Implementation of ARIN's Lame DNS Delegation Policy
Edward Lewis, Research Engineer
ARIN
June 3, 2003 NANOG 28

Abstract
The membership of ARIN has approved a policy to curb lame delegations
The staff is implementing it and has already seen a reduction
This presentation will outline the policy, results, and how ARIN is interacting with registrants and registries

Background
MAR 2002 – Proposed on ARIN ppml (list)
APR 2002 – Discussion at ARIN IX
JUN 2002 – Measured extent of problem
SUM 2002 – Discussion on email lists
OCT 2002 – Discussion at ARIN X
NOV 2002 – Policy adopted
DEC 2002 – Implementation activity begins

Policy Summary
Four Phases
• Test
  • Identify Lame Delegation
• Attempt Contact (at each step: If No Contact, Proceed to Next Step)
  • E-mail the network POC
  • E-mail the ASN POC
  • Telephone the network or ASN POC
  • Postal Mail the network or ASN POC
• Evaluate
  • Wait 30 Days
  • Delegation Declared Lame
• Remove Delegation
  • Update Record
    • Remove NS Delegations
    • Update WHOIS Record
      • Delegation Determined to be Lame
      • Evaluation Date of the Lame Delegation
      • Contact has been Attempted Unsuccessfully
      • Date Record Updated

Lame Delegation Test
• Query for SOA record of zone
• Try all IP addresses for each server of zone
• In response, flag as lame if:
  • No Authoritative Answer (AA) bit set
  • AA bit set, but an empty answer section
  • AA bit set, but answer is not an SOA record

What is Not Flagged
• Not flagged as lame in this round of testing:
  • No IP address for name server
  • No answer from server
• This will be flagged in the future

Timeline
• 15 Feb: Test
• 4-6 Mar: 1st Notice
• 13 Mar: Test
• 18-20 Mar: 2nd Notice
• 27 Mar: Test
• 12 May: Test
• 15 May: Notice
• 30 May: Test
Notify Network POC
Notify Autonomous System POC

Zone Results
Date     Zones Checked   Flagged for Lameness
13 Feb   198,213         55,281
27 Mar   55,281          35,944
12 May   55,281          28,735
30 May   55,281          34,625

Server Results
13 Feb findings, percentage of servers
• 77% not flagged as lame (good OR no address/answer)
• 19% Authoritative Answer bit set to 0
• 4% with empty answer section
• <1% with a non-SOA answer (CNAME)

Notification Results
             Telephone   Email
1st Notice   125         119
2nd Notice   91          141
3rd Notice - approx. 150 calls in first few days

Help Desk Actions
• Determine the problem/exact question
• Use "Lame" tool, BIND's dig tool
• Review results with registrant
• Explain expected results
• Walk through steps to correct ARIN DB entry
• Refer registrant for further assistance:
  • Their local support
  • Vendor of their name server
  • BIND documentation (if using a BIND server)

Observations
• People are interested
  • Want to correct problem
  • Want to know what this is about
• Based on feedback from community: http://www.arin.net/registration/lame_delegations/index.html
This will be a deliberate process

Next Steps
Continue notification as per policy
Update database information
Continue testing for lameness
Identify engineering issues with testing
Identify implementation issues
Share experiences with other registries

Email Addresses
• Discussions of lame delegations are happening in other regions too
  • APNIC SIG on DNS issues <sig-dns.lists.apnic.net>
  • RIPE DNS Working Group <dns-wg.ripe.net>
• Tool-specific mailing lists
• My address: [email protected]