[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)
mlarson at verisign.com
Wed Jan 9 19:22:41 UTC 2008
On Wed, 09 Jan 2008, Patrik Fältström wrote:
> But, back to what I have found the harder question during the years,
> and that is what should happen if the tests fail? Should the
> delegation be withdrawn?
On Wed, 09 Jan 2008, Mark Andrews wrote:
> I'd say that you give them a grace period to correct the
> faults then withdraw the delegation if the faults are not
> fixed. If you want to be in the DNS then you need to supply
> correctly configured, rfc compliant nameservers.
> If you are incapable of operating a nameserver correctly there
> are companies that are capable of doing it for you.
On Wed, 09 Jan 2008, Paul Vixie wrote:
> ideally the name would continue to be reserved, and held by the registrant,
> but the NS RRs would no longer be published, or would be changed to point
> to a nameserver inside the registry which always returned SERVFAIL. this
> would prevent queries from having to time out, it would give the registry
> a chance to measure the traffic, and it would prevent someone from pirating
> the original nameserver's IP address and thus taking over someone's zone.
Whenever the topic of checking delegations comes up, I am absolutely
astounded that people have reactions such as this: that you actually
seriously think a registry should take action to suspend, revoke, put
on hold or otherwise change a delegation that a customer has paid for.
As Andrew already pointed out, the legal ramifications are
mind-boggling. I could understand such a reaction if the topic were
botnets or fraud or something equivalently serious. But a lame
delegation? Give me a break. It's not hurting anything in the grand
scheme of things. We have much, much bigger fish to fry.