[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)

Paul Vixie paul at vix.com
Thu Jan 10 06:42:35 UTC 2008

> > in other words, are we looking at this wrong, saying that lameness is a
> > parent's problem?  maybe if we say it's a child's problem, and do what we
> > can to help zone operators run better child zones, our part can be bigger?
> 	The part of RFC 1034 I quoted puts the responsibility on
> 	*both* parties in the delegation.

so you've said.  others think it doesn't mean what you think it means.  still
others say it doesn't matter what it means because parent-driven checks are
not useful in the root, tld, or registry cases, since there's no way to do
parent-driven change or revocation.

what i think is that in the case where a parent has administrative control
over a child in meatspace not just in cyberspace, like isc.org has over
dv.isc.org, then parent-driven checks are useful.  but no matter who your
parent is, child-driven checks are useful.

> 	I'm pushing the registries at this stage because they, on
> 	the whole, have been neglecting their responsibilities.
> 	There are other nameservers than BIND that are excessively
> 	permissive or just plain out break compliance.

if you want to change the rules that registries and registrars have to
follow, for the good of the internet, then you'll have to begin in IETF
DNSOP, since that's who IANA and ICANN will listen to when setting the
requirements during contract renewal.

but note, country code delegations are ungoverned.  countries, having national
autonomy, will do whatever they damn well please, including telling the root
one thing and putting something completely different in their zone apexes.  we
can complain all we want, but ICANN will never have enforcement powers over
country code delegations.  to the extent that some cctld's are "registries",
our best hope is to educate and influence them to do the right thing, which
again depends on IETF DNSOP, and to give them the tools they need to know
whether they and their child zones are doing the right thing, which again
depends on more and better tools with/within ISC BIND.

> 	Child zone operators will ignore problems reported to them
> 	(particularly in logs) until a zone fails to load or a
> 	delegation is pulled.

perhaps if we write some good RFCs and good code, we can get child zone
operators to know what the right thing is, know whether they're doing the
right thing, and know how to do the right thing.  google for "aesop sun and
wind" for more information on this approach i'm recommending.
