[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)

Matt Larson mlarson at verisign.com
Wed Jan 9 19:22:41 UTC 2008

On Wed, 09 Jan 2008, Patrik Fältström wrote:
> But, back to what I have found the harder question during the years,  
> and that is what should happen if the tests fail? Should the  
> delegation be withdrawn?

On Wed, 09 Jan 2008, Mark Andrews wrote:
> 	I'd say that you give them a grace period to correct the
> 	faults then withdraw the delegation if the faults are not
> 	fixed.  If you want to be in the DNS then you need to supply
> 	correctly configured, rfc compliant nameservers.
> 	If you are incapable of operating a nameserver correctly there
> 	are companies that are capable of doing it for you.

On Wed, 09 Jan 2008, Paul Vixie wrote:
> ideally the name would continue to be reserved, and held by the registrant,
> but the NS RRs would no longer be published, or would be changed to point
> to a nameserver inside the registry which always returned SERVFAIL.  this
> would prevent queries from having to time out, it would give the registry
> a chance to measure the traffic, and it would prevent someone from pirating
> the original nameserver's IP address and thus taking over someone's zone.

Whenever the topic of checking delegations comes up, I am absolutely
astounded that people have reactions such as this: that you actually
seriously think a registry should take action to suspend, revoke, put
on hold or otherwise change a delegation that a customer has paid for.

As Andrew already pointed out, the legal ramifications are
mind-boggling.  I could understand such a reaction if the topic were
botnets or fraud or something equivalently serious.  But a lame
delegation?  Give me a break.  It's not hurting anything in the grand
scheme of things.  We have much, much bigger fish to fry.

