Implementation of ARIN's Lame DNS Delegation Policy
Edward Lewis
Research Engineer
ARIN
June 3, 2003, NANOG 28

Abstract
• The membership of ARIN has approved a policy to curb lame delegations
• The staff is implementing it and has already seen a reduction
• This presentation will outline the policy, results, and how ARIN is interacting with registrants and registries

Background
• MAR 2002 – Proposed on ARIN ppml (list)
• APR 2002 – Discussion at ARIN IX
• JUN 2002 – Measured extent of problem
• SUM 2002 – Discussion on email lists
• OCT 2002 – Discussion at ARIN X
• NOV 2002 – Policy adopted
• DEC 2002 – Implementation activity begins

Policy Summary
Four Phases
• Test
    • Identify Lame Delegation
• Attempt Contact (If No Contact, Proceed to Next Step)
    • E-mail the network POC
    • E-mail the ASN POC
    • Telephone the network or ASN POC
    • Postal Mail the network or ASN POC
• Evaluate
    • Wait 30 Days
    • Delegation Declared Lame
• Remove Delegation
    • Update Record
        • Remove NS Delegations
        • Update WHOIS Record
        • Delegation Determined to be Lame
        • Evaluation Date of the Lame Delegation
        • Contact has been Attempted Unsuccessfully
        • Date Record Updated

Lame Delegation Test
• Query for SOA record of zone
• Try all IP addresses for each server of zone
• In response, flag as lame if:
    • No Authoritative Answer (AA) bit set
    • AA bit set, but an empty answer section
    • AA bit set, but answer is not an SOA record

What is Not Flagged
• Not flagged as lame in this round of testing:
    • No IP address for name server
    • No answer from server
• This will be flagged in the future
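
The test on the two slides above, as an added example (not ARIN's tool and not code from the presentation): it parses a raw DNS reply to an SOA query, applies the three lame conditions, and returns one result per server address tried. The zone name, addresses and replies are constructed, and counting any SOA record in the answer section as an SOA answer is an assumption. How per-server results combine into a verdict for the zone is not stated on the slides, so the example does not compute one.

```python
import struct

SOA, CNAME, AA = 6, 5, 0x0400   # RR type codes and the header AA flag (RFC 1035)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]               # step over one length-prefixed label
    return off + (2 if msg[off] else 1)   # 2-byte pointer or 1-byte root label

def classify(reply):
    """Apply the slide's lameness conditions to one raw reply to an SOA query."""
    if reply is None:                     # no answer: not flagged in this round
        return "not flagged: no answer"
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", reply[:12])
    if not flags & AA:
        return "lame: AA bit not set"
    if an == 0:
        return "lame: AA set, empty answer section"
    off, types = 12, []
    for _ in range(qd):                   # skip question: name, QTYPE, QCLASS
        off = _skip_name(reply, off) + 4
    for _ in range(an):                   # record the type of each answer RR
        off = _skip_name(reply, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    # Assumption: any SOA record in the answer section counts as an SOA answer.
    return "ok" if SOA in types else "lame: AA set, answer is not an SOA"

def check_zone(replies):   # one result per address tried; no zone-level verdict
    return {addr: classify(raw) for addr, raw in replies.items()}

def _name(s):
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\0"

def sample_reply(aa, answers, zone="2.0.192.in-addr.arpa"):
    """Build a constructed reply; answers is a list of (rtype, rdata) pairs."""
    msg = struct.pack("!6H", 1, 0x8000 | (AA if aa else 0), 1, len(answers), 0, 0)
    msg += _name(zone) + struct.pack("!HH", SOA, 1)
    for rtype, rdata in answers:          # owner = pointer to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg
# Constructed sample data: documentation-range addresses, made-up SOA fields.
_SOA = _name("ns1.example") + _name("admin.example") + struct.pack("!5I", 1, 2, 3, 4, 5)
SAMPLES = {"192.0.2.1": sample_reply(True, [(SOA, _SOA)]),
           "192.0.2.2": sample_reply(False, []),
           "192.0.2.3": sample_reply(True, []),
           "192.0.2.4": sample_reply(True, [(CNAME, _name("other.example"))]),
           "192.0.2.5": None}
```

Calling `check_zone(SAMPLES)` gives one result per address: a good server, each of the three lame conditions, and the no-answer case that this round of testing leaves unflagged.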

Timeline
• 15 Feb – Test
• 4-6 Mar – 1st Notice
• 13 Mar – Test
• 18-20 Mar – 2nd Notice
• 27 Mar – Test
• 12 May – Test
• 15 May – Notice
• 30 May – Test
Legend: Notify Network POC; Notify Autonomous System POC

Zone Results
Date      Zones Checked   Flagged for Lameness
13 Feb    198,213         55,281
27 Mar    55,281          35,944
12 May    55,281          28,735
30 May    55,281          34,625

Server Results
13 Feb findings, percentage of servers
• 77% not flagged as lame (good OR no address/answer)
• 19% Authoritative Answer bit set to 0
• 4% with empty answer section
• <1% with a non-SOA answer (CNAME)

Notification Results
              Telephone   Email
1st Notice    125         119
2nd Notice    91          141
3rd Notice    approx. 150 calls in first few days

Help Desk Actions
• Determine the problem/exact question
• Use “Lame” tool, BIND’s dig tool
• Review results with registrant
• Explain expected results
• Walk through steps to correct ARIN DB entry
• Refer registrant for further assistance:
    • Their local support
    • Vendor of their name server
    • BIND documentation (if using a BIND server)

Observations
• People are interested
• Want to correct problem
• Want to know what this is about
• Based on feedback from community: http://www.arin.net/registration/lame_delegations/index.html
• This will be a deliberate process

Next Steps
• Continue notification as per policy
• Update database information
• Continue testing for lameness
• Identify engineering issues with testing
• Identify implementation issues
• Share experiences with other registries

Email Addresses
• Discussions of lame delegations are happening in other regions too
• APNIC SIG on DNS issues <sig-dns.lists.apnic.net>
• RIPE DNS Working Group <dns-wg.ripe.net>
• Tool-specific mailing lists
• My address: [email protected]