From egoshin at ihep.su Wed May 3 22:48:22 1995 From: egoshin at ihep.su (Leonid A.Yegoshin) Date: Wed, 3 May 95 23:48:22 +0300 (GMT+3:00) Subject: URGENT: WG agendas References: <9504280919.AA00618@ncc.ripe.net> Message-ID: Hello, I can support the proposal about changing current working of DNS WG by the next topic list for agenda: 1. What is need to keep in RIPE DB about DNS ? 2. Whats about primary/secondary disposition ? (in terms of rules for service providers & customers) 3. Net failure & DNS - where is level of backup, what connectivity lost is essential for Europe net ? 4. DNS & network security (incl DNS security itself) 5. Mail routing & DNS - whats about network load balancing ? - Leonid Yegoshin, LY22. From ncc at ripe.net Thu May 4 12:02:12 1995 From: ncc at ripe.net (RIPE NCC Staff) Date: Thu, 04 May 1995 12:02:12 +0200 Subject: Number of domain objects in RIPE database Message-ID: <9505041002.AA29198@ncc.ripe.net> Action: 20.11 RIPE NCC To investigate (as time permits) distribution of the domain information in the RIPE database and to investigate a "private" approach for referrals. Dear working group members, Relating to Action Item 20.11 from the previous RIPE meeting I have been asked to produce and send out some statistics about the number of domain objects in the RIPE database. You will find them below. I hope they are self-explanatory. Regards, Roderik Muit RIPE NCC AT : 132 objects, 25 different second-level domains BE : 481 objects, 458 different second-level domains BG : 28 objects, 28 different second-level domains CH : 709 objects, 709 different second-level domains COM : 5 objects, 5 different second-level domains CS : 4 objects, 4 different second-level domains CZ : 276 objects, 276 different second-level domains DE : 1512 objects, 1510 different second-level domains DK : 219 objects, 219 different second-level domains EE : 5 objects, 3 different second-level domains ES : 1 objects, 1 different second-level domains FI : 166 objects, 165 different second-level domains FO : 13 objects, 13 different second-level domains FR : 878 objects, 869 different second-level domains GA : 2 objects, 2 different second-level domains GL : 2 objects, 2 different second-level domains GR : 6 objects, 6 different second-level domains HU : 260 objects, 259 different second-level domains IE : 10 objects, 10 different second-level domains IL : 270 objects, 7 different second-level domains IS : 63 objects, 52 different second-level domains IT : 713 objects, 487 different second-level domains LI : 5 objects, 5 different second-level domains LT : 60 objects, 60 different second-level domains LU : 6 objects, 6 different second-level domains LV : 2 objects, 2 different second-level domains NET : 13 objects, 12 different second-level domains NL : 1559 objects, 1558 different second-level domains NO : 936 objects, 771 different second-level domains PL : 7 objects, 4 different second-level domains PT : 105 objects, 105 different second-level domains RO : 1 objects, 1 different second-level domains RU : 1 objects, 1 different second-level domains SE : 7 objects, 7 different second-level domains SK : 165 objects, 165 different second-level domains SU : 4 objects, 4 different second-level domains TN : 3 objects, 3 different second-level domains TR : 6 objects, 3 different second-level domains UA : 3 objects, 2 different second-level domains UK : 20 objects, 3 different second-level domains YU : 7 objects, 7 different second-level domains 164: 1 reverse delegations 192: 22 reverse delegations 193: 297 reverse delegations 194: 105 reverse delegations From Benoit.Grange at inria.fr Fri May 5 12:30:28 1995 From: Benoit.Grange at inria.fr (Benoit Grange) Date: Fri, 5 May 1995 12:30:28 +0200 Subject: A tool to check if a host takes care of UDP checksum Message-ID: <199505051030.MAA11038@vespucci.inria.fr> Hello, I've written a small tool to see if a host takes care of UDP checksums. This may be important for DNS operation, as corrupted packets without UDP checksums can break some DNS servers. Thanks to an idea of Francis Dupont, the motus operandi is to send a packet with a BAD udp checksum and to see if the host processes it, usually responding with an ICMP PORT UNREACHABLE. If yes, the host is broken. If no ICMP message is received, either the network is broken or the host is fine. This work because most of the host that do not generate UDP checksums will not check UDP checksums of incoming packets (this clearly violates the RFCs...). It is a lot easier to do things this way by sending bad packets and waiting for a reply than trying to look into received packets to see if the checksum is corret. The latter solution requires some network tapping, and may not be easily portable. ckudpcksum is available at: ftp://ftp.nic.fr/pub/autres/dns-wg/ckudpcksum.tar.gz Read the manual, and please DO NOT overuse the program as remote hosts will increment MIB counters each time a wrong packet is received. -- Benoit Grange NIC France E-Mail: nic at nic.fr Personnal E-Mail : Benoit.Grange at inria.fr From Benoit.Grange at inria.fr Fri May 5 12:54:27 1995 From: Benoit.Grange at inria.fr (Benoit Grange) Date: Fri, 5 May 1995 12:54:27 +0200 Subject: A tool to check DNS zones before installing them Message-ID: <199505051054.MAA11053@vespucci.inria.fr> Hello, I've written a tool to check if a zone is correctly configured before delegating it (or to check tge zone anyway, but the tool does not require that the zone is delegated from the upper level servers). This tool is being used locally at NIC France and I make it available, hoping this will interest other sites. http://www.nic.fr/ZoneCheck Please try it, and report comments to Benoit.Grange at inria.fr At this time, this tool is completly experimental... please do *not* advertise it now to end users. -- Benoit Grange NIC France E-Mail: nic at nic.fr Personnal E-Mail : Benoit.Grange at inria.fr From Piet.Beertema at cwi.nl Mon May 8 10:46:16 1995 From: Piet.Beertema at cwi.nl (Piet Beertema) Date: Mon, 08 May 1995 10:46:16 +0200 Subject: URGENT: WG agendas In-Reply-To: "Your message of Wed, 3 May 95 23:48:22 +0300 (GMT+3:00) " Message-ID: <9505080846.AA11683=piet@kraai.cwi.nl> 1. What is need to keep in RIPE DB about DNS ? Nothing. There is no point in duplicating information: it only makes managing the information harder. There would be nothing against automating things though, just like I've done it with the NL TLD whois server: a query to that server for any domain under .NL causes the server to automatically query DNS, and the results are included in the answer. And if any inconsistency is detected between the NL DNS info and the NL administration, a notification is sent to the TLD registrar. Piet From egoshin at ihep.su Mon May 22 22:54:49 1995 From: egoshin at ihep.su (egoshin at ihep.su) Date: Mon, 22 May 95 23:54:49 +0300 (MSD) Subject: WG minutes draft Message-ID: Hello, Below you find the minutes draft of our meeting during RIPE 21 at Rome. You comments are welcome. - Leonid Yegoshin, LY22 -------------------------------------------------------------- DNS working group Chair: Leonid Yegoshin Scribe: Leonid Yegoshin We discussed agenda points in reverse order due to chair initiative. Leonid Yegoshin proposed to speak about new topics before old ones. 1. Mail routing & DNS - what about network load balancing ? Leonid Yegoshin gave short introduction about network resourse load balancing. The primary purpose of it are to diminish load on server hosts and decrease network traffic. Also it is very unlike then mail from one internal host to another internal host going to neigbour organisation or just country follow a MX record set of destination point. There are some activities to split load on network resourses: - use round-robin in DNS answers (BIND 4.9.3) - use short TTL of A records with recalculation of hosts load (see RFC 1794) - use separate sets of name servers for internal and world nets with different representation of DNS tree. Leonid Yegoshin described yet another decision for network resourse load balancing and gave short overview of experimental version of RU-BIND with "region" Resourse Records. This approach based on diversity of sourse IP addresses of DNS requests and description CIDR-syntax net regions in DNS zone. Some discussion were at this point about problems and dangers of this approach. One question was about caching RR's in high level name servers. Answer was that there is TTL=0 which don't cached but used an any way. Another question was about multiply RR's and it's combination in regions. There is the difference in security goal and load balancing - it is not a way to hide some RR's due to forwarder use. Dmitri Sidelnikov said that it is very dangerous approach - it can increase chaos in Internet and debug problems. Leonid Yegoshin lets take in attention that DNS UDP packet size limit is too small to transfer "region" RR of some providers and can be increased for it. Moreover XFER of "regions" require to change XFER format. Carl Malamud suggest Leonid Yegoshin to write RFC draft about it. This suggestion was supported by somebody else. Leonid Yegoshin final question "how many providers are interesting in network resourse load balancing" was remained without definite answer but there was opinion that it will be interesting. 2. DNS & network security (incl DNS security itself) The question "why is it need?" was clear. Commercial server providing require the relayable check of client source domain name (as another information in DNS). No objection was against this point expounded by Leonid Yegoshin. Now there are three ways to check it: - reverse domain check. It is very popular but in general case it is very simple to crash by experienced hacker. Moreover it is crashed time-to-time by some BIND bugs. - Source Responsibility Check (in RU-BIND, ftp://ftp.kiae.su/) or VALIDITY option in BIND 4.9.3. It accept RR's the only from responsible name server, not from arbitrary source. It is powerfull feature but unfortunately it is not work (yet?) in 4.9.3 - some comment exists that VALIDITY is not fully debugged. And it can't protect packet spoofing. - cryptographic sign of DNS exchange. There is RFC draft from DNSSEC WG of IETF for it. Some discussion was started from this point about situation in different countries with cryptography and electronic sign. - Russia (Dmitri Sidelnikov, Leonid Yegoshin cont.) forbidden by default, but license can be obtained from goverment body. Unfortunately it is already clear that the only methods from Russian FAPSI would be licensed (FAPSI is Federal Agency for Goverment Communication and Information). There is the difference between encryption and electronic sign in FAPSI policy, but it is unclear yet. Also the reality is the only FAPSI methods would be used as proof in court - all cryptoanalitic experts are FAPSI experts. - NL (Rob Blokjil) - draft to forbidden was rejected now. - France (Francis Dupont) - forbidden. Electronic sign is legal the only after announce the partners name for message exchange. No any proposal or decision for Europe was done yet about DNS electronic sign. It is obvious that there is very difficult political problem. I think that addition mail discussion is need about situation. Also it is important due to IPv6 authentication & encryption options. 3. What is need to keep in RIPE DB about DNS ? There was not very long discussion about agenda point. There is the objection against keeping information in two places - RIPE DB and DNS. Moreover Piet Beertema has the strong objection against the hold any information about DNS in RIPE DB which was repated in his mail to dns-wg after WG meeting. Nobody insist on holding. After short discussion how we can find in DNS tree the phone/fax and other (TXT records was again proposed for that) David Kessens was offered to propose "something" about distributed access to info (in offline, after meeting). Nobody said anything about separation the organisation and interorganisation domains. 4. What about primary/secondary disposition ? Net failure & DNS - where is the level of backup, what connectivity lost is essential for the European nets ? This topics was discussed together due to lack of time. France and some other time-to-time meet strange problems with root name server access. Discussion about influence of short UDP packet size problem and long root DNS list started. Carl Malamud said what root name servers are need to re-establish near *IX and it can help the problem. Leonid Yegoshin suppose to investigate problems with DNS failure to find the reasons (by himself) in offline. Any provider who has unexplained DNS problem is suggested to contact him about study. 5. After WG meeting. Some talks at lunches found yet another problem with current DNS in CIDR environment - reverse domains for Very Small Enterprises. Now in-addr.arpa standart has minimum 256 hosts in a single zone, and it is an uncomfortable maintenance with VSE. If DNS would be changed some way can be found to decide this large limit.