[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)

Mark Andrews Mark_Andrews at isc.org
Wed Jan 9 23:22:51 UTC 2008


> On Wed, 09 Jan 2008, Patrik Fältström wrote:
> > But, back to what I have found the harder question during the years,  
> > and that is what should happen if the tests fail? Should the  
> > delegation be withdrawn?
> 
> On Wed, 09 Jan 2008, Mark Andrews wrote:
> > 	I'd say that you give them a grace period to correct the
> > 	faults then withdraw the delegation if the faults are not
> > 	fixed.  If you want to be in the DNS then you need to supply
> > 	correctly configured, rfc compliant nameservers.
> > 
> > 	If you are incapable of operating a nameserver correctly there
> > 	are companies that are capable of doing it for you.
> 
> On Wed, 09 Jan 2008, Paul Vixie wrote:
> > ideally the name would continue to be reserved, and held by the registrant,
> > but the NS RRs would no longer be published, or would be changed to point
> > to a nameserver inside the registry which always returned SERVFAIL.  this
> > would prevent queries from having to time out, it would give the registry
> > a chance to measure the traffic, and it would prevent someone from pirating
> > the original nameserver's IP address and thus taking over someone's zone.
> 
> Whenever the topic of checking delegations comes up, I am absolutely
> astounded that people have reactions such as this: that you actually
> seriously think a registry should take action to suspend, revoke, put
> on hold or otherwise change a delegation that a customer has paid for.

	The customer has agreed to supply an RFC-compliant nameserver
	and configure it to serve a zone.  The customer is not
	keeping up with their end of the contract.  It is perfectly
	reasonable, if one end is not meeting their requirements, to
	withdraw service after notification to do so.

	This is not "I see an error, turn them off".  This is "I see
	an error, I inform you of the error and give you a reasonable
	period to fix it.  If it is not fixed then I turn you off."

	These errors cause operational problems for your clients'
	clients.  You are doing them a service by turning them off.
	Yes, it is a hard lesson, but once the service is restored
	it will be better for the client than it was before.

> As Andrew already pointed out, the legal ramifications are
> mind-boggling.  I could understand such a reaction if the topic were
> botnets or fraud or something equivalently serious.  But a lame
> delegation?  Give me a break.  It's not hurting anything in the grand
> scheme of things.  We have much, much bigger fish to fry.
> 
> Matt
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org