[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)

Paul Vixie paul at vix.com
Thu Jan 10 00:25:07 UTC 2008


lots of back-and-forth on this, in terms of what standards are written,
which contracts require conformance to what maybe-unwritten standards,
whose costs are greater, and so on.  but nothing to change my mind from
Message-ID <52361.1199812793 at sa.vix.com>, wherein i said:

> i think ICANN has to ask the community what it wants here, and that the
> answer is likely to be "lame delegations are bad" and "inadequate technical
> contact information is bad".  if i'm right about those predictions, then
> contracts and RFCs and whatnot can be crafted to allow a massive cleanup of
> authority DNS data to be done.  (perhaps we can also place an upper limit on
> the number of times a zone's NS RR or a nameserver's A RR can change per
> day, like, say, 1?)
> 
> in other words, don't treat the policies as immutable.  steve crocker's
> ICANN SSAC is full of well meaning busybodies with too much time on our
> hands.  any well reasoned observations/proposal on this topic would get a
> fair hearing, and while it might take a long time before IETF and the ICANN
> board get solid recommendations/results to act on, the fact is, we and the
> internet are going to get that much older in that time whether we're working
> on this or not.

and also:

> what i'm extracting from this thread so far is, we need better tools, and we
> need better policies, if we want to start pulling the weeds in the authority
> DNS field.  (weeds in this context means flakey/lame delegations.)

but i will say that the fearful certainty and doubt about what others will
think (which is the most powerful inertial force on the information super
highway) tells me that if ISC were to focus any tools effort on this, we'd
best do it from the non-registry point of view, that is, the "grass roots".
so, if a registrant wanted BIND to sanity-check all parent delegations for
known zones, and report them locally, that could do a lot of good.  whereas
tools for registries or registrars either won't get used or won't help.  ouch.


