not being helpful
Hi all,

Anyone know why ns1 ns2 ns3 and ns5.dns.net.nz aren't giving out useful information? That's 4 of 7 primary servers for all of .nz and seems to be affecting all of the second level domains.

22:35:04 tim(a)stella ~$ for i in 1 2 3 4 5 6 7; do host -t ns dnc.net.nz ns$i.dns.net.nz;echo; done
dnc.net.nz NS record currently not present at ns1.dns.net.nz

dnc.net.nz NS record currently not present at ns2.dns.net.nz

dnc.net.nz NS record currently not present at ns3.dns.net.nz

dnc.net.nz NS ns2.actrix.co.nz
dnc.net.nz NS internetnz.net.nz
dnc.net.nz NS ns1.actrix.co.nz

dnc.net.nz NS record currently not present at ns5.dns.net.nz

dnc.net.nz NS ns2.actrix.co.nz
dnc.net.nz NS ns1.actrix.co.nz
dnc.net.nz NS internetnz.net.nz

dnc.net.nz NS internetnz.net.nz
dnc.net.nz NS ns1.actrix.co.nz
dnc.net.nz NS ns2.actrix.co.nz

22:37:40 tim(a)stella ~$

Cheers, Tim
-- 
Tim Nicholas || Cilix
Email: tim(a)nicholas.net.nz || Wellington, New Zealand
http://tim.nicholas.net.nz/ || Cell/SMS: +64 21 337 204
On 28 Sep 2004, at 06:40, Tim Nicholas wrote:
Anyone know why ns1 ns2 ns3 and ns5.dns.net.nz aren't giving out useful information?
I have no answer, but I can see similar problems. Even though all nameservers are reporting the same SOA serial, the answers are different for the question "dnc.net.nz IN NS":

[jabley(a)ganesh]% for n in 1 2 3 4 5 6 7; do
for> echo -n "ns${n}: "
for> dig @ns${n}.dns.net.nz net.nz SOA +short
for> dig @ns${n}.dns.net.nz dnc.net.nz NS +norec +short
for> done
ns1: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800 3600
ns2: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800 3600
ns3: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800 3600
ns4: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800 3600
ns2.actrix.co.nz.
internetnz.net.nz.
ns1.actrix.co.nz.
ns5: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800 3600
ns6: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800 3600
ns7: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800 3600
ns2.actrix.co.nz.
internetnz.net.nz.
ns1.actrix.co.nz.
[jabley(a)ganesh]%

I only get answers from ns4 and ns7. You got an answer from ns6, but that's quite possibly a different ns6 from the one I was using (ns5 and ns6 are anycast by UltraDNS). I'd AXFR the zones from each server and diff them, but of course I can't. Shame that. (If the poor thinking that drove that policy was removed, we might actually be able to deploy DNSSEC in New Zealand, too).

Joe
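The cross-check Tim and Joe ran by hand (same SOA serial on every server, yet different answers for the delegation) can be scripted. The following is an added example, not code from the thread: it takes per-server `dig +short` answers, compares serials and NS sets, and flags servers that report the current serial but return no (or a different) delegation. The sample answers are constructed to mirror Joe's output above rather than captured live.

```python
"""Cross-check a zone's authoritative servers for consistency.

Same SOA serial on every server should mean the same answers; a server that
reports the current serial but has no (or different) NS records for a
delegation is the anomaly seen with ns1/2/3/5.dns.net.nz in the thread.
The sample answers below are CONSTRUCTED to mirror the posted dig output.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class ServerAnswer:
    server: str          # authoritative server queried
    soa_short: str       # `dig @server zone SOA +short` output, "" if no answer
    ns_short: List[str]  # `dig @server name NS +norec +short` lines, [] if none


def soa_serial(soa_short: str) -> Optional[int]:
    """Extract the serial from a +short SOA line.

    Field order is: mname rname serial refresh retry expire minimum.
    Returns None when the line is empty or malformed.
    """
    fields = soa_short.split()
    if len(fields) != 7 or not fields[2].isdigit():
        return None
    return int(fields[2])


def normalise_names(names: List[str]) -> FrozenSet[str]:
    """Owner names compare case-insensitively; the trailing dot is presentation."""
    return frozenset(n.strip().rstrip(".").lower() for n in names if n.strip())


def check_consistency(answers: List[ServerAnswer]) -> Dict[str, object]:
    """Compare SOA serials and delegation NS sets across all servers.

    The reference NS set is the most common non-empty answer; servers that
    return nothing are 'missing', servers that return something else are
    'divergent'.  'stale_or_broken' is the condition the thread describes:
    every server claims the same serial, yet the content differs.
    """
    serials = {a.server: soa_serial(a.soa_short) for a in answers}
    ns_sets = {a.server: normalise_names(a.ns_short) for a in answers}

    answering = {s: v for s, v in ns_sets.items() if v}
    if answering:
        reference = Counter(answering.values()).most_common(1)[0][0]
    else:
        reference = frozenset()

    same_serial = len(set(serials.values())) == 1
    missing = sorted(s for s, v in ns_sets.items() if not v)
    divergent = sorted(s for s, v in answering.items() if v != reference)

    return {
        "serials": serials,
        "same_serial": same_serial,
        "reference_ns": sorted(reference),
        "missing_delegation": missing,
        "divergent_delegation": divergent,
        "stale_or_broken": same_serial and bool(missing or divergent),
    }


# Constructed sample, shaped like the answers posted in the thread.
SOA_LINE = "loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800 3600"
FULL_NS = ["ns2.actrix.co.nz.", "internetnz.net.nz.", "ns1.actrix.co.nz."]
SAMPLE = [
    ServerAnswer("ns1.dns.net.nz", SOA_LINE, []),
    ServerAnswer("ns2.dns.net.nz", SOA_LINE, []),
    ServerAnswer("ns3.dns.net.nz", SOA_LINE, []),
    ServerAnswer("ns4.dns.net.nz", SOA_LINE, FULL_NS),
    ServerAnswer("ns5.dns.net.nz", SOA_LINE, []),
    ServerAnswer("ns6.dns.net.nz", SOA_LINE, []),
    ServerAnswer("ns7.dns.net.nz", SOA_LINE, FULL_NS),
]


def report(answers: List[ServerAnswer]) -> str:
    """Human-readable summary of check_consistency()."""
    r = check_consistency(answers)
    seen = sorted({v for v in r["serials"].values() if v is not None})
    lines = [f"serials seen: {seen} (all equal: {r['same_serial']})",
             f"reference NS set: {r['reference_ns']}"]
    if r["missing_delegation"]:
        lines.append("no NS answer from: " + ", ".join(r["missing_delegation"]))
    if r["divergent_delegation"]:
        lines.append("different NS answer from: " + ", ".join(r["divergent_delegation"]))
    lines.append(f"same serial but different content: {r['stale_or_broken']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

To run it against live servers, replace the constructed SAMPLE with the actual `dig +short` output per server; the comparison logic is unchanged.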
Umm if the reply won't be off-topic, why do you think restricting access to the entire .nz zone file is a bad thing, and did you put in a submission on the recent policy review? There have been numerous examples of scammers using zone data combined with whois lookups to do mass spams and scams. Doing our bit to make this harder to do seems a good thing IMO. Yes DNSSEC is a good thing also. If I have to choose (and in fact have had to do just that) between DNSSEC and open slather on the zone file, then minimising the ability of scammers takes first priority. The last big scam using zone and whois data saw over NZ$500,000 sent to Australia. All the European ccTLDs (.uk and .de amongst others) are adamant that they also will not implement DNSSEC (as much as they would like to) unless there is a change in the protocol which won't allow people to access their zone files. I'm open for persuasion that the problems fixed by DNSSEC are a bigger threat than the scams made possible by zone access, but yet to see a convincing argument. And yes I know the zone itself doesn't give our registrants data, but it does give scammers a list of all valid entries, which makes it much much easier to get all the details through whois. DPF
-----Original Message-----
From: Joe Abley [mailto:jabley(a)isc.org]
Sent: Wednesday, 29 September 2004 3:47 a.m.
To: Tim Nicholas
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] ns1,2,3,5.dns.net.nz hot being helpful
I'd AXFR the zones from each server and diff them, but of course I can't. Shame that. (If the poor thinking that drove that policy was removed, we might actually be able to deploy DNSSEC in New Zealand, too).
Joe
On 28 Sep 2004, at 18:27, David Farrar wrote:
Umm if the reply won't be off-topic, why do you think restricting access to the entire .nz zone file is a bad thing,
Because being able to do a zone transfer is useful to debug things, and because a policy which prevents enumeration of the records in a zone will block deployment of a signed zone containing NSEC records. That's the end of the operational part of the reply, if you could call it that.
and did you put in a submission on the recent policy review?
Nope. I discovered long ago that the world is a much more pleasant place if I resist all temptation to involve myself in "policy" or "governance" issues, irony implied by punctuation intended. Besides, there are plenty of hard concrete walls here I can bang my head against, if I really feel the need; I don't need to go looking for others.
There have been numerous examples of scammers using zone data combined with whois lookups to do mass spams and scams. Doing our bit to make this harder to do seems a good thing IMO.
There have also been uncountable examples of scammers using all kinds of non-zone data combined with whois lookups to do those things. I have not seen any convincing argument that allowing the zone to be retrieved (by NSEC chain walking, AXFR, FTP, HTTP, or any other method) will make any difference to this. If they can get your address, they can get your address -- who cares how they get it?
I'm open for persuasion that the problems fixed by DNSSEC are a bigger threat than the scams made possible by zone access, but yet to see a convincing argument.
I have yet to see a convincing argument that the threat of increased scamming due to open access to the zone imposes any additional threat at all. It seems odd to take the position that known threats against the DNS that we can defend against (with DNSSEC) take a back seat to nebulous threats which have not been demonstrated to exist. Joe
On 28 Sep 2004, at 18:27, David Farrar wrote:
Umm if the reply won't be off-topic, why do you think restricting access to the entire .nz zone file is a bad thing,
Blocking the zone doesn't fix the problem; the problem is with whois, not the .nz zone. My contact information is not in the zone, but it is in the whois info. You're doing a poor band-aid fix, it's not worthy as a New Zealand No.8 wire fix, you're "fixing" the wrong thing. The real problem is whois, not the zone data. Personally I couldn't care if people can't get my contact details out of whois (hmm, do 90% of the population even know whois exists?) but I'm fairly sure some people would strongly oppose changing the returned info from whois so that domain scammers couldn't use it. Yeah I know, put a submission in to the great and holy INZ for consideration; I don't see the point in that - the powers that be might read it, but they will do what they want, not what is right. If an alcoholic keeps falling down when drunk, you don't tie him to a chair to stop him falling down.... :D
-----Original Message-----
From: Joe Abley [mailto:jabley(a)isc.org]
Sent: Wednesday, 29 September 2004 10:43 a.m.
To: David Farrar
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] ns1,2,3,5.dns.net.nz hot being helpful
On 28 Sep 2004, at 18:27, David Farrar wrote:
Umm if the reply won't be off-topic, why do you think restricting access to the entire .nz zone file is a bad thing,
Because being able to do a zone transfer is useful to debug things, and because a policy which prevents enumeration of the records in a zone will block deployment of a signed zone containing NSEC records.
One can apply for zone file access, it just isn't something one gets automatically.
I have yet to see a convincing argument that the threat of increased scamming due to open access to the zone imposes any additional threat at all.
It seems odd to take the position that known threats against the DNS that we can defend against (with DNSSEC) take a back seat to nebulous threats which have not been demonstrated to exist.
Actually it is the other way around. Scammers have told us that they use zone files for their scams. This is not hypothetical - this has happened with the .nz zone before it was restricted. And those scammers actually went and defrauded .nz registrants out of hundreds of thousands of dollars by using the zone file to get the whois data (and yes there is significant rate limiting technology used on the whois, but there are also scammers who use thousands of zombie machines to not trigger the restrictions, even if it takes them a couple of months). The scammers have actually said that the zone file data is very useful to them, because otherwise they need to do dictionary attacks on the whois, and they are much much easier to guard against. I discussed the issue whether DNSSEC benefits outweighed the negatives of open zone files with the CEO of .uk. He made the very valid (IMO) point that the volume of complaints they have had about open zone files and whois leading to domain name scams is some thousand times greater than the number of complaints they have had (as in actual damage, not just a possibility) about something which DNSSEC would have fixed. My hope is that the specs for DNSSEC will either be modified to prevent zone files being accessible, or that an acceptable patch will be developed, so DNSSEC can be used on .nz. But if that doesn't happen, well the way I see it protecting .nz registrants from spam and scams which have already cost .nz registrants hundreds of thousands of dollars (and which did use a zone file) is in the best interests of the Internet community. Anyway thanks for elaborating on your reasons. DPF
David Farrar wrote:
Scammers have told us that they use zone files for their scams. This is not hypothetical - this has happened with the .nz zone before it was restricted. And those scammers actually went and defrauded .nz registrants out of hundreds of thousands of dollars by using the zone file to get the whois data (and yes there is significant rate limiting technology used on the whois, but there are also scammers who use thousands of zombie machines to not trigger the restrictions, even if it takes them a couple of months). The scammers have actually said that the zone file data is very useful to them, because otherwise they need to do dictionary attacks on the whois, and they are much much easier to guard against.
Hang on, I'm confused now. Aren't you mixing up DNS zones and whois information there? You're talking about Chesley Rafferty targeting .nz domain name registrants by harvesting whois data, presumably? -- Juha
Juha Saarinen wrote:
David Farrar wrote:
Scammers have told us that they use zone files for their scams. This is not hypothetical - this has happened with the .nz zone before it was restricted. And those scammers actually went and defrauded .nz registrants out of hundreds of thousands of dollars by using the zone file to get the whois data (and yes there is significant rate limiting technology used on the whois, but there are also scammers who use thousands of zombie machines to not trigger the restrictions, even if it takes them a couple of months). The scammers have actually said that the zone file data is very useful to them, because otherwise they need to do dictionary attacks on the whois, and they are much much easier to guard against.
You mean the scammers compiled a list of .nz domains from zone transfers, and then used them for whois queries? -- Juha
Yes - absolutely. In a zone like .com with 30 million entries, and most English words, the zone file is not that useful, but in a zone of 160,000 it makes life a lot easier for scammers. DPF
-----Original Message-----
From: Juha Saarinen [mailto:juha(a)saarinen.org]
Sent: Wednesday, 29 September 2004 12:52 p.m.
To: NZ NOG
Cc: David Farrar
Subject: Re: [nznog] ns1,2,3,5.dns.net.nz hot being helpful
Juha Saarinen wrote:
David Farrar wrote:
Scammers have told us that they use zone files for their scams. This is not hypothetical - this has happened with the .nz zone before it was restricted. And those scammers actually went and defrauded .nz registrants out of hundreds of thousands of dollars by using the zone file to get the whois data (and yes there is significant rate limiting technology used on the whois, but there are also scammers who use thousands of zombie machines to not trigger the restrictions, even if it takes them a couple of months). The scammers have actually said that the zone file data is very useful to them, because otherwise they need to do dictionary attacks on the whois, and they are much much easier to guard against.
You mean the scammers compiled a list of .nz domains from zone transfers, and then used them for whois queries?
-- Juha
Hang on, I'm confused now. Aren't you mixing up DNS zones and whois information there?
You're talking about Chesley Rafferty targeting .nz domain name registrants by harvesting whois data, presumably?
I'm assuming we're talking about the root nz zone here.
If you can do a zone transfer on the .nz domain, then you get a list of
all the domains currently setup (basically a list of all nz domains)
You can then walk through that and do a whois for each domain.
Spam heaven...
jfp.
-- Jean-Francois Pirus
On Wed, Sep 29, 2004 at 01:02:12PM +1200, jfp wrote:
Hang on, I'm confused now. Aren't you mixing up DNS zones and whois information there?
You're talking about Chesley Rafferty targeting .nz domain name registrants by harvesting whois data, presumably?
I'm assuming we're talking about the root nz zone here.
If you can do a zone transfer on the .nz domain, then you get a list of all the domains currently setup (basically a list of all nz domains) You can then walk through that and do a whois for each domain. Spam heaven...
jfp.
so... which is operationally more important, DNS or whois? which would you rather see turned off? --bill
bmanning(a)vacation.karoshi.com wrote:
so... which is operationally more important, DNS or whois?
which would you rather see turned off?
Turning off (or just anonymising) whois wouldn't break the Intarweb, but it would have seriously undesirable effects. -- Juha
On Wed, Sep 29, 2004 at 01:04:48PM +1200, Juha Saarinen wrote:
bmanning(a)vacation.karoshi.com wrote:
so... which is operationally more important, DNS or whois?
which would you rather see turned off?
Turning off (or just anonymising) whois wouldn't break the Intarweb, but it would have seriously undesirable effects.
Interweb? What side effects do you think accrue from the effect of turning off or anonymising whois? (both good and bad) What side effects do you think accrue from the effect of turning off the DNS (both good and bad)? ** I posit that it is not reasonable to consider "anonymising" the DNS.
bmanning(a)vacation.karoshi.com wrote:
Interweb?
Kiwi in-joke, sorry.
what side effects do you think accrue from the effect of turning off or anonymising whois? (both good and bad)
Good, it may make spammer harvesting of email address a bit harder, and perhaps also help prevent abuse like domain squatting/hijacking. Dubious that it would though, and it would create more hoops for legitimate registrants to jump through as well. Bad, it'd make the registrants anonymous. I bet if .nz were to anonymise whois, spammers would register all their throwaway domains here. If you don't give out any whois information at all, it'd be hard to keep details like nameserver records accurate.
what side effects do you think accrue from the effect of turning off the DNS (both good and bad) ** i posit that it is not reasonable to consider "anonymising" the DNS.
Ah, no, never suggested that. I don't think either can be anonymised. -- Juha
On Wed, Sep 29, 2004 at 01:24:37PM +1200, Juha Saarinen wrote:
what side effects do you think accrue from the effect of turning off or anonymising whois? (both good and bad)
Good, it may make spammer harvesting of email address a bit harder, and perhaps also help prevent abuse like domain squatting/hijacking. Dubious that it would though, and it would create more hoops for legitimate registrants to jump through as well.
Bad, it'd make the registrants anonymous. I bet if .nz were to anonymise whois, spammers would register all their throwaway domains here. If you don't give out any whois information at all, it'd be hard to keep details like nameserver records accurate.
How about restricting access to whois information via a registration-required web interface, rate limiting access dependent on GeoIP location, and making it difficult for scripts. Increase the cost of a massive data mine, but still allow reasonable (*) access to information. For example the Companies Office in NZ, and I've had a few whois queries point to web interfaces instead. (*) I've used whois info to inform people of viruses many times. Nicholas
On Wed, 2004-09-29 at 13:42, Nicholas Lee wrote:
How about restricting access to whois information via a registration-required web interface, rate limiting access dependent on GeoIP location, and making it difficult for scripts.
I gave up sending abuse notices to owners of infected machines when several Asian registries started withholding information from whois servers and forcing me to use web interfaces. I see thousands of abused machines hitting our /16 every day. With an automated system I can notify the registered owners (assuming the data is accurate) of many of these systems in the hope that they will clean up their machines and make the Internet a safer place for us all. But an automated system relies on being able to get (at least halfway) structured data from whois. My take on this is that spammers and scammers will get the information anyway, so why make it a little more difficult for them when the cost of doing so is breaking legitimate uses of the services? There is currently a very similar debate going on on the NZ ADSL list over the presence of email addresses in the archive and the fact that this is easy spam bait. My response to that argument is the same: taking the email addresses out of archives will not slow spammers down much but it will make the archives significantly less useful and lead to more traffic on the lists. Restricting access to zone files is a somewhat different issue: there are very few legitimate reasons for someone to pull a whole domain from a name server, and almost all the time the administrator of the server knows exactly who needs to do it, so restricting access makes sense. -- Russell Fulton, Information Security Officer, The University of Auckland New Zealand
On Wed, Sep 29, 2004 at 06:05:23PM +1200, Russell Fulton wrote:
There is currently a very similar debate going on on the NZ ADSL list over the presence of email addresses in the archive and the fact that this is easy spam bait. My response to that argument is the same, taking the email addresses out of archives will not slow spammers down much but it will make the archives significantly less useful and lead to more traffic on the lists.
Actually I thought about this a little. I think it does have some differences. Particularly, being able to cross-ref the zone file against the whois data allows a more physical and structured attack, like setting up a SEAL team, whereas spam harvesting of email is more like a blindfolded shotgun team. Of course if the spammers are collecting profile information by tracking you with cookies then all bets are off. Finally, with email spam it's possible to filter at the carrier, ISP and user levels. With a targeted postal scam you can only filter at the user level. I agree though, that the information is out there. Some scammers already have the cross-referenced data. It's not an easy problem to solve. One argument might state that it is a stupidity tax and that it's up to the users to filter, as they likely mostly do with spam. Another argument is that people have a reasonable duty to make it harder to commit the scams. For example, we do lock our doors now after all. Possibly some sort of system can be developed where trusted people can access the whois data in a scriptable way. Like banks. Then again it's a global problem and our local views on trusted are hard to extend overseas to someone who we can visit in person. I think if it's possible it's worth trying to increase the entry cost to access of the information. In some cases this might increase the transactional cost of current users, but that's life. After all people complain about speed limits all the time. It's worth considering a similar set of data to the whois database which is online: the Companies Office. That includes information about private addresses, specific company information, Nicholas
Nicholas Lee wrote:
I think if it's possible it's worth trying to increase the entry cost to access of the information. In some cases this might increase the transactional cost of current users, but that's life. After all people complain about speed limits all the time.
Why not just tell the .nz whois server to hand out the number to an SMS responder? That'd take care of the added-cost and prevent bulk harvesting, plus keep a record of who queries the whois. Everyone has mobiles, so it wouldn't require any investment in client-side technology. If you want to ratchet it up a notch, you could always have the whois server give out the phone number to a real live person at InternetNZ, for manual querying. I'm sure the telcos would love to run such a system. -- Juha
On Wed, 2004-09-29 at 18:48, Nicholas Lee wrote:
With a targeted postal scam you can only filter at the user level.
One argument might state that it is a stupidity tax and that it's up to the users to filter,
One thing I've been wondering is why we seem to be more prepared to constrain technical capability via policy, rather than distributing known information to ensure end user education (The Internet being a great vehicle for). I'm kind of surprised that promotion of technical capability is something that apparently (AFAICT) needs to be fought for every step of the way. Colour me naive. Why are we insisting on plugging the cracks in a fundamentally leaky dam, rather than educating the population on what to do (or not do) when they see water? At very minimum it is a combination of the two. So far I have only seen evidence on this thread of one approach. The success rate of scams is inversely proportional to the level of awareness. What are the various bodies that are guardians of The Internet in NZ doing on the awareness front? jamie
On Wed, 29 Sep 2004 19:48:41 +1200, Jamie Baddeley wrote:
One thing I've been wondering is why we seem to be more prepared to constrain technical capability via policy, rather than distributing known information to ensure end user education (The Internet being a great vehicle for). I'm kind of surprised that promotion of technical capability is something that apparently (AFAICT) needs to be fought for every step of the way. Colour me naive.
Hear, hear. It is frequently better to wear slippers than attempt to carpet the world, according to the Australian philosopher, Bob Down. Hamish. -- http://del.icio.us/Hamish.MacEwan
-----Original Message-----
From: bmanning(a)vacation.karoshi.com [mailto:bmanning(a)vacation.karoshi.com]
Sent: Wednesday, 29 September 2004 1:11 p.m.
To: Juha Saarinen
Cc: bmanning(a)vacation.karoshi.com; nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] so ... what is the real reason there is whois anyway?
On Wed, Sep 29, 2004 at 01:04:48PM +1200, Juha Saarinen wrote:
bmanning(a)vacation.karoshi.com wrote:
so... which is operationally more important, DNS or whois?
which would you rather see turned off?
Turning off (or just anonymising) whois wouldn't break the Intarweb, but it would have seriously undesirable effects.
Interweb?
what side effects do you think accrue from the effect of turning off or anonymising whois? (both good and bad)
what side effects do you think accrue from the effect of turning off the DNS (both good and bad) ** i posit that it is not reasonable to consider "anonymising" the DNS.
Just on that point, InternetNZ has just set up a working group (http://www.dnc.org.nz/story/30180-29-1.html) to review the whois policy. As far as I know the "great and holy powers that be" don't have any pre-ordained conclusions as to the outcome, so once they call for it, submissions on desired changes will be most useful. The whois issue is pretty controversial as internationally free speech advocates, anti-spam forces, law enforcement agencies, consumer and privacy groups, and technical groups all have fairly strong and difficult to reconcile views on what data should be made available in response to whois queries. If one did not have address, fax and e-mail data listed in the whois, then there would be far less of a reason to restrict zone file transfers. But a lot of people find that whois data very useful for legitimate reasons. Thus current policy is to list it all, but restrict bulk access to it, as best as possible. DPF
-----Original Message-----
From: David Farrar [mailto:david(a)farrar.com]
Sent: Wednesday, 29 September 2004 1:56 p.m.
To: 'NZ NOG'
Subject: RE: [nznog] so ... what is the real reason there is whois anyway?
what side effects do you think accrue from the effect of turning off the DNS (both good and bad) ** i posit that it is not reasonable to consider "anonymising" the DNS.
Just on that point, InternetNZ has just set up a working group (http://www.dnc.org.nz/story/30180-29-1.html) to review the whois policy. As far as I know the "great and holy powers that be" don't have any pre-ordained conclusions as to the outcome, so once they call for it, submissions on desired changes will be most useful.
Sorry to follow up my own post, but in a coincidence of great timing, the DNC Office has just a few minutes ago announced (at http://www.dnc.org.nz/story/30188-29-1.html) that feedback on the whois policy is now able to be made to the working group. A consultation paper is at http://dnc.org.nz/content/whois_paper_1.html and it covers what information should be displayed, what query options there should be, and security & system access issues. DPF
David Farrar wrote:
Just on that point, InternetNZ has just set up a working group (http://www.dnc.org.nz/story/30180-29-1.html) to review the whois policy. As far as I know the "great and holy powers that be" don't have any pre-ordained conclusions as to the outcome, so once they call for it, submissions on desired changes will be most useful.
Sadly, this level of openness to other views was not something I found within InternetNZ. The actual position of the .nz name holder appears to be more accurately encapsulated in the subsequent post:
However the zone walking issue is not a trivial one, and has put a major spanner in the works. If a solution or workaround to it eventuates, then the original planned implementation can happen. In the short-term I think we just have to wait and see what eventuates.
Basically I read it as: if you want DNSSEC, find another zone. This does seem a strange outcome when the community of interest (NZNOG) appears to want to see DNSSEC progress. (Yes I know the wider community have interests, however I suspect that there is insufficient understanding of the issues for meaningful public debate to occur.) I suggest that those who support the call for a trial implementation of DNSSEC for .geek.nz email InternetNZ (preferably off list); David may be able to suggest the right course of action. Bob Gray
Robert Gray wrote:
Basically I read if you want DNSSEC, find another zone.
Hmmm - which zones are offering DNSSEC currently?
This does seem a strange outcome when the community of interest (NZNOG) appear to want to see DNSSEC progress. (Yes I know the wider community have interests however I suspect that there is insufficient understanding of the issues for meaningful public debate to occur)
I suggest that those who support the call for trial implementation of DNSSEC for .geek.nz and email InternetNZ (preferably off list), David may be able to suggest the right course of action
InternetNZ has already agreed to implement DNSSEC. Waiting for the resolution of the issue of "walking the zone" appears prudent. Being the first ccTLD to implement DNSSEC in its current form, purely to satisfy a handful of NZNOGers, is hardly a responsible stewardship of the .nz namespace, imho. Keith Davidson
Keith Davidson wrote:
Hmmm - which zones are offering DNSSEC currently?
I believe .nl is one.
InternetNZ has already agreed to implement DNSSEC. Waiting for the resolution of the issue of "walking the zone" appears prudent. Being the first ccTLD to implement DNSSEC in its current form, purely to satisfy a handful of NZNOGers, is hardly a responsible stewardship of the .nz namespace, imho.
Would .nz be the first though? -- Juha
Keith Davidson wrote:
InternetNZ has already agreed to implement DNSSEC. Waiting for the resolution of the issue of "walking the zone" appears prudent.
The debate about "walking the zone" has centered on whether this is actually an issue, luminaries such as Joe Abley and Bill Manning have suggested that it is not. Others, well DPF, has suggested that it is.
Being the first ccTLD to implement DNSSEC in its current form, purely to satisfy a handful of NZNOGers, is hardly a responsible stewardship of the .nz namespace, imho.
I don't recall anyone on this list advocating that .nz should be first; certainly I did not. Andy suggested that an implementation in .geek.nz would be a sensible trial to determine whether the society's fears are groundless or otherwise. That the society wishes to ignore the views, however well informed, of a "handful of NZNOGers" speaks volumes about the need for industry membership of InternetNZ. Why pay money to be ignored when you can be ignored for free. -- Robert Gray bob(a)brockhurst.co.nz
-----Original Message-----
From: Robert Gray [mailto:bob(a)brockhurst.co.nz]
Sent: Friday, 1 October 2004 7:30 a.m.
To: Keith Davidson
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] so ... what is the real reason there is whois anyway?
Keith Davidson wrote:
InternetNZ has already agreed to implement DNSSEC. Waiting for the resolution of the issue of "walking the zone" appears prudent.
The debate about "walking the zone" has centered on whether this is actually an issue, luminaries such as Joe Abley and Bill Manning have suggested that it is not. Others, well DPF, has suggested that it is.
Being the first ccTLD to implement DNSSEC in its current form, purely to satisfy a handful of NZNOGers, is hardly a responsible stewardship of the .nz namespace, imho.
I don't recall anyone on this list advocating that .nz should be first; certainly I did not. Andy suggested that an implementation in .geek.nz would be a sensible trial to determine whether the society's fears are groundless or otherwise.
That the society wishes to ignore the views, however well informed, of a "handful of NZNOGers" speaks volumes about the need for industry membership of InternetNZ. Why pay money to be ignored when you can be ignored for free.
I've been trying to wind this thread down, but feel I have to respond to this. This is getting off-topic, for which I apologise - I would suggest any future correspondence be by direct e-mail or transfer to another appropriate list. I resent any implication of a view being ignored. I say that as the person who spent many hours in trying to make sure that the desire of the geek.nz proponents for IPv6 and DNSSEC did not undermine geek.nz being approved, and that .nz did make progress on IPv6 and DNSSEC. Hence I have convened meetings of interested parties, and got policy approved by InternetNZ. I have continued to take an active interest in both issues, and was very disappointed when the zone file issue meant that to proceed would have breached an already existing policy. And I am sure there would be outrage if INZ dumped an existing long standing policy without consultation. There is a world of difference between a view being ignored, and a view not being agreed with. I've been at meetings of the InternetNZ Council where I think I was on the losing side of every vote. That's the nature of things. And the fact that myself and Keith and others actually front up here and debate issues, rather than the old days where decisions were never debated in public, is a good thing IMO. It would in fact be easier to just ignore what people say as Bob suggests, but I think that is a dumb way to operate. In fact several people have told me that I should not have responded to Joe's original e-mail saying he disagreed with the zone file policy, but it is because I wanted to know his views that I started what has now become a long thread. As someone who is not a technical guru, I treat the views of people like Joe and Andy with a hell of a lot of respect. But that is different from saying I am going to agree with them automatically.
And while they do a hell of a lot more than me on DNSSEC, I actually know a hell of a lot more than most people about how spammers and scammers do use zone file data for purposes which are highly undesirable. DPF
On 28 Sep 2004, at 20:42, David Farrar wrote:
I have yet to see a convincing argument that the threat of increased scamming due to open access to the zone imposes any additional threat at all.
It seems odd to take the position that known threats against the DNS that we can defend against (with DNSSEC) take a back seat to nebulous threats which have not been demonstrated to exist.
Actually it is the other way around.
Scammers have told us that they use zone files for their scams.
How many scammers have told you that if it wasn't for zone files being available, they would have no other way to launch their scams?
[hysteria trimmed]
I discussed the issue whether DNSSEC benefits outweighed the negatives of open zone files with the CEO of .uk. He made the very valid (IMO) point that the volume of complaints they have had about open zone files and whois leading to domain name scams is some thousand times greater than the number of complaints they have had (as in actual damage, not just a possibility) about something which DNSSEC would have fixed.
This sounds like a spurious argument to me. How many complaints would you expect to receive from people who believe everything they read on the Internet? If someone decides to impersonate a store's web page and does a good job at it, how many users would ever suspect that was how their credit card details got stolen?
My hope is that the specs for DNSSEC will either be modified to prevent zone files being accessible, or that an acceptable patch will be developed, so DNSSEC can be used on .nz.
I don't see any signs that that will happen. I think what is more likely is that DNSSEC will continue to be deployed in other zones, and zones under NZ will remain insecure.
Anyway thanks for elaborating on your reasons.
Any time. Joe
-----Original Message----- From: Joe Abley [mailto:jabley(a)isc.org] Sent: Wednesday, 29 September 2004 12:57 p.m. To: David Farrar Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] ns1,2,3,5.dns.net.nz hot being helpful
On 28 Sep 2004, at 20:42, David Farrar wrote:
I have yet to see a convincing argument that the threat of increased scamming due to open access to the zone imposes any additional threat at all.
It seems odd to take the position that known threats against the DNS that we can defend against (with DNSSEC) take a back seat to nebulous threats which have not been demonstrated to exist.
Actually it is the other way around.
Scammers have told us that they use zone files for their scams.
How many scammers have told you that if it wasn't for zone files being available, they would have no other way to launch their scams?
I think the results speak for themselves. Since the zone file was restricted there have been far fewer scams using the .nz whois data as the old zone files out there get more and more stale. One can never stop scams. One can minimise them though.
My hope is that the specs for DNSSEC will either be modified to prevent zone files being accessible, or that an acceptable patch will be developed, so DNSSEC can be used on .nz.
I don't see any signs that that will happen. I think what is more likely is that DNSSEC will continue to be deployed in other zones, and zones under NZ will remain insecure.
ccTLDs discussed this issue at July ICANN. Don't take this as gospel, but I don't think a single medium or large ccTLD is going to implement DNSSEC unmodified. In fact the Europeans have said their privacy laws would give them grief if they do. They, like .nz, are keen to be able to implement DNSSEC and some of them are working on the patches I referred to. By the end of the year it may be clear what is happening. DPF
ccTLDs discussed this issue at July ICANN. Don't take this as gospel, but I don't think a single medium or large ccTLD is going to implement DNSSEC unmodified.
I know of three that have indicated a rapid adoption of DNSSEC is planned, once the IETF nails the specs. Rumour has it that the IESG has ok'ed them, code is available.... give the registries 3-9 months to hammer out the backoffice issues and I posit visible DNSSEC signed zones mid-2005. Then there are the other TLDs and the infrastructure stuff... Verisign has an active testbed for signed .NET entries and RIPE is certainly headed in the direction of signed reverse trees.
In fact the Europeans have said their privacy laws would give them grief if they do. They, like .nz, are keen to be able to implement DNSSEC and some of them are working on the patches I referred to. By the end of the year it may be clear what is happening.
Some Europeans have said the EU privacy laws are not germane to the DNS, since personal data is never exposed. That's in the whois data. And it might be worthwhile to look at the recent APNIC policy of restricting public access to registration data. Patches will have to go through the IETF and have code written... there will likely be a several year wait for such to be visible. Meanwhile, the number of zones protected by DNSSEC will grow. --- he sez looking into his crystal ball... :)
DPF
--bill
-----Original Message----- From: bmanning(a)vacation.karoshi.com [mailto:bmanning(a)vacation.karoshi.com] Sent: Wednesday, 29 September 2004 2:02 p.m. To: David Farrar Cc: 'NZ NOG' Subject: Re: [nznog] ns1,2,3,5.dns.net.nz hot being helpful
Patches will have to go through the IETF and have code written... there will likely be a several year wait for such to be visible. Meanwhile, the number of zones protected by DNSSEC will grow. --- he sez looking into his crystal ball... :)
I should point out that there is no barrier to signing the .nz zone itself as the contents of that zone are well known and public (only 14 records). The issue is with signing the 2LDs. It is possible that in a moderated 2LD such as govt.nz, the 2LD community and moderator might decide that they don't mind their zone file being accessible (as I suspect almost all govt.nz domains are easily found or listed anyway), and one could implement DNSSEC just on that 2LD. DPF
David Farrar wrote:
I should point out that there is no barrier to signing the .nz zone itself as the contents of that zone are well known and public (only 14 records).
The issue is with signing the 2LDs.
It is possible that in a moderated 2LD such as govt.nz, the 2LD community and moderator might decide that they don't mind their zone file being accessible (as I suspect almost all govt.nz domains are easily found or listed anyway), and one could implement DNSSEC just on that 2LD.
Isn't this what geek.nz was originally for? [1]
[1]: http://troublemaking.geek.nz/doc/geek-implementation-02.html
On 28 Sep 2004, at 22:35, David Farrar wrote:
It is possible that in a moderated 2LD such as govt.nz, the 2LD community and moderator might decide that they don't mind their zone file being accessible (as I suspect almost all govt.nz domains are easily found or listed anyway), and one could implement DNSSEC just on that 2LD.
I suspect almost all co.nz, org.nz, gen.nz, etc zones are just as easy to find as the zones under govt.nz. I don't really understand why you've singled out govt.nz for special treatment in this thought experiment. However, it sounds very much like the .nz manager has already made up its mind on this regardless of the opinions of anybody here, so there doesn't seem to be much point in throwing any more logic at the policy. (And to all the people who sent me private mail saying "but what about geek.nz? That's going to be signed, because that's what it was created for." Yeah, that's what I thought too. Apparently not.) Joe
Joe Abley wrote:
(And to all the people who sent me private mail saying "but what about geek.nz? That's going to be signed, because that's what it was created for." Yeah, that's what I thought too. Apparently not.)
I'm pretty sure I recall discussions with the DNC about the setting up of 'geek.nz' where we asked about getting the zone signed and agreed to wait until the whole of .nz would be signed. The discussion went along the lines 'you want DNSSEC signing of the new 'geek.nz' zone? that's a good idea. why don't we do it for all of NZ'. Now there appear to be doubts from the managers of the nz tld about signing the whole zone - I don't agree with them but if that's their stance, can we have signing of geek.nz back on the agenda please. This will do two things: 1) It will provide operational experience in doing the DNSSEC thing 2) It will provide a test bed to see if those in 'geek.nz' get scammed, spammed, slammed, jammed, damned .... as a result.
Why is it that IANA and the Root Server operators seem generally averse to using DNSSEC in its current form?
Keith Davidson
Andy Linton wrote:
I'm pretty sure I recall discussions with the DNC about the setting up of 'geek.nz' where we asked about getting the zone signed and agreed to wait until the whole of .nz would be signed. The discussion went along the lines 'you want DNSSEC signing of the new 'geek.nz' zone? that's a good idea. why don't we do it for all of NZ'
Now there appear to be doubts from the managers of the nz tld about signing the whole zone - I don't agree with them but if that's their stance, can we have signing of geek.nz back on the agenda please.
This will do two things:
1) It will provide operational experience in doing the DNSSEC thing 2) It will provide a test bed to see if those in 'geek.nz' get scammed, spammed, slammed, jammed, damned .... as a result.
whatever gives you that impression?
On Wed, Sep 29, 2004 at 03:49:12PM +1200, Keith Davidson wrote:
Why is it that IANA and the Root Server operators seem generally averse to using DNSSEC in its current form?
Keith Davidson
Andy Linton wrote:
I'm pretty sure I recall discussions with the DNC about the setting up of 'geek.nz' where we asked about getting the zone signed and agreed to wait until the whole of .nz would be signed. The discussion went along the lines 'you want DNSSEC signing of the new 'geek.nz' zone? that's a good idea. why don't we do it for all of NZ'
Now there appear to be doubts from the managers of the nz tld about signing the whole zone - I don't agree with them but if that's their stance, can we have signing of geek.nz back on the agenda please.
This will do two things:
1) It will provide operational experience in doing the DNSSEC thing 2) It will provide a test bed to see if those in 'geek.nz' get scammed, spammed, slammed, jammed, damned .... as a result.
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
On 28 Sep 2004, at 23:49, Keith Davidson wrote:
Why is it that IANA and the Root Server operators seem generally averse to using DNSSEC in its current form?
When I talked to John Crain and Doug Barton in Suva at the APNIC meeting, they told me that they expected the root zone to be signed according to the current DNSSEC spec within 9 months. They were speaking for themselves, and not for IANA in any formal sense (but since IANA pretty much is John Crain and Doug Barton, it's not clear that IANA's position would be different). I detected no aversion to DNSSEC in its current form at all. The root server operators have voiced no concerns, either. In fact, several of the root server operators have been very active in defining the current spec of DNSSEC. Joe
-----Original Message----- From: Andy Linton [mailto:asjl(a)citylink.co.nz] Sent: Wednesday, 29 September 2004 3:28 p.m. To: 'NZ NOG' Subject: Re: [nznog] ns1,2,3,5.dns.net.nz hot being helpful
Joe Abley wrote:
(And to all the people who sent me private mail saying "but what about geek.nz? That's going to be signed, because that's what it was created for." Yeah, that's what I thought too. Apparently not.)
I'm pretty sure I recall discussions with the DNC about the setting up of 'geek.nz' where we asked about getting the zone signed and agreed to wait until the whole of .nz would be signed. The discussion went along the lines 'you want DNSSEC signing of the new 'geek.nz' zone? that's a good idea. why don't we do it for all of NZ'
Yep that was exactly that. In fact I facilitated the meeting to recommend this as policy, and got both INZ and NZRS to sign off on implementing DNSSEC. However the issue of DNSSEC allowing the zone file to be revealed only became apparent at a later stage. This meant that implementing DNSSEC would breach existing .nz policy. This has caused a large number of ccTLDs to state they can not implement DNSSEC unless it is modified. To find out how best to resolve this issue, a technical staffer was sent to the last ICANN meeting to get the latest updates from .nl, Steve Crocker, other ccTLDs about what is probable and possible. The hope is that as DNSSEC specs had not been signed off, they could be modified to prevent the publication of the zone. As I said many ccTLDs said they would absolutely adopt DNSSEC if this issue could be addressed. The position of .nz is to wait and see the final shape of DNSSEC, and delay implementation until this is known.
Now there appear to be doubts from the managers of the nz tld about signing the whole zone - I don't agree with them but if that's their stance, can we have signing of geek.nz back on the agenda please.
The problem with this is that geek.nz is unmoderated and that is very different to a moderated domain. A moderator does effectively speak for their 2LD registrants. Who speaks for all 500 geek.nz registrants? Also there could be a significant resistance from registrars to support DNSSEC, if it is only available on 0.3% of .nz domains. And unless there are Registrars willing to test and implement it, then the Registry can't do much. .nz agreed to implement DNSSEC and IPv6 glue to .nz, as requested by various people last year. It has introduced TSIG for the name servers, it will soon have IPv6 glue working and it did agree to implement DNSSEC and had an implementation schedule drawn up for this. However the zone walking issue is not a trivial one, and has put a major spanner in the works. If a solution or workaround to it eventuates, then the original planned implementation can happen. In the short-term I think we just have to wait and see what eventuates. DPF
On 29 Sep 2004, at 00:56, David Farrar wrote:
However the issue of DNSSEC allowing the zone file to be revealed only became apparent at a later stage.
Incidentally, the by-product of NXT (now NSEC) which allows a zone to be enumerated has been widely publicised for a long time (for years). It is possible that you're suggesting that this is a new issue, or one that has only recently been identified by the DNSSEC architects. This is not true at all. The NXT-walking feature of DNSSEC was most definitely raised at the 2002 ICANN meeting in Shanghai, to which InternetNZ sent people. I helped teach a room full of ccTLD operators about DNSSEC immediately before that meeting (with Bill Manning) and we definitely talked through slides describing exactly how you could use NXT to extract the full contents of a zone. The geek.nz/DNSSEC implementation discussions didn't happen until the end of 2003. Claiming that the NXT/NSEC-walking issue was not apparent at the time that InternetNZ undertook to sign all second-level zones under NZ is just disingenuous. Joe
Tim Nicholas
Hi all,
Anyone know why ns1 ns2 ns3 and ns5.dns.net.nz aren't giving out useful information?
That's because they don't have "useful information". They have delegations to name servers that do. Let's look at NS4's actual response to your query:

$ dig dnc.net.nz. NS @ns4.dns.net.nz
; <<>> DiG 8.3 <<>> dnc.net.nz. NS @ns4.dns.net.nz
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20937
;; flags: qr rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;; dnc.net.nz, type = NS, class = IN
;; ANSWER SECTION:
dnc.net.nz. 1D IN NS ns2.actrix.co.nz.
dnc.net.nz. 1D IN NS internetnz.net.nz.
dnc.net.nz. 1D IN NS ns1.actrix.co.nz.
;; ADDITIONAL SECTION:
ns2.actrix.co.nz. 1D IN A 203.96.16.36
ns1.actrix.co.nz. 1D IN A 203.96.16.35

The NS records are placed in the answer section of the response, and 'host' considers these answers, although note that the 'aa' flag (authoritative answer) is not set. That's because delegation information is not considered authoritative; if you want an authoritative answer for the NS records of dnc.net.nz, you should ask (according to this answer) one of ns2.actrix.co.nz, internetnz.net.nz or ns1.actrix.co.nz.

This answer is "wrong". This answer should still be delegating responsibility for records in the dnc.net.nz domain to the name servers mentioned in the NS list; the NS records held by ns4.dns.net.nz are really just to help you find something that has the answer, and thus they should really be returned in the authority section, not the answer section, as happens when you look up something else in the delegated zone such as an address query:

$ dig dnc.net.nz. A @ns4.dns.net.nz
; <<>> DiG 8.3 <<>> dnc.net.nz. A @ns4.dns.net.nz
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4940
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 2
;; QUERY SECTION:
;; dnc.net.nz, type = A, class = IN
;; AUTHORITY SECTION:
dnc.net.nz. 1D IN NS ns1.actrix.co.nz.
dnc.net.nz. 1D IN NS ns2.actrix.co.nz.
dnc.net.nz. 1D IN NS internetnz.net.nz.
;; ADDITIONAL SECTION:
ns1.actrix.co.nz. 1D IN A 203.96.16.35
ns2.actrix.co.nz. 1D IN A 203.96.16.36

NS4 and NS7 run BIND 8, whose logic basically goes, "do I have anything, anywhere that matches the query? If yes, put the records in the answer section, otherwise, put any available authority data in the authority section." This is different from BIND 9's (more correct) logic, which goes, "is this domain delegated? If so, just put authority data in the authority section, and never return data in the answer section." Thus you get the same format answers for an NS query as for an A query; the NS records are in the authority section, not the answer section. For example:

$ dig dnc.net.nz. NS @ns1.dns.net.nz
; <<>> DiG 8.3 <<>> dnc.net.nz. NS @ns1.dns.net.nz
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3432
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
;; QUERY SECTION:
;; dnc.net.nz, type = NS, class = IN
;; AUTHORITY SECTION:
dnc.net.nz. 1D IN NS ns1.actrix.co.nz.
dnc.net.nz. 1D IN NS ns2.actrix.co.nz.
dnc.net.nz. 1D IN NS internetnz.net.nz.

NS1, NS2 & NS3 all run BIND 9. NS5 & NS6 are operated by UltraDNS, which uses their own software but has the same behaviour regarding delegated responses. Also, note that in the BIND 9 (and UltraDNS) responses, there are no additional "glue" address records, because none of the delegated name servers are within the "dnc.net.nz" domain, and therefore don't actually need glue. (There's a bunch of reasons why putting in glue where it's not needed is not a good idea, mostly relating to stale glue data. BIND 8 is rather generous with additional glue.)

Basically, the BIND 8 servers give "answers" to NS record queries when they don't actually have "answers" to give. All the rest give delegation responses, just as when faced with a non-NS record (which is the usual case). It's all working fine. You'll see the same behaviour in other name servers. Hope this helps. -- don
That's 4 of 7 primary servers for all of .nz and seems to be affecting all of the second level domains.
22:35:04 tim(a)stella ~$ for i in 1 2 3 4 5 6 7; do host -t ns dnc.net.nz ns$i.dns.net.nz;echo; done
dnc.net.nz NS record currently not present at ns1.dns.net.nz
dnc.net.nz NS record currently not present at ns2.dns.net.nz
dnc.net.nz NS record currently not present at ns3.dns.net.nz
dnc.net.nz NS ns2.actrix.co.nz dnc.net.nz NS internetnz.net.nz dnc.net.nz NS ns1.actrix.co.nz
dnc.net.nz NS record currently not present at ns5.dns.net.nz
dnc.net.nz NS ns2.actrix.co.nz dnc.net.nz NS ns1.actrix.co.nz dnc.net.nz NS internetnz.net.nz
dnc.net.nz NS internetnz.net.nz dnc.net.nz NS ns1.actrix.co.nz dnc.net.nz NS ns2.actrix.co.nz
22:37:40 tim(a)stella ~$
Cheers, Tim
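Don's explanation above (NS set in the answer section on BIND 8, in the authority section on BIND 9 and UltraDNS, 'aa' clear either way) can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from BIND or UltraDNS: it parses dig-style text output, classifies each server's response as an answer or a referral, and checks that every server hands out the same NS set; the two sample responses are reconstructed from the dig output quoted above.

```python
"""Classify a parent-side NS response: referral or answer?

Added example, not code from the NZNOG thread or from BIND/UltraDNS. It parses
dig-style text (as quoted in the thread), reports where the NS set landed
(ANSWER = BIND 8 behaviour, AUTHORITY = referral), whether 'aa' was set, and
whether all servers agree on the NS set. Samples are reconstructed from the
thread's dig output.
"""
import re

FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")
SECTION_RE = re.compile(r"^;; (ANSWER|AUTHORITY|ADDITIONAL) SECTION:")
# owner  ttl  class  type  rdata   (dig 8 prints TTLs such as "1D")
RR_RE = re.compile(r"^(\S+)\s+\S+\s+IN\s+(\S+)\s+(\S+)$")
# Reconstructed from the ns4 (BIND 8) response quoted in the thread.
NS4_NS = """\
;; flags: qr rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
;; ANSWER SECTION:
dnc.net.nz.        1D IN NS  ns2.actrix.co.nz.
dnc.net.nz.        1D IN NS  internetnz.net.nz.
dnc.net.nz.        1D IN NS  ns1.actrix.co.nz.
;; ADDITIONAL SECTION:
ns2.actrix.co.nz.  1D IN A   203.96.16.36
ns1.actrix.co.nz.  1D IN A   203.96.16.35
"""
# Reconstructed from the ns1 (BIND 9) response quoted in the thread.
NS1_NS = """\
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
;; AUTHORITY SECTION:
dnc.net.nz.        1D IN NS  ns1.actrix.co.nz.
dnc.net.nz.        1D IN NS  ns2.actrix.co.nz.
dnc.net.nz.        1D IN NS  internetnz.net.nz.
"""

def parse_dig(text):
    """Return (flags, sections); sections maps name -> [(owner, type, rdata)]."""
    flags, current = set(), None
    sections = {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    for line in text.splitlines():
        line = line.strip()
        if m := FLAGS_RE.match(line):
            flags = set(m.group(1).split())
        elif m := SECTION_RE.match(line):
            current = m.group(1)  # RRs that follow belong to this section
        elif current and not line.startswith(";") and (m := RR_RE.match(line)):
            owner, rtype, rdata = (s.rstrip(".") for s in m.groups())
            sections[current].append((owner, rtype, rdata))
    return flags, sections

def classify(text, qname):
    """Report where the NS set for qname landed and whether 'aa' was set."""
    flags, sections = parse_dig(text)
    in_answer = {r for o, t, r in sections["ANSWER"] if t == "NS" and o == qname}
    in_auth = {r for o, t, r in sections["AUTHORITY"] if t == "NS" and o == qname}
    kind = "answer" if in_answer else "referral" if in_auth else "none"
    glue = {o: r for o, t, r in sections["ADDITIONAL"] if t == "A"}
    return {"kind": kind, "aa": "aa" in flags,
            "nameservers": frozenset(in_answer | in_auth), "glue": glue}

def same_delegation(responses, qname):
    """True when every server hands out the same NS set, plus the shapes seen."""
    results = {srv: classify(txt, qname) for srv, txt in responses.items()}
    ns_sets = {r["nameservers"] for r in results.values()}
    return len(ns_sets) == 1, {r["kind"] for r in results.values()}

if __name__ == "__main__":
    for srv, txt in {"ns4": NS4_NS, "ns1": NS1_NS}.items():
        print(srv, classify(txt, "dnc.net.nz"))
    print(same_delegation({"ns4": NS4_NS, "ns1": NS1_NS}, "dnc.net.nz"))
```

For a live check, feed it the output of `dig +norec` against each of the seven servers; a delegation is healthy when the NS sets agree even though the response shapes differ.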
On 28 Sep 2004, at 17:52, Don Stokes wrote:
Tim Nicholas wrote:
Anyone know why ns1 ns2 ns3 and ns5.dns.net.nz aren't giving out useful information?
That's because they don't have "useful information". They have delegations to name servers that do.
[...]
Basically, the BIND 8 servers give "answers" to NS records queries when they don't actually have "answers" to give. All the rest give delegation responses, just as when faced with a non-NS record (which is the usual case). It's all working fine. You'll see the same behaviour in other name servers.
Oh, would you look at that. I should probably stick to configuring routers. Joe
Thanks to Don for the explanation of what's going on here. Given the comment that Bind 9 and UltraDNS display "more correct" logic in the way they provide the answers, are there plans to upgrade the Bind 8 servers to one of these packages?
participants (17): Andy Linton, bmanning@vacation.karoshi.com, David Farrar, Don Stokes, Drew Whittle, Hamish MacEwan, Jamie Baddeley, Jeremy Brooking, jfp, Joe Abley, Juha Saarinen, Keith Davidson, Nicholas Lee, Perry Lorier, Robert Gray, Russell Fulton, Tim Nicholas