I have no answer, but I can see similar problems. Even though all
nameservers are reporting the same SOA serial, the answers are
different for the question "dnc.net.nz IN NS":

[***@ganesh]% for n in 1 2 3 4 5 6 7; do
for> echo -n "ns${n}: "
for> dig @ns${n}.dns.net.nz net.nz SOA +short
for> dig @ns${n}.dns.net.nz dnc.net.nz NS +norec +short
for> done
ns1: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800
3600
ns2: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800
3600
ns3: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800
3600
ns4: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800
3600
ns2.actrix.co.nz.
internetnz.net.nz.
ns1.actrix.co.nz.
ns5: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800
3600
ns6: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800
3600
ns7: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800
3600
ns2.actrix.co.nz.
internetnz.net.nz.
ns1.actrix.co.nz.
[***@ganesh]%

I only get answers from ns4 and ns7. You got an answer from n6, but
that's quite possibly a different ns6 from the one I was using (ns5 and
ns6 are anycast by UltraDNS).

I'd AXFR the zones from each server and diff them, but of course I
can't. Shame that. (If the poor thinking that drove that policy was
removed, we might actually be able to deploy DNSSEC in New Zealand,
too).


Joe

That's because they don't have "useful information". They have
delegations to name servers that do.

Let's look at a NS4's actual response to your query:


$ dig dnc.net.nz. NS @ns4.dns.net.nz

; <<>> DiG 8.3 <<>> dnc.net.nz. NS @ns4.dns.net.nz
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20937
;; flags: qr rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;; dnc.net.nz, type = NS, class = IN

;; ANSWER SECTION:
dnc.net.nz. 1D IN NS ns2.actrix.co.nz.
dnc.net.nz. 1D IN NS internetnz.net.nz.
dnc.net.nz. 1D IN NS ns1.actrix.co.nz.

;; ADDITIONAL SECTION:
ns2.actrix.co.nz. 1D IN A 203.96.16.36
ns1.actrix.co.nz. 1D IN A 203.96.16.35


The NS records are placed in the answer section of the response, and
'host" considers these answers, although note that the 'aa' flag
(authoritative answer) is not set. That's because delegation
information is not considered authoritative; if you want an
authoritative answer for the NS records of dns.net.nz, you should ask
(according to this answer) one of ns2.actrix.co.nz, internetnz.net.nz or
ns1.actrix.co.nz.

This answer is "wrong". This answer should still be delegating
responsibility for records in the dnc.net.nz domain to the name servers
mentioned in the NS list; the NS records held by ns4.dns.net.nz are
really just to help you find something that has the answer, and thus
they should really be returned in the authority section, not the answer
section, as happens when you look up something else in the delegated
zone such as an address query:


$ dig dnc.net.nz. A @ns4.dns.net.nz

; <<>> DiG 8.3 <<>> dnc.net.nz. A @ns4.dns.net.nz
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4940
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 2
;; QUERY SECTION:
;; dnc.net.nz, type = A, class = IN

;; AUTHORITY SECTION:
dnc.net.nz. 1D IN NS ns1.actrix.co.nz.
dnc.net.nz. 1D IN NS ns2.actrix.co.nz.
dnc.net.nz. 1D IN NS internetnz.net.nz.

;; ADDITIONAL SECTION:
ns1.actrix.co.nz. 1D IN A 203.96.16.35
ns2.actrix.co.nz. 1D IN A 203.96.16.36


NS4 and NS7 run BIND 8, whose logic basically goes, "do I have anything,
anywhere that matches the query? If yes, put the records in the answer
section, otherwise, put any available authority data in the authority
section."

This is different from BIND 9's (more correct) logic, which goes, "is
this domain delegated? If so, just put authority data in the authority
section, and never return data in the answer section." Thus you get the
same format answers for an NS query as for an A query; the NS records
are in the authority section, not the answer section. For example:


$ dig dnc.net.nz. NS @ns1.dns.net.nz

; <<>> DiG 8.3 <<>> dnc.net.nz. NS @ns1.dns.net.nz
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3432
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
;; QUERY SECTION:
;; dnc.net.nz, type = NS, class = IN

;; AUTHORITY SECTION:
dnc.net.nz. 1D IN NS ns1.actrix.co.nz.
dnc.net.nz. 1D IN NS ns2.actrix.co.nz.
dnc.net.nz. 1D IN NS internetnz.net.nz.


NS1, NS2 & NS3 all run BIND 9. NS5 & NS6 are operated by UltraDNS,
which uses their own software but has the same behaviour regarding
delegated responses.

Also, note that in the BIND 9 (and UltraDNS) responses, there are no
additional "glue" address records, because none of the delegated name
servers are within the "dnc.net.nz" domain, and therefore don't actually
need glue. (There's a bunch of reasons why putting in glue where it's
not needed is not a good idea, mostly relating to stale glue data. BIND
8 is rather generous with additional glue.)

Basically, the BIND 8 servers give "answers" to NS records queries when
they don't actually have "answers" to give. All the rest give
delegation responses, just as when faced with a non-NS record (which is
the usual case). It's all working fine. You'll see the same behaviour
in other name servers.

Hope this helps.

-- don

Umm if the reply won't be off-topic, why do you think restricting access to
the entire .nz zone file is a bad thing, and did you put in a submission on
the recent policy review?

There has been numerous examples of scammers using zone data combined with
whois lookups to do mass spams and scams. Doing our bit to make this harder
to do seems a good thing IMO.

Yes DNSSEC is a good thing also. If I have to choose (and in fact have had
to do just that) between DNSSEC and open slather on the zone file, then
minimising the ability of scammers takes first priority. The last big scam
using zone and whois data saw over NZ$500,000 sent to Australia. All the
European ccTLDs (.uk and .de amongst others) are adamant that they also will
not implement DNSSEC (as much as they would like to) uness there is a change
in the protocol which won't allow people to access their zone files.

I'm open for persuasion that the problems fixed by DNSSEC are a bigger
threat than the scams made possible by zone access, but yet to see a
convincing argument.

And yes I know the zone itself doesn't give our registrants data, but it
does give scammers a list of all valid entries, which makes it much much
easier to get all the details through whois.

DPF

One can apply for zone file access, it just isn't something one gets
automatically.
Actually it is the other way around.

Scammers have told us that they use zone files for their scams. This is not
hypothethical - this has happened with the .nz zone before it was
restricted. And those scammers actually went and defrauded .nz registrants
out of hundreds of thousands of dollars by using the zone file to get the
whois data (and yes there is significant rate limiting technology used on
the whois, but there are also scammers who use thousands of zombie machines
to not trigger the restrictions, even if it takes them a couple of months).
The scammers have actually said that the zone file data is very useful to
them, because otherwise they need to do dictionary attacks on the whois, and
they are much much easier to guard against.

I discussed the issue whether DNSSEC benefits outweighed the negatives of
open zone files with the CEO of .uk. He made the very valid (IMO) point
that the volume of complaints they have had about open zone files and whois
leading to domain name scams is some thousand times greater than the number
of complaints they have had (as in actual damage, not just a possibility)
about something which DNSSEC would have fixed.

My hope is that the specs for DNSSEC will either be modified to prevent zone
files being accessible, or that an acceptable patch will be developed, so
DNSSEC can be used on .nz.

But if that doesn't happen, well the way I see it that protecting .nz
registrants from spam and scams which have already costed .nz registrants
hundreds of thousands of dollars (and which did use a zone file), is in the
best interests of the Internet community.

Anyway thanks for elaborating on your reasons.


DPF

I'm assuming we're talking about the root nz zone here.

If you can do a zone transfer on the .nz domain, then you get a list of
all the domains currently setup (basically a list of all nz domains)
You can then walk through that and do a whois for each domain.
Spam heaven...


jfp.

------------------------------------------------------------------------
Jean-Francois Pirus <***@clearfield.com> Senior Software Engineer
Phone (+64-9) 358 2081 Clearfield Software Ltd
Fax (+64-9) 358 2083 4th Floor 8-10 Whitaker Place
Mob (+64-21) 640 779 P O Box 2348 Auckland, New Zealand
------------------------------------------------------------------------

Yes - absolutely. In a zone like .com with 30 million entries, and most
english words, the zone file is not that useful but in a zone of 160,000 it
makes life a lot easier for scammers.

DOF

I think the results speak for themselves. Since the zone file was
restricted there have been far fewer scams using the .nz whois data as the
old zone files out there get more and more stale.

One can never stop scams. One can minimise them though.
ccTLDs discussed this issue at July ICANN. Don't take this as gospel, but I
don't think a single medium or large ccTLD is going to implement DNSSEC
unmodified. In fact the Europeans have said their privacy laws would give
them grief if they do. They, like .nz, are keen to be able to implement
DNSSEC and some of them are working on the patches I referred to. By the
end of the year it may be clear what is happening.


DPF

Just on that point, InternetNZ has just set up a working group
(http://www.dnc.org.nz/story/30180-29-1.html) to review the whois policy.
As far as I know the "great and holy powers that be" don't have any
pre-ordained conclusions as to the outcome, so once they call for it,
submission on desired changes will be most useful.

The whois issue is pretty controversial as internationally free speech
advocates, anti spam forces, law enforcement agencies, consumer and privacy
groups, technical groups all have fairly strong and difficult to reconcile
views on what data should be made available in response to whois queries.

If one did not have address, fax and e-mail data listed in the whois, then
there would be far less of a reason to restrict zone file transfers. But a
lot of people find that whois data very useful for legitimate reasons.
Thuis current policy is to list it all, but restrict bulk access to it, as
best as possible.


DPF

I should point out that there is no barrier to signing the .nz zone itself
as the contents of that zone are well known and public (only 14 records).

The issue is with signing the 2LDs.

It is possible that in a moderated 2LD such as govt.nz, the 2LD community
and moderator might decide that they don't mind their zone file being
accessible (as I suspect almost all govt.nz domains are easily found or
listed anyway), and one could implement DNSSEC just on that 2LD.

DPF

Yep that was exactly that. In fact I facilitated the meeting to recommend
this as policy, and got both INZ and NZRS to sign off on implementing
DNSSEC.

However the issue of DNSSEC allowing the zone file to be revealed only
became apparent at a later stage. This meant that implementing DNSSEC would
breach existing .nz policy. This has caused large number of ccTLDs to state
they can not implement DNSSEC unless it is modified.

To find out how best to resolve this issue, a technical staffer was sent to
the last ICANN meeting to get the latest updates from .nl, Steve Crocker,
other ccTLDs about what is probably and possible. The hope is that as
DNSSEC specs had not been signed off, they could be modified to prevent the
publication of the zone. As I said many ccTLDs said they would absolutely
adopt DNSSEC if this issue could be addressed.

The position of .nz is to wait and see the final shape of DNSSEC, and delay
implementation until this is known.
The problem with this is that geek.nz is unmoderated and that is very
different to a moderated domain. A moderator does effectively speak for
their 2LD registrants. Who speaks for all 500 geek.nz registrants?

Also there could be a significant resistance from registrars to support
DNSSEC, if it only available on 0.3% of .nz domains. And unless there are
Registrars willing to test and implement it, then the Registry can't do
much.

.nz agreed to implement DNSSEC and IPv6 glue to .nz, as requested by various
people last year. It has introduced TSIG for the name servers, it will soon
have Ipv6 glue working and it did agree to implement DNSSEC and had an
implementation schedule drawn up for this. However the zone walking issue
is not a trivial one, and has put a major spanner in the works. If a
solution or workaround to it eventuates, then the original planned
implementation can happen. In the short-term I think we just have to wait
and see what eventuates.

DPF

Sorry to follow up my own post, but in a coincidence of great timing, the
DNC Office has just a few minutes ago announced (at
http://www.dnc.org.nz/story/30188-29-1.html) that feedback on the whois
policy is now able to be made to the working group. A consultation paper is
at http://dnc.org.nz/content/whois_paper_1.html and it covers what
information should be displayed, what query options there should be, and
security & system access issues.


DPF

-----Original Message-----
From: Robert Gray [mailto:***@brockhurst.co.nz]
Sent: Friday, 1 October 2004 7:30 a.m.
The debate about "walking the zone" has centered on whether this is
actually an issue, luminaries such as Joe Abley and Bill Manning have
suggested that it is not. Others, well DPF, has suggested that it is.

-----------------------------------
The debate is much wider than this. It amounts to whether or not a
technical standard circumvents a wider policy issue relating to access to
the zone file and WHOIS data. It is an international debate - although as
far as .nz is concerned it is an issue of local Internet community concern.
There is a tension between those concerned with the technical issues
relating to the DNSSEC standard and those concerned with public policy
issues - the problem plainly arises from a failure on the part of the
standards setters to take the wider policy issues into account...
Unfortunate, but certainly understandable.

Whether .geek.nz should have a difference policy set from the other
unmoderated .nz 2LDs was debated at the time it was established... The
outcome has been well canvassed on this list and I will not repeat it.

The policy relating to release of the .nz zone file has been recently
reviewed and all received views taken into account. The zone file will be
released at the discretion of the NZOC and (ultimately) InternetNZ Council
provided that there is a clear public interest and the party concerned is
prepared to sign up to strict usage criteria.

Timing (not the principle) of DNSSEC implementation is also under constant
review.

All of these matters have been debated in public, there are no hidden
agendas, the only concerns have been the best stewardship of .nz in the
interests of all Internet users and, especially, those reliant on the .nz DN
space

According to Robert Gray:

<quote>That the society wishes to ignore the views, however well informed,
of a "handful of NZNOGers" speaks volumes about the need for industry
membership of InternetNZ. Why pay money to be ignored when you can be
ignored for free.</quote>

To which the only response I can make is that democracy does have its
downside for those who find themselves in the minority.


----
Frank March
Chair, .nz Oversight committee

_______________________________________________
NZNOG mailing list
***@list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

http://www.govt.nz - connecting you to New Zealand central & local government services

Any opinions expressed in this message are not necessarily those of the Ministry of Economic Development. This message and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient or the person responsible for delivery to the intended recipient, be advised that you have received this message in error and that any use is strictly prohibited. Please contact the sender and delete the message and any attachment from your computer.

I've been trying to wind this thread down, but feel I have to respond to
this. This is getting off-topic for which I apologise - I would suggest any
future correspondence be by direct e-mail or transfer to another appropriate
list.

I resent any implication of a view being ignored. I say that as the person
who spent many hours in trying to make sure that the desire of the geek.nz
proponents for IPv6 and DNSSEC did not undermine geek.nz being approved, and
that .nz did make progress on IPv6 and DNSSEC. Hence I have convened
meetnmgs of interested parties, and got policy approved by InternetNZ. I
have continued to take an active interest in both issues, and was very
disappointed when the zone file issue meant that to proceed would have
breached an already existing policy. And I am sure there would be outrage
if INZ dumped an existing long standing policy, without consultation.

There is a world of difference between a view being ignored, and a view not
being agreed with. I've been at meetings of the InternetNZ Council where I
think I was on the losing side of every vote. That's the nature of things.


And the fact that myself and Keith and others actually front up here and
debate issues, rather than the old days where decisions were never debated
in public, is a good thing IMO. It would in fact be easier to just ignore
what people say as Bob suggests, but I think that is a dumb way to operate.
In fact several people have told me that I should not have responded to
Joe's original e-mail saying he disagreed with the zone file policy, but it
is because I wanted to know his views, I streted what has now become a long
thread.

As someone who is not a technical guru, I treat the views of people like Joe
and Andy with a hell of a lot of respect. But that is different from saying
I am going to agree with them automatically. And while they do a hell of a
lot more than me on DNSSEC, I actually know a hell of a lot more than most
people about how spammers and scammers do use zone file data for purposes
which are highly undesirable.


DPF