[Collisions] Mitigating the Risk of DNS Namespace Collisions

Rubens Kuhl rubensk at nic.br
Thu Feb 27 23:41:39 UTC 2014


On 26/02/2014, at 13:08:000, Carsten Schiefner <dotberlin.cs at schiefner.de> wrote:

> All,
> 
> JAS' long awaited report has eventually been published today at:
> 
> http://www.icann.org/en/news/public-comment/name-collision-26feb14-en.htm
> 
> - fruitful digestions.


After digesting it, we have some doubts about 2LD delegation procedures for TLDs that are already delegated at the time this framework becomes active:
1) The wildcard version included the following for A and SRV records:
@ IN SRV 10 10 0 your-dns-needs-immediate-attention 
* IN SRV 10 10 0 your-dns-needs-immediate-attention 
@ IN A 127.0.53.53 
* IN A 127.0.53.53 

But recommendation 7 reads as follows:
"ICANN require registries that have elected the “alternative path to delegation,” rather than a wildcard, instead publish appropriate A and SRV resource records for the labels in the ICANN 2LD Block List to the TLD’s zone with the 127.0.53.53 address for a period of 120 days."

This suggests using 127.0.53.53 on SRV records, not "your-dns-needs-immediate-attention"... which should apply?

2) Consider a delegation system where all names in the blacklist are delegated through NS records to another DNS server; in this case, blockedname.TLD would have NS records and then the other DNS server would respond with 127.0.53.53 for those zones. Does that go against the procedure? My first reading suggests it does not.

3) Consider that the answer to #2 is positive. Could the DNS server respond with a wildcard, possibly an unsigned one since 2LDs are not required to be DNSSEC-signed? Would that fit the purpose of controlled interruption? Again, my first reading suggests it does.

4) Consider that the answer to #3 is negative. What would happen to a query like onename.anothername.yetanothername.blockedname.TLD? If only blockedname.TLD returns 127.0.53.53 but other queries within such SLDs only return NXDOMAIN, wouldn't that defeat the purpose of controlled interruption? I.e., isn't wildcarding at the 2LD and beyond a requirement for this procedure to work comprehensively?


Rds,
Rubens
NIC.br
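To make question 4 concrete, here is an added example of mine (not code from the JAS report, ICANN, or this message) that models how a TLD zone would answer the deep query under each of the configurations discussed, using the RFC 4592 closest-encloser wildcard rule; the TLD "example" and the label "blockedname" are constructed placeholders.

```python
# Added example (not from the JAS report, ICANN, or the poster): a small
# in-memory model of how a TLD zone answers A queries for blocked labels,
# using the RFC 4592 "closest encloser" wildcard rule, so the configurations
# in questions 2-4 can be compared. "example"/"blockedname" are placeholders.
from typing import Dict, Optional

COLLISION_ADDR = "127.0.53.53"  # controlled-interruption address from the report


def _existing_names(zone: Dict[str, str]) -> set:
    """Every owner name plus every ancestor: empty non-terminals also 'exist'."""
    names = set()
    for owner in zone:
        parts = owner.split(".")
        for i in range(len(parts)):
            names.add(".".join(parts[i:]))
    return names


def lookup_a(zone: Dict[str, str], qname: str) -> Optional[str]:
    """A rdata the zone would answer for qname, or None for NXDOMAIN.

    `zone` maps owner names (optionally starting with '*.') to A rdata.
    A wildcard '*.X' matches a name below X only when X is the closest
    existing ancestor of that name; a closer existing name that has no
    wildcard of its own blocks the match, giving NXDOMAIN.
    """
    zone = {k.lower(): v for k, v in zone.items()}
    qname = qname.lower().rstrip(".")
    if qname in zone:
        return zone[qname]  # exact match
    existing = _existing_names(zone)
    parts = qname.split(".")
    for i in range(1, len(parts)):  # walk up: longest proper suffix first
        ancestor = ".".join(parts[i:])
        if ancestor in existing:
            return zone.get("*." + ancestor)  # wildcard here, else NXDOMAIN
    return None  # outside anything this zone knows about


BLOCKED = "blockedname.example"
DEEP = "onename.anothername.yetanothername." + BLOCKED  # the query in question 4
EXACT_ONLY = {BLOCKED: COLLISION_ADDR}  # only the blocked 2LD carries the record
WITH_WILDCARD = {BLOCKED: COLLISION_ADDR, "*." + BLOCKED: COLLISION_ADDR}  # question 3
TLD_WILDCARD = {"example": COLLISION_ADDR, "*.example": COLLISION_ADDR}  # report's wildcard

if __name__ == "__main__":
    for name, zone in (("exact only", EXACT_ONLY), ("2LD wildcard", WITH_WILDCARD)):
        print(f"{name}: {DEEP} -> {lookup_a(zone, DEEP) or 'NXDOMAIN'}")
```

Without a wildcard at or below the blocked 2LD the deep name gets NXDOMAIN, so a resolver never sees the 127.0.53.53 signal; the closest-encloser rule also means any real name published under the 2LD shadows the wildcard for everything beneath it.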