Enhancing Reverse DNS Robustness through Effective Implementation of the Lame Delegation Policy

AFRINIC, as the Regional Internet Registry (RIR), is guided by resource management policies in managing its pool of Internet number resources.

These resource management policies are developed through a bottom-up and consensus-based Policy Development Process (PDP). The Internet community, consisting of individuals from different backgrounds, interested in contributing to the proper management of IP number resource policies, uses the bottom-up and consensus-based process to develop the policies.

The set of active policies is collected in the “Consolidated Policy Manual”, and the Policy Development Process, which is a policy in its own right, is documented in Section 3 of this Policy Manual. AFRINIC staff currently use these guidelines when evaluating resource requests and assessing compliance from current and potential Resource Members.

We undertake various initiatives to bring awareness to various stakeholders and increase participation in the policy development process. On 8 June 2023, we held one such initiative through a webinar titled ‘Introduction to the AFRINIC Policy Development Process’ and we hope that the AFRINIC Resource members, network operators as well as Internet enthusiasts who want to be involved in the AFRINIC PDP found it useful.

While most policies target Internet Number Resources management, others address the use of services such as RPKI, reverse DNS and more.

An example of such a policy is the 'Lame Delegation' policy, which was put forward in March 2017. This policy followed the steps outlined in the Policy Development Process (PDP), ultimately achieving consensus within the AFRINIC community. After being ratified by the AFRINIC Board, the policy was implemented in two phases: the first in November 2018, and the second on April 29, 2021.

The goal of the policy proposal is to enhance the robustness of AFRINIC reverse DNS operations by tackling unnecessary queries caused by non-functional reverse DNS registrations. The policy empowers AFRINIC to address this by removing ineffective DNS delegation records from 'domain' objects in the AFRINIC database. If a reverse delegation remains ineffective even after 30 days, and if no nameservers are associated with the domain object, the domain object itself is deleted from the AFRINIC WHOIS database.

Lame DNS delegation arises when an authoritative DNS name server does not adequately respond to queries for a domain name for which it is the designated Start of Authority (SOA). This could be due to one or more of these scenarios:
  • Not responding at all.
  • Responding in some way, but not for the specific domain queried.
  • Responding for the correct domain, but without the authority bit set.
The implementation guidelines for this policy are available here.
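
The three scenarios above can be told apart from the header of the reply to a non-recursive SOA query sent to each listed nameserver. The Python below is an added example, not AFRINIC's lame checker and not code from this post; the function names, the 192.0.2.0/24 documentation zone and the sample replies are constructed, and it inspects only the DNS header and echoed question rather than parsing the answer record.

```python
import struct

QR, AA, RCODE_MASK = 0x8000, 0x0400, 0x000F  # DNS header flag bits (RFC 1035)

def build_soa_query(zone, txid=0x1A2B):
    """Non-recursive SOA query for `zone`, the probe a lameness check sends."""
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 0)   # flags=0: RD cleared
    return header + qname + struct.pack("!2H", 6, 1)   # QTYPE=SOA, QCLASS=IN

def classify(query, response):
    """Map a nameserver's reply (None = timeout) onto the three lame scenarios."""
    if response is None or len(response) < 12:
        return "lame: no response"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "lame: no response"                     # stray packet, not our reply
    question = query[12:]
    echoed = response[12:12 + len(question)]
    if flags & RCODE_MASK or ancount == 0 or echoed.lower() != question.lower():
        return "lame: not answering for this zone"     # REFUSED, SERVFAIL, referral
    if not flags & AA:
        return "lame: answer without authority (AA) bit"
    return "ok"

def sample_reply(query, flags, with_soa=True):
    """Constructed reply for the demo: header, echoed question, optional SOA RR."""
    header = query[:2] + struct.pack("!5H", flags, 1, int(with_soa), 0, 0)
    ptr = b"\xc0\x0c"                                  # compression pointer to QNAME
    rdata = ptr + ptr + struct.pack("!5I", 1, 3600, 600, 86400, 300)
    rr = ptr + struct.pack("!2HIH", 6, 1, 300, len(rdata)) + rdata
    return header + query[12:] + (rr if with_soa else b"")

if __name__ == "__main__":
    q = build_soa_query("2.0.192.in-addr.arpa")        # reverse zone of 192.0.2.0/24
    cases = [
        ("timeout", None),
        ("REFUSED", sample_reply(q, QR | 5, with_soa=False)),
        ("cached answer, RA set, no AA", sample_reply(q, QR | 0x0080)),
        ("authoritative answer", sample_reply(q, QR | AA)),
    ]
    for label, reply in cases:
        print(f"{label:32} -> {classify(q, reply)}")
```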

In this blog, we’ll first look at the situation in relation to non-functional reverse DNS delegations registered in the WHOIS database before the policy was proposed. Subsequently, we will evaluate the changes that occurred after the policy's implementation.

In 2016[1], the AFRINIC WHOIS Database had around 30,000 domain objects with 72,000+ Name Server (NS) records and more than 45% of lame NS records in IPv4 zones and 32% of lame NS records in IPv6. This amounted to around 25% of all domain objects being lame.

In October 2018, there was a noticeable upward trend in the count of lame delegations, reaching approximately 39,000.

We noted that once the first phase of the policy went live, the lame records reduced significantly over the next few months and fluctuated between 13,000 and 16,000 until May 2021. During the first phase, we notified Resource Members that had lame DNS delegations and provided guidance on how to fix the issue.

Additionally, we introduced a lame tool that enables any organisation holding resources within our service region to verify the adequacy of their nameserver configuration. Throughout this timeframe, numerous resource members collaborated with the AFRINIC Member Services team to ensure the accurate setup of their nameservers and domain objects in the AFRINIC whois database.

Through the support desk, over 400 tickets logged by the resource holders were handled by staff.

In April 2021, the second phase of the policy was fully implemented and went live. One month following implementation, notably in May 2021, the numbers dropped by about 9,665 lame delegation records. This consequently led to the deletion of around 3,101 reverse domain names that had all their name servers identified as lame. As of 31 July 2023, we observed that the lame delegation records had further decreased, averaging around 1,700 through the months.

These lame records are presently being managed by 152 resource holders (legacy resource holders and Resource Members) in the AFRINIC whois database. So we looked at the distribution of these lame records according to the type of resource holders. 26% of the lame records are managed by AFRINIC Resource Members and 74% by the legacy resource holders.

After checking the registration date and Contact verified date of the Resource Members, we observed that the Contact verified date for the latter group was on or before November 2021. Among these, 6 members had not verified their contact information at all, while the rest had completed the verification process at least once since 2021. To ensure adherence to our policies, we strongly advise these Resource Members to consider the following precautionary steps:

  • The administrative and technical contacts of the AFRINIC Resource Members need to ensure that their nameservers are properly configured for their reverse zones before registering their domain objects in the AFRINIC whois database.
  • Use the lamechecker tool that is freely available for their use to verify their nameserver configurations.
On the other hand, the lame delegations linked to resources managed by legacy resource holders are not deleted from the AFRINIC whois database. Notifications are sent to their provided email addresses, if available. The legacy resource holders do not have any contractual agreement with AFRINIC and in most cases do not update their contact information. The lame records they create in the whois database remain until they update their records after receiving the lame notifications.

Conclusion

Having noticed a 96% drop in the number of lame delegations from 2018 to date, it is clear that the implementation of this policy has helped reduce misconfigurations that negatively impact DNS stability.

To further reduce lame delegation records in the AFRINIC whois database, resource holders can play their part by maintaining up-to-date contact details and adopting recommended practices for establishing reverse DNS.

For further reading, we recommend the following related links:

Consolidated Policy Manual section 10.7:
https://afrinic.net/policy/manual#lame
Reverse DNS Support Documentation.
DNS troubleshooting best practices are recommended in RFC 1912: https://www.ietf.org/rfc/rfc1912.txt