[Community-Discuss] Yet more data base problems/inconsistancies
Ben Maddison
benm at workonline.africa
Mon Nov 30 01:33:19 UTC 2020
Hi Ronald,

On 11/28, Ronald F. Guilmette wrote:
> My apologies for having failed to report to this recent message
> sooner.
>
> In message <9E14BB14-159B-4877-A1F6-3B436FF8832D at afrinic.net>,
> AFRINIC Communication <comms at afrinic.net> wrote:
>
> >Following your inquiry regarding the existence of inconsistencies
> >between reverse DNS delegation records within the WHOIS Database and the
> >published RDNS zone files at ftp://ftp.afrinic.net/pub/zones/ directory,
> >we have carried out further analysis and below are the findings.
> >
> >1. This situation is a result of the presence of overlapping records
> >in the WHOIS Database. The script that picks and publishes to the ftp
> >picks only the reverse DNS domain covering the less specific prefix, for
> >instance with reference to the example provided, the ftp file contains
> >the record for 203.196.in-addr.arpa and not any other more specific
> >reverse DNS records such as 35.203.196.in-addr.arpa
> >
> >2. These overlapping records are historical and date back to the
> >period between 2004 - 2007 and the whois at that time did not have the
> >checks that guard against creation of these overlaps.
> >
> >The issue regarding the existence of these overlaps in the WHOIS
> >Database was raised by staff during the first database working group
> >session at AIS-19 in Kampala, for the best way forward on resolving this
> >and the consensus was that nothing should be done. The DBWG session
> >report is available here:
> >
> >https://lists.afrinic.net/pipermail/dbwg/2019-June/000140.html
> >
> >Going forward, we intend to ensure that these overlapping records are
> >cleared and no longer present inconsistencies.
>
> I'm sorry, but I must take issue, in a modest way, with this chosen
> resolution.
>
> I believe that you have explained the "issue" of the "overlapping"
> reverse DNS delegations clearly, but I am not persuaded that there
> is actually any problem here, other than that some of the AFRINIC
> reverse DNS delegations were not being represented in the public
> AFRINIC zone file(s).
>
> I must ask the question: Why should it be considered to be either "bad"
> or even "a problem" if AFRINIC maintains reverse DNS delegations for,
> say, some /16 and also and separately, maintains a different reverse
> DNS delegation for some particular /24 block which is a part of that
> larger containing /16 block?
>
This seems fairly clear, to me at least, that having delegations at the
same authoritative nameserver for a subdomain and a
subdomain-of-a-subdomain is problematic.

Consider:

    ns-a delegates foo.example.com to ns-b
      and bar.foo.example.com to ns-c
    ns-b delegates bar.foo.example.com to ns-d

Who is authoritative for host.bar.foo.example.com?

I haven't checked whether this is permitted by the RFCs, but even if it
is, it seems like a readily avoidable recipe for breakage. And one
without an obvious benefit that I can see.

Maybe someone here knows the answer definitively?
Or can think of a use-case that would require this kind of a delegation?

Cheers,

Ben
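
Added example, not part of the original message or of AFRINIC's tooling: a Python check that finds the overlapping reverse DNS domains discussed in this thread and lists what a publisher keeping only the less specific name would emit. The function names and every sample name other than the two quoted in the thread are constructed for illustration.

```python
# Constructed sample of reverse DNS domain names; only the first two
# appear in the thread, the rest are made up for the example.
SAMPLE_DOMAINS = [
    "203.196.in-addr.arpa",
    "35.203.196.in-addr.arpa",
    "10.41.in-addr.arpa",
    "7.20.41.in-addr.arpa",
    "20.41.in-addr.arpa",
]


def _labels(name):
    """Normalise a domain name to a tuple of lowercase labels."""
    return tuple(name.rstrip(".").lower().split("."))


def find_overlaps(domains):
    """Return sorted (less_specific, more_specific) pairs.

    Comparison is done label by label, so 3.196.in-addr.arpa is not
    mistaken for a parent of 203.196.in-addr.arpa.
    """
    known = {_labels(d): ".".join(_labels(d)) for d in domains}
    pairs = []
    for labels, name in known.items():
        # Every proper suffix of the label tuple is a candidate ancestor.
        for i in range(1, len(labels)):
            parent = known.get(labels[i:])
            if parent is not None:
                pairs.append((parent, name))
    return sorted(pairs)


def less_specific_only(domains):
    """Names left after dropping every domain covered by another one,
    i.e. the behaviour the thread attributes to the publishing script."""
    shadowed = {child for _, child in find_overlaps(domains)}
    names = [".".join(_labels(d)) for d in domains]
    return [n for n in names if n not in shadowed]


if __name__ == "__main__":
    for parent, child in find_overlaps(SAMPLE_DOMAINS):
        print(f"overlap: {child} is inside {parent}")
    print("published:", less_specific_only(SAMPLE_DOMAINS))
```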