[dns-operations] TLDs proudly requiring technical tests before delegating
David Ulevitch
david at opendns.com
Wed Mar 9 15:57:51 UTC 2011
On Mar 9, 2011, at 12:17 AM, Stephane Bortzmeyer wrote:
> On Tue, Mar 08, 2011 at 02:34:11PM -0800,
> David Ulevitch <david at opendns.com> wrote
> a message of 26 lines which said:
>
>> (2) Requiring it removes a DDoS mitigation technique that is made
>> available to operators today, one of the few remaining.
>
> Could you elaborate? I am not aware of a DDoS mitigation technique
> which is disabled by mandatory technical tests before delegation.
>
>> (3) It would mess up Amazon's Route 53 delegation tricks which are
>> nice for traffic management and for DDoS detection and mitigation.
>
> Same question.
>
>> (4) Delegating to /dev/null is quite handy for reasons even beyond
>> DDoS mitigation.
>
> Are you sure you don't mix registration with delegation? I see the
> point of registering without delegating, I completely fail to see why
> delegating to 127.0.0.1 or 8.8.8.8 could be useful.
For all of the above: When you can point the delegation of an abusive domain to 127.0.0.1 and take it off your infrastructure, it's a big win. Enough DDoSes follow DNS changes to make this useful. And when you have 10,000+ domains pointed at you that all send a small amount of traffic all the time, it adds up to a lot of garbage. That said, registration without delegation, or being able to remove delegation would be just as satisfactory. I didn't know that existed, though some folks have informed me off-list it does for some TLDs.
This is the same reason why I would be unlikely to ever start a (free) authoritative DNS company again unless I was the registrar for every domain that was delegated to me. This is also the same reason I would love (but never expect) to have the ability to say "Hey registry, I'm the delegated nameserver for this zone but I don't want to be, stop delegating to me."
>
>> (5) It accomplishes almost nothing since moments after verifying a
>> delegation, it can be yanked by the authoritative DNS server.
>
> Tests done with our DNSdelve tool <http://www.dnsdelve.net/> show
> that, one year after registration, more than 90 % of the .FR domains
> still pass the technical tests.
Would be interesting to know what the % of working domains for a similarly sized TLD without rigorous registration checks looks like.
> Disclaimers: .FR require successful technical tests before delegation
> takes place. They are done with the Zonecheck tool
> <http://www.zonecheck.fr/>. registration != delegation. We have not
> one domain with 8.8.*.* as a name server. The tests are obviously done
> by the registry, not by the registrars.
I know -- I had to have special code for .fr zones that ensured SOAs were consistent across nameservers, annoying as an operator but not a big deal. :-)
-David
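A simplified pre-delegation technical test of the kind this thread discusses (SOA consistency across the delegated nameservers, plus rejecting nameserver addresses such as 127.0.0.1 that cannot serve the zone to the Internet), written as an added example; it is not Zonecheck's or OpenDNS's code, and it assumes the SOA answers and nameserver addresses have already been collected, which are constructed inline here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class SOA:
    """The SOA fields one nameserver answered with for the zone."""
    mname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

def check_delegation(soa_answers: Dict[str, Optional[SOA]],
                     ns_addresses: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the delegation passes.
    soa_answers: delegated NS name -> SOA it returned (None = no authoritative answer)
    ns_addresses: delegated NS name -> address the delegation points at
    """
    problems: List[str] = []
    if len(soa_answers) < 2:
        problems.append("fewer than two nameservers delegated")
    answered = {ns: soa for ns, soa in soa_answers.items() if soa is not None}
    for ns in sorted(soa_answers.keys() - answered.keys()):
        problems.append(f"{ns}: no authoritative SOA answer")
    # Every responding server must agree on the SOA serial and MNAME
    serials = sorted({soa.serial for soa in answered.values()})
    if len(serials) > 1:
        problems.append(f"SOA serial mismatch across nameservers: {serials}")
    mnames = sorted({soa.mname.lower().rstrip(".") for soa in answered.values()})
    if len(mnames) > 1:
        problems.append(f"SOA MNAME mismatch across nameservers: {mnames}")
    # Loopback, RFC 1918 and other non-routable addresses cannot serve the zone
    for ns, addr in sorted(ns_addresses.items()):
        if not ipaddress.ip_address(addr).is_global:
            problems.append(f"{ns}: {addr} is not a globally routable address")
    return problems

# Constructed sample data (not real query results); 1.2.3.4 / 5.6.7.8 stand in for public addresses
GOOD_SOA = SOA("ns1.example.net.", 2011030901, 7200, 900, 1209600, 3600)
GOOD_ANSWERS = {"ns1.example.net.": GOOD_SOA, "ns2.example.net.": GOOD_SOA}
GOOD_ADDRS = {"ns1.example.net.": "1.2.3.4", "ns2.example.net.": "5.6.7.8"}
# ns2 lags one serial behind, ns3 never answers, and two servers point at non-routable space
STALE_SOA = SOA("ns1.example.net.", 2011030900, 7200, 900, 1209600, 3600)
BAD_ANSWERS = {"ns1.example.net.": GOOD_SOA, "ns2.example.net.": STALE_SOA, "ns3.example.net.": None}
BAD_ADDRS = {"ns1.example.net.": "1.2.3.4", "ns2.example.net.": "127.0.0.1", "ns3.example.net.": "10.0.0.5"}
```

Run `check_delegation(BAD_ANSWERS, BAD_ADDRS)` to see the four findings; a registry gate of this shape is what makes the "delegate to 127.0.0.1" trick impossible, which is exactly the operator trade-off the thread is about.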