[dns-operations] Some DNSSEC trivia

Andrew Sullivan andrew at ca.afilias.info
Tue Jan 8 16:56:55 UTC 2008

On Tue, Jan 08, 2008 at 10:25:57PM +1100, Mark Andrews wrote:
> 	Doesn't AFNIC believe in following RFC 1034?
> 	That REQUIRES periodic checks of delegations.
> As the last installation step, the delegation NS RRs and glue RRs
> necessary to make the delegation effective should be added to the parent
> zone.  The administrators of both zones should insure that the NS and
> glue RRs which mark both sides of the cut are consistent and remain so.

Any time I have proposed any checks of this kind, I have been told
(not terribly politely) that the ICANN world (and especially the
registrar-population part of it) considers the management of that DNS
_data_ to be entirely within their purview.  The registry is just
supposed to take whatever data the registrars put in there, subject to
the condition that it must not outright violate the wire protocols in

Doing as you propose would move what is really a policy ("enforce
consistency across zone cuts") from the registrar's area of
responsibility to the registry's area of responsibility.  Since ICANN
registries are contractually forbidden from communicating directly
with registrants, this would create the unhappy situation where
registries would occasionally have the responsibility of making a name
dark without the concomitant ability to contact the registrant in
question in an effort to head off that effect.  Surely "domains seemingly
randomly go dark" is a step backwards in the management of the DNS?

If you want this sort of check to be effected in ICANN-world domains,
then you need to make this a part of either the ICANN accreditation
agreement or all the ICANN-world registry-registrar agreements.  I am
not optimistic about the chances for success in such an undertaking.

I can think of some other things one could do on this front, as well
-- an obvious one would be to publish regular reports of these
problems, for anyone to see, in the hope that domain name registrants
might look at those reports and undertake to fix their records.  But I
think without demand from registrars for this sort of service, it's
never going to happen.


