[dns-operations] DNSSEC, IPv6 glue, multiple DNS servers, and eating your own dog food

Mark Andrews marka at isc.org
Mon Jul 23 09:13:53 UTC 2012


In message <028D967E-4067-4FB3-8766-A722DC49488A at dtnx.net>, DTNX Postmaster writes:
> On Jul 21, 2012, at 00:56, Vernon Schryver wrote:
> 
> > An obvious filter for prospective registrars occurred to me at this,
> > nearly the end of my week long efforts to get my trivial domains
> > signed.
> > 
> > A registrar that does not have DS records for its main domain names
> > might lack experience dealing with DNSSEC registrations.
> > 
> > A registrar whose main domains lack AAAA records for any NS names might
> > lack real world information about IPv6 glue.
> > 
> > A registrar or reseller that does not have a WHOIS record with
> > a minimal set of servers or at least NS records might lack empathy
> > for those of us who think such things are a good idea.
> > 
> > You don't need to ask people at the registrar.
> > `dig example.com ds`, `dig example.com aaaa`, and `dig example.com ns`
> > can give more authoritative answers than anything people might say.
> > 
> > It's funny but not amusing that those commands give better results
> > for the unreal example.com than for any of the registrars that I
> > recall being mentioned here recently.  This should be particularly
> > embarrassing for one of them.
> > 
> > I tried several other registrars on
> > http://www.dotandco.net/ressources/icann_registrars/details/position.en
> > and found *none* that could pass that trivial filter.
> > Talk about a race to the bottom!
> 
> Apologies if this is an obvious thing, but what is the benefit of 
> publishing a DS record within the zone itself? Shouldn't they be 
> published within the parent zone?
> 
> Thanks,
> Jona

Yes, they get published in the parent zone.  Their lack is still the
registrar's responsibility once the parent zone accepts secure
delegation, just like it is the registrar's responsibility if the NS
RRsets mismatch or if their glue records are out of date.  Note
this does not mean the registry is not also responsible for checking
and seeking that corrections are made.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
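
The three `dig` checks from the quoted message (DS, NS, and AAAA for the NS names), combined into one script. This is an added example, not part of the thread; the function names are its own and it assumes `dig` is installed.

```shell
#!/bin/sh
# Added example: the DS / NS / AAAA filter from the thread as one function.
# q and registrar_filter are names made up for this example.

# q NAME TYPE -> answer data only, one record per line (empty if no answer)
q() { dig +short "$1" "$2"; }

# registrar_filter DOMAIN
# Prints one line per check; returns 0 only if all three checks pass.
registrar_filter() {
    domain=$1
    fail=0

    # 1. DS RRset: answered from the parent zone, so a non-empty result
    #    means a secure delegation has actually been published there.
    if [ -n "$(q "$domain" DS)" ]; then
        echo "DS    ok"
    else
        echo "DS    missing"; fail=1
    fi

    # 2. NS RRset: without it the AAAA check has nothing to look at.
    ns_list=$(q "$domain" NS)
    if [ -z "$ns_list" ]; then
        echo "NS    missing"; return 1
    fi
    echo "NS    ok"

    # 3. AAAA for the NS names: count how many name servers have an
    #    IPv6 address (grep for ':' so only address lines count).
    total=0; v6=0
    for ns in $ns_list; do
        total=$((total + 1))
        if q "$ns" AAAA | grep -q ':'; then v6=$((v6 + 1)); fi
    done
    if [ "$v6" -gt 0 ]; then
        echo "AAAA  ok ($v6/$total NS names)"
    else
        echo "AAAA  missing (0/$total NS names)"; fail=1
    fi
    return "$fail"
}

# Run against a domain given on the command line, e.g. ./filter.sh example.com
if [ $# -gt 0 ]; then registrar_filter "$1"; fi
```

The script queries whatever resolver the host is configured with; the DS line says nothing about whether the chain validates, only that the parent publishes the record.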


