Re: [registry-discuss] Zone transfers from .nz name servers
2Day Chief Enthusiast wrote:
I haven't yet got the draft minutes but my recollection of the ISOCNZ Council meeting on Friday is that the consensus was to do exactly that - for reasons of both privacy act considerations and anti-spamming.
Yet another example of ISOCNZ making decisions without consulting industry. Extremely bad form.
I'd say that ISOCNZ did consult industry and are in the process of doing so. Some weeks ago the ISOCNZ technical committee, John Vorstermans, Mark Davies and Roger De Salis talked to Joe Abley and myself. If they didn't talk with Peter that doesn't mean they didn't talk with industry. I have since been seconded onto ISOCNZ council to fill the vacancy left by Peter Mott's resignation and am now on that committee. The tech committee have the task of looking at closing of the zone transfer holes. This is not cast in stone and could be changed if valid reasons can be produced.
I'd also note some data points:
1) The root nameservers have had open transfers turned off.
2) The Domainz RFI for the management of the DNS indicates that in the near future the primary and secondary servers will be operated by Domainz. The organisations that host the secondary servers will not have administrative control over them so Joe's recent example where Clear and Xtra currently have access to the zone file data will not hold in the future.
3) Mark Davies' web pages which list the NZ domain names will disappear in their current form.
I'd like people to put their cards on the table and say why they want access to the complete zone files. That would help us understand if there are valid reasons for leaving the transfers open. I also believe this discussion belongs on the NZNOG list.
---------
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
where the body of your message reads: unsubscribe nznog
On Wed, May 26, 1999 at 11:26:36PM +0000, Andy Linton wrote:
2) The Domainz RFI for the management of the DNS indicates that in the near future the primary and secondary servers will be operated by Domainz. The organisations that host the secondary servers will not have administrative control over them so Joe's recent example where Clear and Xtra currently have access to the zone file data will not hold in the future.
Hmm. If we cast our minds back a while, we should remember that the reason CLEAR Net are running nameservers was that at the time all domestic authoritative nameservers were advertised globally by Telecom only. A prolonged network problem at Telecom (well, Netway at the time, I think) resulted in the overseas authoritative servers being unable to refresh their copies of the zones, and the entire nz TLD effectively disappeared for a day. This had an impact on CLEAR customers, despite the fact that CLEAR had experienced no network problems.
I would suggest there is _strong_ operational motivation to colocate authoritative servers with different providers who have different international connectivity.
The current domestic authoritative nameservers obtain global connectivity as follows:
dns1.clear.net.nz via CLIX (by way of Concentric/C&W)
dns2.clear.net.nz via CLIX (by way of Concentric/C&W)
gorgon.xtra.co.nz via NetGate (by way of BBN/SprintLink)
rata.vuw.ac.nz via NetLink (by way of Telstra NZ, by way of Telstra, by way of MCI/AT&T)
ns99.waikato.ac.nz via NetGate (by way of BBN/SprintLink)
This shows some reasonable diversity. It would be a step backwards if this diversity was significantly reduced.
Joe
Domainz. The organisations that host the secondary servers will not have administrative control over them so Joe's recent example where Clear and Xtra currently have access to the zone file data will not hold in the future.
Hmm.
If we cast our minds back a while, we should remember that the reason CLEAR Net are running nameservers was that at the time all domestic authoritative nameservers were advertised globally by Telecom only.
I am sure DOMAINZ will seek to co-locate these boxes at strategic points on the net. It's just that they will own and control it. I have no problem with anything they do with the name servers. As long as I can get the equiv of a zone transfer from somewhere any time of the day or night using a freely available Internet protocol.
I am not prepared to say what I am doing with it other than to say it's not unlawful.
p.s. And I don't mean OLD data. I mean live up to date stuff :-)
regards
Peter Mott
Chief Enthusiast
2Day Internet Limited
http://www.2day.net.nz
-/-
2Day Chief Enthusiast wrote:
I am sure DOMAINZ will seek to co-locate these boxes at strategic points on the net. Its just that they will own and control it. I have no problem with anything they do with the name servers. As long as I can get the equiv of a zone transfer from somewhere anytime of the day or night using a freely available Internet protocol.
I am not prepared to say what I am doing with it other than to say its not unlawful.
It may well be lawful,
Q) why exactly is it *necessary*?
A) You're not prepared to say.... yet you expect your request to be considered...
Cheers,
Sid
--
Sid Jones                Loquacious, dissemblers, immoral liars, stunted,
sjones(a)netlink.co.nz    bigoted, dark, ugly, pugnacious little trolls.
0800 655 465               -British Food Critic AA Gill on the Welsh
Joe Abley wrote:
On Wed, May 26, 1999 at 11:26:36PM +0000, Andy Linton wrote:
2) The Domainz RFI for the management of the DNS indicates that in the near future the primary and secondary servers will be operated by Domainz. The organisations that host the secondary servers will not have administrative control over them so Joe's recent example where Clear and Xtra currently have access to the zone file data will not hold in the future.
Hmm.
If we cast our minds back a while, we should remember that the reason CLEAR Net are running nameservers was that at the time all domestic authoritative nameservers were advertised globally by Telecom only.
A prolonged network problem at Telecom (well, Netway at the time, I think) resulted in the overseas authoritative servers being unable to refresh their copies of the zones, and the entire nz TLD effectively disappeared for a day. This had an impact on CLEAR customers, despite the fact that CLEAR had experienced no network problems.
I would suggest there is _strong_ operational motivation to colocate authoritative servers with different providers who have different international connectivity.
The current domestic authoritative nameservers obtain global connectivity as follows:
dns1.clear.net.nz via CLIX (by way of Concentric/C&W)
dns2.clear.net.nz via CLIX (by way of Concentric/C&W)
gorgon.xtra.co.nz via NetGate (by way of BBN/SprintLink)
rata.vuw.ac.nz via NetLink (by way of Telstra NZ, by way of Telstra, by way of MCI/AT&T)
ns99.waikato.ac.nz via NetGate (by way of BBN/SprintLink)
This shows some reasonable diversity. It would be a step backwards if this diversity was significantly reduced.
And I'm not for one moment suggesting that this should or will change. What I am suggesting is that it's likely we'll see something like:
ns1.domainz.net.nz via CLIX (by way of Concentric/C&W)
ns2.domainz.net.nz via CLIX (by way of Concentric/C&W)
ns3.domainz.net.nz via NetGate (by way of BBN/SprintLink)
ns4.domainz.net.nz via NetLink (by way of Telstra NZ, by way of Telstra, by way of MCI/AT&T)
ns5.domainz.net.nz via NetGate (by way of BBN/SprintLink)
These names and locations are for example only. The connection points will need discussion and agreement from the major providers.
I'd like people to put their cards on the table and say why they want access to the complete zone files. That would help us understand if there are valid reasons for leaving the transfers open.
I have set up our central campus name servers to mirror the NZ top- and second-level zones. That is, they are stealth name servers for .nz, .co.nz, .ac.nz and so on. The easiest way to do this is via normal DNS zone transfers.
Zone transfers from our core name servers are restricted to addresses on campus plus a few others.
If the zone transfers were restricted, I would ask that our primary name servers be allowed access to continue the mirroring.
The reasons for setting this up are largely historic:
1. Faster access to lookups for some .nz names. Lookups do not have to go across a WAN link.
2. If our WAN connection was ever broken, local lookups that used a search list would break or slow to a crawl as well.
3. Resolving names using a search list would cause queries to go out via the WAN to the NZ name servers. Having the campus name servers set up as authoritative for zones that are searched stopped these queries leaving the campus.
BIND with negative caching has cut down those queries considerably, taking it from several hundred bogus queries per second going off campus to one bogus query every five minutes.
We still have lots of Windows machines that go looking for 'MYWORKGROUP.auckland.ac.nz' then 'MYWORKGROUP.ac.nz' (then 'MYWORKGROUP.nz' and finally "MYWORKGROUP" if they are really badly configured.) I turned on query logging for a few minutes yesterday and puked.
While we can get the machines configured to turn this crap off, it is an uphill battle.
4. Related to (3), when we were charged by the byte for Internet traffic this saved money. Or appeared to.
I do not believe the stealth servers have caused any problems over the past 4 years. And believe we are still winning because of it.
This is not advocating that everyone mirrors the .nz domains. If we were starting from scratch, I would not do it this way.
Russell
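Russell's points 3 and 4 describe search-list queries leaking off campus and the stealth mirror of the .nz zones stopping them. The script below is an added example, not code from the thread or from Auckland University: it reads BIND 9 style query-log lines (constructed sample data, addresses from the 192.0.2.0/24 documentation range), flags hosts walking the search list with a workgroup-style name, and lists which queries would still cross the WAN for a given set of locally authoritative zones. The search list auckland.ac.nz / ac.nz / nz and the log line format are assumptions.

```python
"""Spot search-list leakage in BIND query logs; sample data below is constructed."""
import re
from collections import defaultdict

SEARCH_LIST = ["auckland.ac.nz", "ac.nz", "nz"]  # assumed resolver search list, longest first
# Assumed BIND 9 style query-log line:  client 192.0.2.5#1034: query: MYWORKGROUP.ac.nz IN A +
LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_query_log(lines):
    """Yield (client_ip, qname lower-cased without trailing dot, qtype) per parseable line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower().rstrip("."), m.group("qtype")

def split_search_suffix(qname):
    """Return (bare_label, suffix) when qname is a single label plus a search-list suffix."""
    for suffix in SEARCH_LIST:
        if qname.endswith("." + suffix):
            label = qname[: -len(suffix) - 1]
            return (label, suffix) if label and "." not in label else None
    return None

def find_search_list_walkers(lines, min_suffixes=2):
    """Clients that queried one bare label under several suffixes (a host appending its search list)."""
    seen = defaultdict(lambda: defaultdict(list))
    for ip, qname, _qtype in parse_query_log(lines):
        hit = split_search_suffix(qname)
        if hit and hit[1] not in seen[ip][hit[0]]:
            seen[ip][hit[0]].append(hit[1])
    return {ip: {lab: sufs for lab, sufs in labs.items() if len(sufs) >= min_suffixes}
            for ip, labs in seen.items()
            if any(len(sufs) >= min_suffixes for sufs in labs.values())}

def queries_leaving_campus(lines, local_zones):
    """Query names no campus server is authoritative for, i.e. the ones that cross the WAN."""
    def is_local(qname):
        return any(qname == z or qname.endswith("." + z) for z in local_zones)
    return [q for _ip, q, _qtype in parse_query_log(lines) if not is_local(q)]

# Constructed sample: 192.0.2.5 is a misconfigured Windows host walking the search list.
SAMPLE_LOG = [
    "client 192.0.2.5#1034: query: MYWORKGROUP.auckland.ac.nz IN A +",
    "client 192.0.2.5#1035: query: MYWORKGROUP.ac.nz IN A +",
    "client 192.0.2.5#1036: query: MYWORKGROUP.nz IN A +",
    "client 192.0.2.5#1037: query: MYWORKGROUP IN A +",
    "client 192.0.2.9#2001: query: www.auckland.ac.nz IN A +",
    "client 192.0.2.3#3000: query: SALES.ac.nz IN A +",
]
```

Running `queries_leaving_campus(SAMPLE_LOG, {"auckland.ac.nz"})` against `{"auckland.ac.nz", "ac.nz", "nz"}` shows the difference the stealth mirror makes: four off-campus queries drop to one (the bare workgroup name, which only a negative cache can absorb).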
ICONZ have been performing mirroring of the *.co.nz and others for some time now also.
The most effective way for us to do this is via normal DNS zone transfers. It takes significant load off our WAN links, and reduces load on the country's associated secondary DNS servers. Our caching servers are restricted to queries only from within our network; we run a separate cluster of servers for zones which we are authoritative for. These servers do not cache and do not perform zone transfers of the nz TLD.
It also presents us with the ability to service our clients' DNS requests with the same speed and efficiency that Clear, Xtra and Netlink benefit from.
This, as with the case of Auckland University, appears to be reasonable use of zone transfers from ns99.
-Rowan
----- Original Message -----
From: Russell Street
I'd like people to put their cards on the table and say why they want access to the complete zone files. That would help us understand if there are valid reasons for leaving the transfers open.
I have set up our central campus name servers to mirror the NZ top- and second- level zones. That is, they are stealth name servers for .nz, .co.nz, .ac.nz and so on. The easiest way to do this is via normal DNS zone transfers.
Zone transfers from our core name servers are restricted to addresses on campus plus a few others.
If the zone transfers were restricted, I would ask that our primary name servers be allowed access to continue the mirroring.
The reasons for setting this up are largely historic:
1. Faster access to lookups for some .nz names. Lookups do not have to go across a WAN link.
2. If our WAN connection was ever broken, local lookups that used a search list would break or slow to a crawl as well.
3. Resolving names using a search list would cause queries to go out via the WAN to the NZ name servers. Having the campus name servers set up as authoritative for zones that are searched stopped these queries leaving the campus.
BIND with negative caching has cut down those queries considerably, taking it from several hundred bogus queries per second going off campus to one bogus query every five minutes.
We still have lots of Windows machines that go looking for 'MYWORKGROUP.auckland.ac.nz' then 'MYWORKGROUP.ac.nz' (then 'MYWORKGROUP.nz' and finally "MYWORKGROUP" if they are really badly configured.) I turned on query logging for a few minutes yesterday and puked.
While we can get the machines configured to turn this crap off, it is an uphill battle.
4. Related to (3), when we were charged by the byte for Internet traffic this saved money. Or appeared to.
I do not believe the stealth servers have caused any problems over the past 4 years. And believe we are still winning because of it.
This is not advocating that everyone mirrors the .nz domains. If we were starting from scratch, I would not do it this way.
Russell