[dns-operations] DNS trust dependencies for ICANN TLDs
Matthew Dempsky
matthew at dempsky.org
Thu Jun 11 06:45:30 UTC 2009
On Wed, Jun 10, 2009 at 10:22 PM, John Kristoff <jtk at cymru.com> wrote:
> I find this very interesting work and thank you for taking the time to
> do this. I do hope you automate it so your graphs will be current on
> at least a weekly basis. I think it's a worthwhile thing to do.
Thanks. That was my plan at least. :-)
> This reminds me of the work and discussion that took place related to
> CoDoNS. If you missed it, here are some relevant links:
Ah, interesting. I hadn't seen that before, but it is definitely very
similar. Thanks for pointing it out to me!
> Each of the TLDs are also dependent on the root.
Right. I omitted this because there's little TLD administrators can
do about this, and it would just add redundant clutter to the graphs.
Similarly, once I add second-level domain names, I'll try to make it
clear what dependencies are due to the TLD's configuration vs. the
second-level domain's configuration.
> There are other
> dependencies, such as the routing infrastructure.
Yeah. There are a lot of other dependencies not adequately reflected
by the graph. I'd love to be able to include more, if possible, but I
suspect they're out of the scope I can adequately cover.
> Meanwhile, I
> wouldn't have said "Having implicit trust dependencies is bad". That
> is kind of obvious really.
Yeah. I tried to make the page accessible to people without DNS or
security background. Suggestions on how to better achieve that are
welcome. :-)
> In practice, I don't
> think most if any of the TLDs need to panic over this. I'd recommend
> they review the graphs and consider them carefully, but in my
> estimation a "fix" might not be as dire as your web page calls
> for.
Agreed. Like I mention in the caveats section, .com and .net have
some unnecessary trust dependencies, but they're all controlled by
Verisign; similarly, .org and .info have some unnecessary trust
dependencies, but they're all controlled by Afilias. I'd like to be
able to recognize these TLDs as well, but I don't know a good way to
tell that nstld.com and gtld-servers.net are owned by the same people.
(Of course, there's whois, but each TLD has its own whois output, and
not all are even useful; e.g., .to's.)
> You probably know this, but there are some ccTLDs that use second level
> domains like TLDs, for example, co.uk, ac.uk, etc. They are not
> likely to eliminate a zone just to reduce the dependency graph.
Yeah. And as I mentioned above, I plan to eventually start generating
graphs for them as well. The main issue is I just don't know any way
to automatically enumerate all such second-level domains. (My current
strategy is to maintain a list by hand, but maybe someone here can
offer a better suggestion.)
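As an added illustration (not code from the thread or from the graph generator it discusses), here is a small Python model of the dependency computation described above: a zone depends on its parent zone and on the zones hosting its nameservers, transitively, with the root left out as a dependency common to everything, and an operator map used to separate same-operator dependencies from cross-operator ones. The NS table and operator map are constructed sample data, and falling back to the TLD for hostnames under zones the table does not know is an assumption.

```python
from collections import deque

# Constructed sample NS table (zone -> nameserver hostnames), not live DNS data.
NS = {
    "com": ["a.gtld-servers.net", "b.gtld-servers.net"],
    "net": ["a.gtld-servers.net", "ns.nstld.com"],
    "gtld-servers.net": ["a.gtld-servers.net"],  # in-bailiwick nameserver (glue)
    "nstld.com": ["ns.nstld.com"],
    "org": ["a0.org.afilias-nst.info", "b0.org.afilias-nst.org"],
    "info": ["a0.info.afilias-nst.info", "b0.info.afilias-nst.org"],
    "afilias-nst.info": ["a0.info.afilias-nst.info"],
    "afilias-nst.org": ["b0.org.afilias-nst.org"],
    "xx": ["ns1.xx", "ns.nstld.com"],  # constructed TLD that outsources one nameserver
}

# Constructed operator map (the thread notes there is no automatic source for this).
OPERATOR = {z: "verisign" for z in ("com", "net", "gtld-servers.net", "nstld.com")}
OPERATOR.update({z: "afilias" for z in ("org", "info", "afilias-nst.info", "afilias-nst.org")})
OPERATOR["xx"] = "example-registry"

def zone_of(hostname):
    """Closest enclosing zone of HOSTNAME that appears in the NS table."""
    labels = hostname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in NS:
            return candidate
    return labels[-1]  # zone not in the table: fall back to its TLD (assumption)

def direct_deps(zone):
    """Zones ZONE relies on directly: its parent plus the zones hosting its nameservers."""
    deps = {zone_of(ns) for ns in NS.get(zone, [])}
    deps.add(".".join(zone.split(".")[1:]))  # parent zone; "" for a TLD, i.e. the root
    deps.discard("")    # every zone depends on the root, so it is omitted as in the thread
    deps.discard(zone)  # glue within one's own zone is not an outside dependency
    return deps

def trust_deps(zone):
    """Transitive closure of direct_deps, excluding the zone itself (cycles are fine)."""
    seen, queue = set(), deque([zone])
    while queue:
        new = direct_deps(queue.popleft()) - seen
        seen |= new
        queue.extend(new)
    return seen - {zone}

def cross_operator_deps(zone):
    """The dependencies worth attention: zones run by someone other than ZONE's operator."""
    return {d for d in trust_deps(zone) if OPERATOR.get(d) != OPERATOR.get(zone)}
```

With this data, .com and .net end up depending on each other (via gtld-servers.net and nstld.com) but only within one operator, while the constructed "xx" inherits that whole cluster as cross-operator dependencies through a single outsourced nameserver.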