[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)
james at now.ie
Tue Jan 8 16:52:47 UTC 2008
On Tue, Jan 08, 2008 at 03:16:44PM +0000, Paul Vixie wrote:
> i wish that every registry would do this. would it help if BIND had either
> a tool to do this, or a server option to do this in the background?
My gut reaction is it would help only a little. In my experience the main
barrier for this isn't a lack of tools. Existing generic checkers are easily
found. More likely, though, is that something can be written without much
effort to talk to the registry backend and also implement each TLD's own
idea of what tests should be performed. That's not very difficult. Throw a
little perl, python, etc. at the problem.
What made it a serious burden back when I was doing this sort of thing was
dealing with the mostly confused, occasionally irate, queries from domain
contacts who had been notified of their zone's `problem'. A registration had
a zone-contact in addition to a technical-contact but there were many, many
occasions where email sent to either ended up in some CEO's secretary's
inbox, with clueless customer support in a technically indifferent bulk
domain hosting outfit, or with the end customer who would sue me personally
if anything happened to his website (threats of litigation were an
We did a full run two or three times but as the number of delegations grew
it became infeasible to handle the volume of customer queries with a small
and already very busy technical team.
It was policy to run a delegation check when a zone was created and again
for every subsequent modification. We had to leave it at that. You could
probably argue that since we did those checks already the level of noise
created by an unprompted delegation check for our TLD would be at the lower
end of the scale (since we made sure you got things correct at least once,
at initial registration). Registries which have never done this sort of
thing before would probably fare even worse.
Times flies like an arrow. Fruit flies like bananas.
More information about the dns-operations