This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ncc-services-wg@ripe.net/
[ncc-services-wg] Reverse DNS Restructuring Project
Bruce Campbell
bruce.campbell at ripe.net
Wed Oct 8 16:41:49 CEST 2003
On Wed, 8 Oct 2003, Olaf M. Kolkman wrote:
> I agree "Clarity good, Confusion bad". I have not yet had the chance
> to study all implications of getting rid of the "rev-srv:". But we'll
> look at this and get back on this issue; probably in the clean-up proposal
> that is to follow or in a separate proposal.
In the context of the above I have some additional data that we have
extracted from the database.
As the wider audience may be aware, the 'rev-srv' attribute in the inetnum
(and inet6num) objects is the rather early predecessor of using the
'domain' object and its 'nserver' attributes to represent a reverse
delegation.
The 'rev-srv' attribute, while it has never been deprecated and is not
used as a source for authoritative DNS data, is still able to be used as
an informational attribute. For purposes of this discussion, I've
compared the contents of the inetnum 'rev-srv' attribute with the domain
'nserver' attribute.
For the comparison I also introduce the concept of 'derived delegation'. A
'derived delegation' is essentially working out which 'in-addr.arpa'
delegation would best match the inetnum. Effectively, a /15 inetnum
becomes two /16-level 'derived delegations', and a /17 inetnum becomes 128
/24-level 'derived delegations'.
First the data for reverse delegation information in inetnum objects.
Total number of inetnum objects: 879691
Total number of inetnum objects with rev-srv: 54921 (6%)
Total number of derived delegations: 27804 (3%)
The fact that the number of derived delegations is smaller than the number
of objects with rev-srv attributes is accounted for by inetnums which
either cover very large ranges (/8 and greater) or smaller ranges (/25 and
lesser) which we do not delegate directly.
Secondly, the data for reverse delegation information in domain objects.
Total number of domain objects: 113153
Total number of valid reverse domain objects: 105785
A valid reverse domain object is one that makes sense within the DNS; it
has a set of nservers, and refers to a possible delegation (i.e., it's within
in-addr.arpa and has numbers between 0 and 255).
Comparing the two sets of delegation information.
Total number of domain objects that do NOT match any derived delegation: 95051
Total number of derived delegations that do NOT match any domain object: 16523
Total number of matches between derived delegations and domain object: 18011
The number of domain objects is larger as the NCC has been using them to
represent authoritative reverse delegations during the recent (6 years?)
growth period of the internet.
The number of derived delegations without a matching domain object is
non-zero for two reasons: the statistics script has calculated the 'best'
delegation possible, and hasn't taken into account the possibility of a
/16 inetnum being delegated to 255 /24-level domain objects (etc), or
there are old inetnums which had their corresponding delegations created
before the current system of using domain objects.
We now compare the 18,011 domain objects that have a matching derived
delegation, cross-checking the NS sets (as are intended to be
published in the DNS) of each.
Total number of mismatches in NS sets: 10734
Total number of exact matches in NS sets: 7277
In summary:
- rev-srv attributes are used infrequently at the moment, and the
information within them has a low accuracy.
- There would be a large cleanup of inetnum objects required to ensure
that the rev-srv attributes matched the delegations in the domain
objects, and thus be usable for the creation of authoritative DNS
delegations.
- In the current proposal effort is needed to make sure that "legacy"
reverse delegations that do exist in the DNS, have a corresponding
rev-srv attribute, but do not have a DOMAIN object in the database,
get fixed.
--
Bruce Campbell RIPE
Systems/Network Engineer NCC
www.ripe.net - PGP562C8B1B Operations/Security
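
The 'derived delegation' mapping and NS-set comparison described in the message above, as an added Python example (not the statistics script used for the message, and not RIPE NCC code). It assumes inetnum ranges written as "first - last", treats /9 to /16 as /16-level and /17 to /24 as /24-level zones, and compares name server names case-insensitively; all addresses and host names are constructed sample data.

```python
import ipaddress

def derived_delegations(inetnum):
    """Map an inetnum range 'a.b.c.d - e.f.g.h' to in-addr.arpa zone names."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in inetnum.split("-"))
    zones = []
    for net in ipaddress.summarize_address_range(first, last):
        if net.prefixlen <= 8 or net.prefixlen >= 25:
            continue  # /8 and larger, /25 and smaller: not delegated directly
        level = 16 if net.prefixlen <= 16 else 24
        for sub in net.subnets(new_prefix=level):
            octets = str(sub.network_address).split(".")[: level // 8]
            zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones

def ns_set(names):
    """Normalise name server names so that case and a trailing dot are ignored."""
    return {n.strip().rstrip(".").lower() for n in names}

def compare(inetnums, domains):
    """Classify each derived delegation as 'match', 'mismatch' or 'no-domain'."""
    result = {}
    for rng, rev_srv in inetnums.items():
        for zone in derived_delegations(rng):
            if zone not in domains:
                result[zone] = "no-domain"   # rev-srv exists, no domain object
            elif ns_set(rev_srv) == ns_set(domains[zone]):
                result[zone] = "match"       # NS sets agree exactly
            else:
                result[zone] = "mismatch"    # rev-srv disagrees with nserver
    return result

# Constructed sample data: inetnum range -> rev-srv values
SAMPLE_INETNUMS = {
    "10.2.0.0 - 10.3.255.255": ["ns1.example.net", "ns2.example.net"],  # a /15
    "192.0.2.0 - 192.0.2.255": ["ns1.example.net."],                    # a /24
    "198.51.100.0 - 198.51.100.127": ["ns1.example.net"],               # a /25
}
# Constructed sample data: reverse domain object -> nserver values
SAMPLE_DOMAINS = {
    "2.10.in-addr.arpa": ["NS2.EXAMPLE.NET", "ns1.example.net."],
    "3.10.in-addr.arpa": ["ns1.example.org"],
}

if __name__ == "__main__":
    for zone, status in compare(SAMPLE_INETNUMS, SAMPLE_DOMAINS).items():
        print(f"{zone:24} {status}")
```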