[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)

Mark Andrews Mark_Andrews at isc.org
Thu Jan 10 06:25:05 UTC 2008


> > 	ISC does its part.  We make it very hard to load bad data
> > 	into DNS.  We enforce what is practical to enforce in a
> > 	nameserver.
> 
> maybe we could add an option, defaulting to off, that would have a server
> periodically walk the tree from the root to itself, checking for above/below
> deltas across each delegation, and checking for lameness?
> 
> in other words, are we looking at this wrong, saying that lameness is a
> parent's problem?  maybe if we say it's a child's problem, and do what we
> can to help zone operators run better child zones, our part can be bigger?

	The part of RFC 1034 I quoted puts the responsability on
	*both* parties in the delegation.

	I'm pushing the registries at this stage because they, on
	the whole, have been neglecting their responsabilities.
	There are other nameservers than BIND that are excessively
	permissive or just plain out break compliance.

	Child zone operaters will ignore problem reported to them
	(particularly in logs) until a zone fails to load or a
	delegation is pulled.

	Mark

> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org



More information about the dns-operations mailing list