Cloudflare reverse DNS SERVFAIL, normal?

Owen DeLong owen at delong.com
Tue Aug 30 21:39:10 UTC 2016


> On Aug 29, 2016, at 17:01 , Mark Andrews <marka at isc.org> wrote:
> 
> 
> In message <20160829234737.GA16137 at cmadams.net>, Chris Adams writes:
>> Once upon a time, Mark Andrews <marka at isc.org> said:
>>> The following is general and is not directed at Cloudflare.  I know
>>> some people don't think errors in the reverse DNS are not critical
>>> but if you are delegated a zone it is your responsablity to ensure
>>> your servers are correctly serving that zone regardless of where
>>> it is in the DNS heirarchy.  Failure to do that causes additional
>>> work for recursive servers.  If you don't want to serve a zone then
>>> remove the delegation.
>> 
>> You are assuming that an authoritative server operator has some way to
>> know all the zones people delegate to their servers, and remove such
>> delegations if they don't want to handle them.  That is a wrong
>> assumption.
> 
> They have methods.  They choose not to use them.  See RFC 1033
> COMPLAINTS then after that the court system.
> 
> Mark

Let us review this and compare to your statement…

From RFC 1033:
> COMPLAINTS
> 
>    These are the suggested steps you should take if you are having
>    problems that you believe are caused by someone else's name server:
> 
> 
>    1.  Complain privately to the responsible person for the domain.  You
>    can find their mailing address in the SOA record for the domain.
> 
>    2.  Complain publicly to the responsible person for the domain.
> 
>    3.  Ask the NIC for the administrative person responsible for the
>    domain.  Complain.  You can also find domain contacts on the NIC in
>    the file NETINFO:DOMAIN-CONTACTS.TXT
> 
>    4.  Complain to the parent domain authorities.
> 
>    5.  Ask the parent authorities to excommunicate the domain.

1.	Doesn’t really apply in a situation where someone has pointed
	an NS record for a domain at your server without warning. There
	is no SOA record from which to retrieve said mailing address.

	Also doesn’t work very well in cases where the SOA record does
	not contain a valid email address that reaches someone.

2.	Do we really want NANOG buried in “Will the
	@#@[email protected][email protected]$% who delegated XYZ.COM <http://xyz.com/> NS Records to point to
	my servers <name> and <name> please cease and desist?”
	messages? Personally, I vote no.

3.	The NIC? Please explicate Mr. Andrews what that would mean
	in the modern era. Please cover both the normal case and
	the cases where domain privacy is configured.

4.	This might _MIGHT_ actually work, but I suspect that $REGISTRY
	is unlikely to help much when $REGISTRAR accepted an NS record
	from one of their customers for a domain they registered
	that happens to point to your server. Similarly, I suspect
	$REGISTRAR is going to tell you that they won’t make changes
	without authorization from the domain owner.

5.	I suspect that success in this effort will likely parallel
	the level of success I would expect in step 4.

So, now that we’ve realized that RFC-1033 is utterly useless in this
context and badly outdated to boot, let’s review your other suggestion…


“… after that [sic] the court system.”

[sic] refers to the missing comma.

So let me see if I understand correctly.

I run a pair of nameservers. Let’s call them ns1.company.com <http://ns1.company.com/> and ns2.company.com <http://ns2.company.com/>

Someone registers example.com <http://example.com/> and points NS records in the COM zone at my
nameservers.

I’m now supposed to seek judicial relief in order to compel them to stop
doing that?

Small claims doesn’t process claims seeking injunctive relief. I suppose I could
use a $1,500 or even $5,000 small claims case as a way to get their attention,
but that’s kind of an abuse of the process. If I want an injunction, at least
in California, I have to go to Superior court.

Now, first, we have to figure out jursidiction. As a general rule, jurisdiction
goes to the court which is responsible for the locale in which the event takes
place or where the contract was entered into, or the jursidiction set by the
contract. In this case, there’s no contract, so we have to look at where the
event in question occurred. The problem is that the law hasn’t really caught
up with technology in this area and depending on who ends up being parties
to the suit, the definition gets pretty murky at best. Is it the primary
office of the registry? The registrar? The registrant? The location of the
nameserver(s) which are erroneously pointed to? (What if they are anycast
all over the world?) The business address of the operator or owner of those
nameservers? Where, exactly do we file this suit?

The next problem we have is who to sue. Do we sue the domain registrant? The
registrar they used to register the domain name? etc.

Yeah, I don’t think there’s enough possibility of any sort of recovery to
make that worth the effort or expense.

Owen




More information about the NANOG mailing list