Human Errors as a Cause of DNS Failure

Simon Waters Simon at wretched.demon.co.uk
Thu Sep 26 20:08:06 UTC 2002


phn at icke-reklam.ipsec.nu wrote:
> 
> How come that a group of admins for an area is so clueless and does
> such a bad job as dns admins seem to do. What other group of
> professionals can get away with a 71.1% error rate ??

Doctors? Aren't medical mistakes the 3rd, 5th or 8th leading
cause of preventable death, depending on whose survey you read?

71% makes a good headline, but not all single points of failure
are an error. One of the zones I pay for has this problem, but
it isn't a significant issue for that zone (yet), at least not
worth the time/effort to put right; when it is, be assured it
will be mirrored elsewhere.

Similarly it isn't clear to me why allowing zone transfer or not
is listed. It might be security through obscurity, but that
doesn't make either option clearly wrong. You get zones that
allow zone transfer and show only the webserver and mail
server, and you get zones which allow zone transfer and list the
IP address (and descriptive name) of every network device in
their company, down to the office laserjets. Even allowing zone
transfer from some could be explained if they use a secondary
service that denies it by default.

Having more nameservers in a zone than in the delegation is
probably counted as an error, and whilst it isn't good form, for
as long as the delegation itself is suitably redundant it is
hardly up there with littering, or leaking private address
space....

Many medical errors only come to light when the patient dies,
complains or switches doctor, and no doubt many are buried.
Similarly most DNS "errors" that don't break a zone won't get
fixed till someone reports them, or a clueful admin appears.

Another interesting point is that this is 2000 zones at random.
I wonder what happens if you weight the sample by usage, as I
expect busier zones are better configured, whereas 2000 zones
at random might well include a lot of low traffic, or even
parked, zones.

Having argued down the figure, I would suggest that things like
allowing recursion, particularly on TLDs and SLDs under country
codes, and failure to follow other guidelines for nameserver
configuration are probably as great or greater sins, and also
widespread.

My own local survey suggested none of my local companies that
manage their own DNS have flawless DNS configurations, whilst a
couple of the leading UK ISPs have near-perfect configurations
for all the zones they manage. So maybe the trouble is not lack
of professionalism, but an unwillingness to use the
professionals*.

My advice to most of those who want to run their own DNS is
"don't, let your ISP do it", and if they respond that they are not
confident in their ISP's ability to do so, I suggest they switch
ISP...

It is worrying how many people trust their Internet connection
to an organisation they wouldn't trust to configure a DNS
server.

 Simon

* Although I did once write to the "DNS Management team" of a
national telephone company of a large industrialised country to
ask if they knew their own company's delegation was lame ;)
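The configuration problems the post touches on (apex NS records that the parent delegation does not list, every delegated nameserver sitting in one network, and a lame delegation) can be checked mechanically once the relevant records are in hand. The following is an added example, not code from the post, from the bind-users list or from BIND itself. Its inputs are constructed sample data: in practice `PARENT_NS` would come from the parent zone's NS RRset for the delegation, `APEX_NS` from the zone's own apex NS RRset, `ADDRESSES` from resolving each nameserver name, and `AUTHORITATIVE` from whether each delegated server answers the zone's SOA with the AA bit set. The prefix-length grouping is an assumption used as a rough stand-in for "same site"; grouping by AS number would be stricter.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed sample inputs (not taken from the post). In practice:
#   PARENT_NS     - NS records the parent zone publishes for the delegation
#   APEX_NS       - NS records the zone itself publishes at its apex
#   ADDRESSES     - addresses each nameserver name resolves to
#   AUTHORITATIVE - whether each delegated server answered the zone's SOA
#                   with the AA bit set (False means a lame server)
PARENT_NS: Set[str] = {"ns1.example.test", "ns2.example.test"}
APEX_NS: Set[str] = {"ns1.example.test", "ns2.example.test", "ns3.example.test"}
ADDRESSES: Dict[str, List[str]] = {
    "ns1.example.test": ["192.0.2.10"],
    "ns2.example.test": ["192.0.2.20"],
    "ns3.example.test": ["198.51.100.5"],
}
AUTHORITATIVE: Dict[str, bool] = {"ns1.example.test": True, "ns2.example.test": False}


def delegation_mismatch(parent_ns: Set[str], apex_ns: Set[str]) -> Dict[str, List[str]]:
    """Names that appear in only one of the two NS sets.

    'only_in_apex' is the case the post describes: more nameservers in the
    zone than in the delegation. 'only_in_parent' is worse, since resolvers
    following the delegation will query a server the zone does not claim.
    """
    return {
        "only_in_parent": sorted(parent_ns - apex_ns),
        "only_in_apex": sorted(apex_ns - parent_ns),
    }


def networks_of(names: Iterable[str], addresses: Dict[str, List[str]],
                v4_prefix: int = 24, v6_prefix: int = 48) -> set:
    """Network prefixes covering the addresses of the given nameservers.

    The prefix lengths are an assumed proxy for 'same site / same upstream';
    a stricter audit would group by AS number instead.
    """
    nets = set()
    for name in names:
        for addr in addresses.get(name, []):
            ip = ipaddress.ip_address(addr)
            prefix = v4_prefix if ip.version == 4 else v6_prefix
            nets.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return nets


def single_point_of_failure(parent_ns: Set[str], addresses: Dict[str, List[str]],
                            v4_prefix: int = 24, v6_prefix: int = 48) -> bool:
    """True if every server the parent delegates to sits in one network
    (or none of them resolve at all, which is also a single failure)."""
    return len(networks_of(parent_ns, addresses, v4_prefix, v6_prefix)) <= 1


def lame_servers(parent_ns: Set[str], authoritative: Dict[str, bool]) -> List[str]:
    """Delegated servers that do not answer authoritatively for the zone."""
    return sorted(ns for ns in parent_ns if not authoritative.get(ns, False))


def audit(parent_ns: Set[str], apex_ns: Set[str], addresses: Dict[str, List[str]],
          authoritative: Dict[str, bool]) -> List[str]:
    """Run the checks and return one human-readable finding per problem."""
    findings: List[str] = []
    if len(parent_ns) < 2:
        findings.append("delegation lists fewer than two nameservers")
    mismatch = delegation_mismatch(parent_ns, apex_ns)
    if mismatch["only_in_apex"]:
        findings.append("apex NS records not in delegation: "
                        + ", ".join(mismatch["only_in_apex"]))
    if mismatch["only_in_parent"]:
        findings.append("delegated servers missing from apex NS: "
                        + ", ".join(mismatch["only_in_parent"]))
    if single_point_of_failure(parent_ns, addresses):
        findings.append("all delegated nameservers share one network prefix")
    lame = lame_servers(parent_ns, authoritative)
    if lame:
        findings.append("lame delegation: " + ", ".join(lame))
    return findings


if __name__ == "__main__":
    for line in audit(PARENT_NS, APEX_NS, ADDRESSES, AUTHORITATIVE):
        print("FINDING:", line)
```

On the sample data the audit reports three findings: ns3 is advertised at the apex but not delegated, both delegated servers live in 192.0.2.0/24, and ns2 is lame. Only the delegated set is used for the single-point-of-failure check, because, as the post notes, extra servers at the apex do nothing for redundancy if the delegation itself is not redundant.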

