[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)

Patrik Fältström patrik at frobbit.se
Tue Jan 8 18:46:59 UTC 2008

On 8 jan 2008, at 18.28, Niall O'Reilly wrote:

> 	What you describe seems to match fairly closely something I've
> 	seen out there on the Web.  I'll forward this off-list to the
> 	person involved, as it's for him rather than for me to say anything
> 	about it.

I might be one of the persons that have written such a tool (http://dnscheck.se 
) you think of and I know many other have as well (.SE have rewritten  
my tool in better code, .FR have theirs etc).

But, part from the discussion among DNS-technies of "what is a correct  
delegation", there is also a much more important discussion on what  
responsibility what party has for the delegation. Remember we have in  
many cases not only the registry and the domain name holder, but also  
the registrar and the tech-c (the party running the DNS). And if an  
error is found (by someone), what should happen? Should as a last  
resort the domain be withdrawn?

I have seen these discussions pop up every 2nd year or so though, and  
I think personally that what a registry can do is to check at time of  
registration the correctness of the delegation (note that I am saying  
delegation here, and not registration as I think those are two  
different things). Then the registry can have as a service to check  
the delegation for the registrant. But, that should be an opt in.  
There is nothing as frustrating as a domain name holder that want to  
run a domain a certain way, and that registrant still get pokes from  
the registry on "what is correct" when the registry and registrant  
disagree on what is correct.

We have also had that discussion regarding ENUM, as there are  
legislative rules here and there on the responsibility on call  
completion which suddenly include DNS resolution.

Result has been the same -- noone know what is correct, but having the  
registry "just" checking, warning and penalizing some registrant is  
not the right thing to do. IMHO.


More information about the dns-operations mailing list