[dns-operations] TLDs requiring delegation before delegating

David Ulevitch david at opendns.com
Tue Mar 8 22:34:11 UTC 2011

On Mar 8, 2011, at 1:16 PM, Mark Andrews wrote:

> Now if the COM registry required
> registrars to verify that the zone was configured on the to be
> delegated nameservers before the delegation was accepted, delegations
> like this would be blocked.
> Some TLD's can do this.  Why can't COM?

[ New topic, new thread please... ] -- As someone who has run a large authoritative DNS service and who currently runs the largest recursive DNS service in the world, this is a very bad thing to do and it's annoying when we run into it.  

(1) This requirement is a huge pain point for end-users when TLDs do this.  People like the instant gratification of domain registration without forcing domains to some stupid registrar parked page.
(2) Requiring it removes a DDoS mitigation technique that is made available to operators today, one of the few remaining.  
(3) It would mess up Amazon's Route 53 delegation tricks which are nice for traffic management and for DDoS detection and mitigation.  I expect more and more auth. DNS providers to start doing this.
(4) Delegating to /dev/null is quite handy for reasons even beyond DDoS mitigation.
(5) It accomplishes almost nothing since moments after verifying a delegation, it can be yanked by the authoritative DNS server.

But since you said registrar, not registry, as long as I can still take my TLD business elsewhere, I don't care what annoying registrars do.


More information about the dns-operations mailing list