[dns-operations] TLDs proudly requiring technical tests before delegating

David Ulevitch david at opendns.com
Wed Mar 9 15:57:51 UTC 2011


On Mar 9, 2011, at 12:17 AM, Stephane Bortzmeyer wrote:

> On Tue, Mar 08, 2011 at 02:34:11PM -0800,
> David Ulevitch <david at opendns.com> wrote 
> a message of 26 lines which said:
> 
>> (2) Requiring it removes a DDoS mitigation technique that is made
>> available to operators today, one of the few remaining.  
> 
> Could you elaborate? I am not aware of a DDoS mitigation technique
> which is disabled by mandatory technical tests before delegation.
> 
>> (3) It would mess up Amazon's Route 53 delegation tricks which are
>> nice for traffic management and for DDoS detection and mitigation.
> 
> Same question.
> 
>> (4) Delegating to /dev/null is quite handy for reasons even beyond
>> DDoS mitigation.
> 
> Are you sure you don't mix registration with delegation? I see the
> point of registering without delegating, I completely fail to see why
> delegating to 127.0.0.1 or 8.8.8.8 could be useful.

For all of the above:  When you can point the delegation of an abusive domain to 127.0.0.1 and take it off your infrastructure, it's a big win.  Enough DDoSes follow DNS changes to make this useful.  And when you have 10,000+ domains pointed at you that all send a small amount of traffic all the time, it adds up to a lot of garbage.  That said, registration without delegation, or being able to remove delegation, would be just as satisfactory.  I didn't know that existed, though some folks have informed me off-list it does for some TLDs.

This is the same reason why I would be unlikely to ever start a (free) authoritative DNS company again unless I was the registrar for every domain that was delegated to me. This is also the same reason I would love (but never expect) to have the ability to say "Hey registry, I'm the delegated nameserver for this zone but I don't want to be, stop delegating to me."  

> 
>> (5) It accomplishes almost nothing since moments after verifying a
>> delegation, it can be yanked by the authoritative DNS server.
> 
> Tests done with our DNSdelve tool <http://www.dnsdelve.net/> show
> that, one year after registration, more than 90 % of the .FR domains
> still pass the technical tests.

Would be interesting to know what the % of working domains for a similarly sized TLD without rigorous registration checks look like.

> Disclaimers: .FR require successful technical tests before delegation
> takes place. They are done with the Zonecheck tool
> <http://www.zonecheck.fr/>. registration != delegation. We have not
> one domain with 8.8.*.* as a name server. The tests are obviously done
> by the registry, not by the registrars.

I know -- I had to have special code for .fr zones that ensured SOAs were consistent across nameservers, annoying as an operator but not a big deal. :-)

-David
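The thread refers to two kinds of registry-side technical test: that the delegated nameservers all serve the same SOA (the .fr check David mentions writing special code for) and that a delegation actually points at a reachable server rather than at 127.0.0.1. The following is an added, self-contained example of such checks, written for this page and not code from Zonecheck, DNSdelve, OpenDNS or anyone on the list. It operates on constructed data passed in as dictionaries (the nameserver names, addresses and SOA values are all made up), so it runs offline; a real test would obtain the SOA answers and glue by querying each nameserver.

```python
"""Constructed example of two pre-delegation sanity checks: SOA consistency
across the delegated nameservers, and glue that points at a reachable host.
All names, addresses and SOA values below are made up; nothing touches the
network."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges, listed explicitly so that the documentation prefixes
# (192.0.2.0/24 etc.) used in the sample data are not rejected.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Soa:
    """The SOA record one nameserver returned for the zone under test."""
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def soa_consistency_problems(answers):
    """answers maps nameserver name -> Soa, or None when that server gave no
    usable (authoritative) answer. Returns a list of problems; empty = pass."""
    problems = [f"{ns}: no authoritative SOA answer"
                for ns, soa in answers.items() if soa is None]
    got = [soa for soa in answers.values() if soa is not None]
    if len(got) < 2:
        problems.append("fewer than two nameservers answered for the zone")
    if len({soa.serial for soa in got}) > 1:
        problems.append("SOA serial differs between nameservers: " + ", ".join(
            f"{ns}={soa.serial}" for ns, soa in answers.items() if soa))
    if len({(s.mname, s.rname, s.refresh, s.retry, s.expire, s.minimum)
            for s in got}) > 1:
        problems.append("SOA timers or MNAME/RNAME differ between nameservers")
    return problems


def glue_problems(ns_addresses):
    """ns_addresses maps nameserver name -> list of address strings (glue or
    resolved A/AAAA). Flags delegations that cannot reach a real server,
    e.g. the 127.0.0.1 'delegate to /dev/null' case from the thread."""
    problems = []
    for ns, addrs in ns_addresses.items():
        if not addrs:
            problems.append(f"{ns}: no address")
            continue
        for a in addrs:
            ip = ipaddress.ip_address(a)
            unreachable = (ip.is_loopback or ip.is_unspecified or ip.is_link_local
                           or ip.is_multicast or any(ip in net for net in RFC1918))
            if unreachable:
                problems.append(f"{ns}: {a} is not a publicly reachable address")
    return problems


def predelegation_check(ns_addresses, answers):
    """Combined verdict for a candidate delegation: (passed, problems)."""
    problems = glue_problems(ns_addresses) + soa_consistency_problems(answers)
    return (not problems, problems)


# --- constructed sample data (not real zones or servers) ---
BASE = dict(mname="ns1.example.net.", rname="hostmaster.example.net.",
            refresh=7200, retry=900, expire=1209600, minimum=3600)

CONSISTENT = {
    "ns1.example.net.": Soa(serial=2011030901, **BASE),
    "ns2.example.net.": Soa(serial=2011030901, **BASE),
}
# ns2 still serves yesterday's serial: the secondary has not transferred the zone.
DRIFTED = {
    "ns1.example.net.": Soa(serial=2011030901, **BASE),
    "ns2.example.net.": Soa(serial=2011030801, **BASE),
}
GLUE_OK = {"ns1.example.net.": ["192.0.2.53"],
           "ns2.example.net.": ["198.51.100.53", "2001:db8::53"]}
GLUE_LOOPBACK = {"ns1.example.net.": ["127.0.0.1"], "ns2.example.net.": ["::1"]}

if __name__ == "__main__":
    cases = (("healthy", GLUE_OK, CONSISTENT),
             ("drifted", GLUE_OK, DRIFTED),
             ("parked", GLUE_LOOPBACK,
              {"ns1.example.net.": None, "ns2.example.net.": None}))
    for label, glue, soa in cases:
        ok, problems = predelegation_check(glue, soa)
        print(label, "PASS" if ok else "FAIL", problems)
```

Note that the SOA check compares all seven fields, not just the serial, because a serial match alone does not prove the secondaries transferred the same zone; and the glue check rejects RFC 1918 space as well as loopback, since a private address is just as much a null delegation from the registry's point of view. An 8.8.8.8-style delegation to an unrelated public resolver would pass the glue check and fail the SOA check, since that server returns no authoritative answer.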
