What DNS Is Not

Edward Lewis Ed.Lewis at neustar.biz
Tue Nov 10 00:59:58 UTC 2009

At 0:32 +0000 11/10/09, bmanning at vacation.karoshi.com wrote:

>	not being Paul, it's rude of me to respond - yet you posted this
>	to a public list ... so here goes.
>	Why do you find your behaviour in your domains acceptable and yet the
>	same behaviour in others' zones to be "a Bad Thing"...

Not being anyone who has posted on this thread on a public list...

I agree that the rules for what is acceptable in the operations of 
DNS zones vary from zone to zone.  This is because of the different 
relationships between the zone administrator and the entities 
represented in the zone and the different relationships between the 
zone administrator and the relying parties.

(I'm just going to pick on one "reason.")

For the root zone or a TLD (which themselves have differences) the 
relationships tend to be global, multilingual, etc.  Stability and 
coherence here are vital for operations, because as you know being in 
"operations" really means "handling outages." Once a problem pops up, 
it might take a while (hours, days) to go from report to root cause 
analysis to long-term fix.  If the root and TLDs have lots of "bells 
and whistles" then, well, this is hard, so the root and TLDs are kept 

For a zone "lower in the stack" assumptions are different.  Generally 
speaking, the zone represents a single entity (a government agency, 
store, school) who will have a varying degree of active management of 
what is in the zone.  They may even be able to "roll back" to some 
point in time and see what is in the zone.  On-the-fly response 
generation is even acceptable because they can see what misled 
someone, etc. (if the zone is properly run).  And by on-the-fly I am 
including wildcard-generated answers, calculated answers or answers 
based on source of the request, etc., and other demographics or 
current load measures.

As far as relying parties, think about "who do I call?" when I can't 
get through.  They have two obvious choices - their ISP or the 
organization they want to reach.  Calls will end up with the ISP if 
the issue is high up in the zone, calls might get to the organization 
if the problems are lower in the tree.   (Because perhaps they got to 
the main web page but not to the department page.)

This is just one reason why it's reasonable to manage different DNS 
zones differently, why the "rules" don't apply the same everywhere. 
There are many other reasons.  But this is a public list.

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.

More information about the NANOG mailing list