[dns-operations] DNS trust dependencies for ICANN TLDs
matthew at dempsky.org
Thu Jun 11 06:45:30 UTC 2009
On Wed, Jun 10, 2009 at 10:22 PM, John Kristoff<jtk at cymru.com> wrote:
> I find this very interesting work and thank you for taking the time to
> do this. I do hope you automate it so your graphs will be current on
> at least a weekly basis. I think its a worthwhile thing to do.
Thanks. That was my plan at least. :-)
> This reminds me of the work and discussion that took place related to
> CoDoNS. If you missed it, here are some relevant links:
Ah, interesting. I hadn't seen that before, but it is definitely very
similar. Thanks for pointing it out to me!
> Each of the TLDs are also dependent on the root.
Right. I omitted this because there's little TLD administrators can
do about this, and it would just add redundant clutter to the graphs.
Similarly, once I add second-level domain names, I'll try to make it
clear what dependencies are due to the TLD's configuration vs. the
second-level domain's configuration.
> There are other
> dependencies, such as the routing infrastructure.
Yeah. There are a lot of other dependencies not adequately reflected
by the graph. I'd love to be able to include more, if possible, but I
suspect they're out of the scope I can adequately cover.
> Meanwhile, I
> wouldn't have said "Having implicit trust dependencies is bad". That
> is kind of obvious really.
Yeah. I tried to make the page accessible to people without DNS or
security background. Suggestions on how to better achieve that are
> In practice, I don't
> think most if any of the TLDs need to panic over this. I'd recommend
> they review the graphs and consider them carefully, but in my
> estimation a "fix" might not be as dire as your the web page calls
Agreed. Like I mention in the caveats section, .com and .net have
some unnecessary trust dependencies, but they're all controlled by
Verisign; similarly, .org and .info have some unnecessary trust
dependencies, but they're all controlled by Afilias. I'd like to be
able to recognize these TLDs as well, but I don't know a good a way to
tell that nstld.com and gtld-servers.net are owned by the same people.
(Of course, there's whois, but each TLD has its own whois output, and
not all are even useful; e.g., .to's.)
> You probably know this, but there are some ccTLDs that use second level
> domains like TLDs, for example, co.uk, ac.uk, etc. They are not
> likely to eliminate a zone just to reduce the dependency graph.
Yeah. And as I mentioned above, I plan to eventually start generating
graphs for them as well. The main issue is I just don't know any way
to automatically enumerate all such second-level domains. (My current
strategy is to maintain a list by hand, but maybe someone here can
offer a better suggestion.)
More information about the dns-operations