
Re: draft-ietf-nat-protocol-complications-02.txt

2000-04-25 12:40:04
It is a problem of a lack of a well-designed user interface in the DNS packet.
DNS, from the beginning, has presented a tool more than a product.
Most of my friends who handle DNS create some Perl scripts or the like.
Or they try to use something from the public domain, but sometimes it is not adequate.

  Also, miscommunication between IP provider and customer takes a big
toll: one of my friends hasn't been able to get the right NS address records
for a long time because they are "illegally" cached at some provider's point
and nobody knows where.

                       - Leonid Yegoshin.

-------------------------------------------------------------------
From: Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu

On Tue, 25 Apr 2000 08:18:20 PDT, Bill Manning said:
      The 2q2000 data for the in-addr tree shows 77402 unique
      servers answering for 693,337 zones.
      19515 servers blocked/refused data. Of the 57887 that
      answered, these are the numbers for improper configuration:

      BAD_SERVER:     4278
      FORMERR:        8
      NXDOMAIN:       28

      So, of the 57,887 visible servers, 4314 are improperly configured
      in the visible in-addr.arpa. tree.  That's 7.45% of the
      servers being "not well maintained".  I know of no similar data

Does "not well maintained" include the following:

1) DNS server for the zone is originally configured correctly, and the
first 20-30 hosts are entered with a proper A record and a PTR that matches.

2) Clueful guy leaves, new DNS "goo-roo" takes over, and adds the next 300
machines with just an A record, and no PTR matching.  The checks you make
would show this as "well maintained", even though 90% of the hosts are broken
with respect to PTR entries.

Given that 7% of the sites can't get past step (1), I'm willing to bet that
a lot MORE of the sites are accumulating cruft under step (2).


From: Jeffrey Altman <jaltman(_at_)columbia(_dot_)edu>
% DNS reverse lookup tables (PTR) are not as well maintained as forward
% lookup tables (A) so they're even less reliable.

      This is an assertion that I've heard over the years
      and I've come to believe (based on regular audits of
      the in-addr space) that this is an Internet equivalent
      of an urban legend.  I'd really like to see your backing
      data on this.

This is hardly an urban legend.  Columbia University requires the
use of tcpwrappers in Paranoid mode which requires that the forward
and reverse lookups for an IP address in DNS match.  The Kermit
Project is based at Columbia University and uses its systems for
our FTP and HTTP access.  A week does not go by when we do not
get complaints about people being unable to access our FTP server
due to a failure of the forward and reverse to match.

Just from the first 8 hours of logs today:

 proxauth3-bb2.globalintranet.net != 212.234.59.254
 hide193.nhs.uk != 195.107.47.193
 marta-c-gw.caravan.ru != 212.24.53.234
 su9127.eclipse.co.uk != 212.104.136.138

Granted this is hardly a scientific study.  But we see this from
approximately a dozen new addresses every day.
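The check behind both complaints above can be written down concretely. The following is an added example, not code from the thread or from tcp_wrappers: it reproduces the PARANOID rule (the PTR for an address must name a host whose A records include that address) and then runs it over a whole forward zone to catch Valdis's step (2), hosts added with an A record and no matching PTR. The forward and reverse tables are constructed sample data using example addresses, standing in for real resolver queries; the mismatch strings are modelled on the "name != ip" lines quoted in the message.

```python
"""Forward-confirmed reverse DNS (tcp_wrappers PARANOID-style) checks
over in-memory zone data.  Added example; the FORWARD and REVERSE
tables below are constructed and stand in for live DNS lookups."""
import ipaddress

# Constructed forward zone: A records, name -> address.
FORWARD = {
    "host1.example.net": "192.0.2.1",
    "host2.example.net": "192.0.2.2",
    "host3.example.net": "192.0.2.3",   # A record only, no PTR (step 2 case)
    "gw.example.net":    "192.0.2.4",   # PTR exists but names a different host
}

# Constructed reverse zone: PTR records, address -> name.
REVERSE = {
    "192.0.2.1": "host1.example.net",
    "192.0.2.2": "host2.example.net",
    "192.0.2.4": "router.example.net",  # stale name, no A record points back
    "192.0.2.5": "ghost.example.net",   # PTR for a host that no longer exists
}


def ptr_name(ip):
    """Owner name a resolver queries for the PTR of an IPv4 address."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def lookup_ptr(ip, reverse=REVERSE):
    """PTR lookup against the constructed reverse table (None if absent)."""
    return reverse.get(ip)


def lookup_a(name, forward=FORWARD):
    """A lookup against the constructed forward table.
    Returns a set because a real name may have several A records."""
    addr = forward.get(name)
    return {addr} if addr else set()


def paranoid_check(ip, forward=FORWARD, reverse=REVERSE):
    """The PARANOID rule: reverse-map ip, then forward-map the result and
    require that ip is among the answers.  Returns (ok, detail), where
    detail is the accepted name or the reason for rejection."""
    name = lookup_ptr(ip, reverse)
    if name is None:
        return False, "no PTR"
    if ip not in lookup_a(name, forward):
        # Same shape as the lines logged by the FTP server in the thread.
        return False, f"{name} != {ip}"
    return True, name


def audit_forward_zone(forward, reverse):
    """Valdis's step (2): walk every A record and report the hosts whose
    address would fail the PARANOID check.  Returns name -> reason."""
    problems = {}
    for name, ip in forward.items():
        ok, detail = paranoid_check(ip, forward, reverse)
        if not ok:
            problems[name] = detail
    return problems


def audit_reverse_zone(forward, reverse):
    """The other direction: PTRs whose name has no A record pointing back
    at the address (stale or mistyped reverse entries).  Returns ip -> name."""
    return {ip: name for ip, name in reverse.items()
            if ip not in lookup_a(name, forward)}


if __name__ == "__main__":
    for ip in sorted(REVERSE) + ["192.0.2.3"]:
        print(ptr_name(ip), paranoid_check(ip))
    print("forward zone problems:", audit_forward_zone(FORWARD, REVERSE))
    print("reverse zone problems:", audit_reverse_zone(FORWARD, REVERSE))
```

Pointing the two lookup functions at a real resolver instead of the dictionaries turns `audit_forward_zone` into the audit Valdis describes: it measures the fraction of a zone's hosts that a PARANOID wrapper would reject, which Bill Manning's per-server survey of in-addr.arpa cannot see.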