Re: [ncc-services-wg] Reverse DNS Restructuring Project

  • From: Bruce Campbell < >
  • Date: Wed, 8 Oct 2003 16:41:49 +0200 (CEST)

On Wed, 8 Oct 2003, Olaf M. Kolkman wrote:

> I agree "Clarity good, Confusion bad". I have not yet had the chance
> to study all implications of getting rid of the "rev-srv:". But we'll
> look at this and get back on this issue; probably in the clean-up proposal
> that is to follow or in a separate proposal.

In the context of the above I have some additional data that we have
extracted from the database.

As the wider audience may be aware, the 'rev-srv' attribute in the inetnum
(and inet6num) objects is the rather early predecessor of using the
'domain' object and its 'nserver' attributes to represent a reverse
delegation.

The 'rev-srv' attribute, while it has never been deprecated and is not
used as a source for authoritative DNS data, is still able to be used as
an informational attribute.  For purposes of this discussion, I've
compared the contents of the inetnum 'rev-srv' attribute with the domain
'nserver' attribute.

For the comparison I also introduce the concept of 'derived delegation'. A
'derived delegation' is essentially working out which 'in-addr.arpa'
delegation would best match the inetnum.  Effectively, a /15 inetnum
becomes two /16-level 'derived delegations', and a /17 inetnum becomes 128
/24-level 'derived delegations'.

First the data for reverse delegation information in inetnum objects.

	Total number of inetnum objects:		879691
	Total number of inetnum objects with rev-srv:    54921 (6%)
	Total number of derived delegations:		 27804 (3%)

The fact that the number of derived delegations is smaller than the number
of objects with rev-srv attributes is accounted for by inetnums which
either cover very large ranges (/8 and greater) or smaller ranges (/25 and
lesser) which we do not delegate directly.

Secondly, the data for reverse delegation information in domain objects.

	Total number of domain objects:			113153
	Total number of valid reverse domain objects:	105785

A valid reverse domain object is one that makes sense within the DNS; it
has a set of nservers, and refers to a possible delegation (i.e., it's within
in-addr.arpa and has numbers between 0 and 255).

Comparing the two sets of delegation information.

	Total number of domain objects that do NOT
		match any derived delegation:		 95051
	Total number of derived delegations that do
		NOT match any domain object:		 16523
	Total number of matches between derived
		delegations and domain object:		 18011

The number of domain objects is larger as the NCC has been using them to
represent authoritative reverse delegations during the recent (6 years?)
growth period of the internet.

The number of derived delegations without a matching domain object is
non-zero for two reasons: the statistics script has calculated the 'best'
delegation possible, and hasn't taken into account the possibility of a
/16 inetnum being delegated to 255 /24-level domain objects (etc), or
there are old inetnums which had their corresponding delegations created
before the current system of using domain objects.

We now compare the 18,011 domain objects that have a matching derived
delegation, cross-checking the NS sets (as are intended to be
published in the DNS) of each.

	Total number of mismatches in NS sets:		 10734
	Total number of exact matches in NS sets:	  7277

In summary:

 - rev-srv attributes are used infrequently at the moment, and the
   information within them has a low accuracy.

 - There would be a large cleanup of inetnum objects required to ensure
   that the rev-srv attributes matched the delegations in the domain
   objects, and thus be usable for the creation of authoritative DNS
   delegations.

 - In the current proposal effort is needed to make sure that "legacy"
   reverse delegations that do exist in the DNS, have a corresponding
   rev-srv attribute, but do not have a DOMAIN object in the database,
   get fixed.

-- 
                             Bruce Campbell                            RIPE
                   Systems/Network Engineer                             NCC
                 www.ripe.net - PGP562C8B1B             Operations/Security
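
The 'derived delegation' mapping and the NS-set comparison described in the message above, as an added example that is not part of the original post and is not the RIPE NCC statistics script. The function names, the prefix-length cut-offs (read from the message's "/8 and greater" and "/25 and lesser" remark) and the sample objects are assumptions made for illustration.

```python
import ipaddress

def derived_delegations(inetnum):
    """Map an inetnum range 'first - last' to its in-addr.arpa zone names."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in inetnum.split("-"))
    zones = []
    for net in ipaddress.summarize_address_range(first, last):
        # Assumption (from the message): /8 and larger, /25 and smaller -> none.
        if net.prefixlen <= 8 or net.prefixlen >= 25:
            continue
        level = 16 if net.prefixlen <= 16 else 24  # delegate on octet boundary
        for sub in net.subnets(new_prefix=level):
            octets = str(sub.network_address).split(".")[: level // 8]
            zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones

def ns_set(names):
    """Normalise name-server names: case-insensitive, no trailing dot."""
    return {n.strip().rstrip(".").lower() for n in names}

def compare(inetnums, domains):
    """inetnums: {range: [rev-srv, ...]}; domains: {zone: [nserver, ...]}."""
    derived = {}
    for rng, rev_srv in inetnums.items():
        for zone in derived_delegations(rng):
            derived.setdefault(zone, set()).update(ns_set(rev_srv))
    matched = derived.keys() & domains.keys()
    exact = sum(1 for z in matched if derived[z] == ns_set(domains[z]))
    return {"domain_only": len(domains.keys() - derived.keys()),
            "derived_only": len(derived.keys() - domains.keys()),
            "matched": len(matched),
            "ns_exact": exact,
            "ns_mismatch": len(matched) - exact}

# Constructed sample objects (documentation prefixes, not RIPE database data).
SAMPLE_INETNUMS = {
    "192.0.2.0 - 192.0.2.255": ["ns1.example.net", "ns2.example.net"],
    "198.51.100.0 - 198.51.100.255": ["ns1.example.net"],
    "203.0.113.0 - 203.0.113.255": ["ns.example.org"],
}
SAMPLE_DOMAINS = {
    "2.0.192.in-addr.arpa": ["NS2.example.net.", "ns1.example.net"],
    "100.51.198.in-addr.arpa": ["ns1.example.net", "ns3.example.net"],
    "0.0.10.in-addr.arpa": ["ns.example.com"],
}

if __name__ == "__main__":
    print(derived_delegations("10.0.0.0 - 10.1.255.255"))  # a /15
    print(compare(SAMPLE_INETNUMS, SAMPLE_DOMAINS))
```

The five counters correspond to the figures reported in the message: unmatched domain objects, unmatched derived delegations, matches, and exact versus mismatched NS sets among the matches.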






