Re: clueing in TLD registries for delegations to non-BIND servers, Stefan Paletta stefanp@localhost
- Date: Fri, 7 Feb 2003 14:25:24 +0100
At 6:42 PM +0100 2003/02/06, Stefan Paletta wrote:
> I understand that nsd (as most non-BIND servers) returns SERVFAIL for
> questions for which it does have neither authoritative nor non-
> authoritative data (i.e. it is lame) and that this behaviour is RFC-
> conformant and certainly best-practice for authoritative-only servers.

Best practice? No, I would disagree most vehemently on that. If
nsd is doing this, then I believe it needs to be fixed. Handing out
a referral to the root zone is no more work than handing out SERVFAIL.

> Some TLD registries, however, make unreasonable demands regarding the
> behaviour of servers to which they delegate zones.

Unreasonable? No, I consider this to be best practice.

> These demands are highly questionable -to say the least- and are hard
> and sometimes impossible to follow for users of at least tinydns and
> nsd.

Hard for users of tinydns? Just what is required? Here's what
the djbdns FAQ at <http://www.fefe.de/djbdns/> has to say:

    Tinydns does not answer at all when someone lamely delegates to it?

    Yes. You can add this line to your data file to simulate
    BIND behaviour:

        &::a.root-servers.net

While I believe this to be b0rken behaviour, and I definitely
ding djbdns for doing this by default, this is not what I would
consider to be particularly onerous if you have jumped through all
the other necessary hoops, incredibly poor documentation, and bizarre
data file formats in order to get djbdns running.
Now, for users of nsd, yes this is a serious problem. They are
not given any choice. But then, nsd is not useful as a
general-purpose authoritative nameserver -- it is designed as a
root/TLD nameserver, and anyone who mis-uses or abuses it to try to
serve as a general-purpose authoritative nameserver basically gets
what they deserve.

> I was wondering if RIPE or a group from the RIPE community might
> appeal to those registries and try to make them stop acting stupid.

I would appeal to the authors of nsd to fix this and to have nsd
generate referrals by default.
--
Brad Knowles, <brad.knowles@localhost>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
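
An added example, not part of the original message or of any server discussed in it: a Python classifier for the reply behaviours the thread contrasts when a server is asked about a zone it does not serve (SERVFAIL, an upward referral to the root, or no reply at all). The function names and the sample packets are constructed for illustration.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:                    # zero-length root label ends the name
            return off

def classify(resp):
    """Classify the reply to a query for a zone delegated to this server."""
    if resp is None:
        return "no-answer"            # timeout: tinydns default per the FAQ
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", resp[:12])
    rcode, aa = flags & 0x000F, bool(flags & 0x0400)
    if rcode == 2:
        return "servfail"             # behaviour attributed to nsd above
    if rcode != 0:
        return "other"
    if aa:
        return "authoritative"        # server is not lame for this zone
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4    # skip QNAME, QTYPE, QCLASS
    if an == 0 and ns > 0:
        end = skip_name(resp, off)
        (rtype,) = struct.unpack("!H", resp[end:end + 2])
        if resp[off] == 0 and rtype == 2: # NS record owned by "."
            return "root-referral"    # BIND-style upward referral
    return "other"

# --- constructed sample replies (not captured traffic) ---
def name(s):
    labels = [l for l in s.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
Q = name("example.test") + struct.pack("!2H", 1, 1)          # A / IN question
def hdr(flags, an=0, ns=0):
    return struct.pack("!6H", 0x1234, flags, 1, an, ns, 0)
ROOT_NS = name(".") + struct.pack("!2HIH", 2, 1, 3600, 20) + name("a.root-servers.net")
SAMPLES = {
    "servfail": hdr(0x8002) + Q,
    "root-referral": hdr(0x8000, ns=1) + Q + ROOT_NS,
    "authoritative": hdr(0x8400, an=1) + Q + b"\xc0\x0c"
                     + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]),
    "no-answer": None,
}
```

Calling `classify()` on each entry of `SAMPLES` returns the entry's own key, so the same function can be pointed at replies collected from each nameserver listed in a delegation.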