[dns-operations] Some DNSSEC trivia

Mark Andrews Mark_Andrews at isc.org
Tue Jan 8 23:30:48 UTC 2008


> On Tue, Jan 08, 2008 at 10:25:57PM +1100, Mark Andrews wrote:
> > 
> > 	Doesn't AFNIC believe in following RFC 1034?
> > 	That REQUIRES periodic checks of delegations.
> > 
> > As the last installation step, the delegation NS RRs and glue RRs
> > necessary to make the delegation effective should be added to the parent
> > zone.  The administrators of both zones should insure that the NS and
> > glue RRs which mark both sides of the cut are consistent and remain so.
> 
> Any time I have proposed any checks of this kind, I have been told
> (not terribly politely) that the ICANN world (and especially the
> registrar-population part of it) considers the management of that DNS
> _data_ to be entirely within their purview.  The registry is just
> supposed to take whatever data the registrars put in there, subject to
> the condition that it must not outright violate the wire protocols in
> question.
> 
> Doing as you propose would move what is really a policy ("enforce
> consistency across zone cuts") from the registrar's area of
> responsibility to the registry's area of responsibility.  Since ICANN
> registries are contractually forbidden from communicating directly
> with registrants, this would create the unhappy situation where
> registries would occasionally have the responsibility of making a name
> dark without the concomitant ability to contact the registrant in
> question in an effort to head off that effect.  Surely "domains seemingly
> randomly go dark" is a step backwards in the management of the DNS?

	The registry *already* have this requirement.  None of them
	became a registry before RFC 1034 was published.  They have
	already bought into the requirement whether they realise
	it or not.

	The requirement is for the check to be performed.  It doesn't
	matter who performs the check.  The registry is required
	to see that they get performed.

	The registry can perform the check and feed the response
	back via the registrar.

	The registrar can perform the check on behalf of the registry.
	
> If you want this sort of check to be effected in ICANN-world domains,
> then you need to make this a part of either the ICANN accreditation
> agreement or all the ICANN-world registry-registrar agreements.  I am
> not optimistic about the chances for success in such an undertaking.

	Or just can ICANN.  If they can't *manage* the DNS
	properly they shouldn't have the job.

> I can think of some other things one could do on this front, as well
> -- an obvious one would be to publish regular reports of these
> problems, for anyone to see, on the hope that domain name registrants
> might look at those reports and undertake to fix their records.  But I
> think without demand from registrars for this sort of service, it's
> never going to happen.  
> 
> A
> 
> -- 
> Andrew Sullivan                         204-4141 Yonge Street
> Afilias Canada                        Toronto, Ontario Canada
> <andrew at ca.afilias.info>                              M2P 2A8
> jabber: ajsaf at jabber.org                 +1 416 646 3304 x4110
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
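
The consistency check from RFC 1034 quoted in this message, as an added example that is not part of the original thread: it compares the NS set and glue held on the parent side of a cut with what the child zone publishes. The function names and the sample records are constructed for illustration, and the records are assumed to have been collected already from the parent and child servers.

```python
import ipaddress

def norm(name):
    """Canonical owner name for comparison: lower case, no trailing dot."""
    return name.rstrip(".").lower()

def in_bailiwick(ns, zone):
    """True when the name server's name sits at or below the delegated zone."""
    ns, zone = norm(ns), norm(zone)
    return ns == zone or ns.endswith("." + zone)

def addr_map(records):
    """name -> set of parsed addresses, so textual IPv6 variants compare equal."""
    return {norm(k): {ipaddress.ip_address(a) for a in v} for k, v in records.items()}

def check_delegation(zone, parent_ns, parent_glue, child_ns, child_addrs):
    """Return a list of findings; an empty list means both sides of the cut agree."""
    p = {norm(n) for n in parent_ns}
    c = {norm(n) for n in child_ns}
    findings = [f"NS {n} only in parent" for n in sorted(p - c)]
    findings += [f"NS {n} only in child" for n in sorted(c - p)]
    glue, auth = addr_map(parent_glue), addr_map(child_addrs)
    for n in sorted(p):
        if not in_bailiwick(n, zone):
            continue  # glue is only needed for names inside the delegated zone
        if not glue.get(n):
            findings.append(f"glue missing for {n}")
        elif n in auth and glue[n] != auth[n]:
            findings.append(f"glue mismatch for {n}")
    return findings

# Constructed sample data (documentation address ranges), not real records.
ZONE = "example.com."
PARENT_NS = ["ns1.example.com.", "ns2.example.com.", "ns.provider.example.net."]
PARENT_GLUE = {"ns1.example.com.": ["192.0.2.1", "2001:DB8::1"],
               "ns2.example.com.": ["192.0.2.2"]}
CHILD_NS = ["NS1.Example.COM.", "ns3.example.com.", "ns.provider.example.net."]
CHILD_ADDRS = {"ns1.example.com.": ["192.0.2.1", "2001:db8:0:0:0:0:0:1"],
               "ns2.example.com.": ["192.0.2.99"],
               "ns3.example.com.": ["192.0.2.3"]}

if __name__ == "__main__":
    for line in check_delegation(ZONE, PARENT_NS, PARENT_GLUE, CHILD_NS, CHILD_ADDRS):
        print(line)
```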


