[dns-operations] Fwd: Re: [Security] Glue or not glue?

Mark Andrews marka at isc.org
Wed Jun 10 01:09:45 UTC 2015


In message <557784D1.3050907 at easydns.com>, "Mark E. Jeftovic" writes:
> 
> 
> Mark Andrews wrote:
> 
> > Additionally there are "risks" with both strategies.  If you have
> > vanity names then you have the risk of not updating all the glue
> > records when you renumber the nameservers.
> > 
> > The biggest issue is not having delegations checked by all parties
> > involved in the delegation.  Checks catch errors and the DNS has a
> > high error rate with delegation being broken due to this lack of
> > checking.
> > 
> 
> Agree, we have been diligently trying to dissuade users from using
> vanity nameservers whenever we can. Alas, the fact that people can
> arbitrarily create vanity nameservers pointing at IPs they don't operate
> is a long-standing beef.
> 
> It goes back to an old wish I've expressed in the past that there needs
> to be some kind of nameserver operator protocol where ops can have some
> degree of control over entities that get delegated to them (from
> external registrars) or host entities using their IPs.

It exists: "dig SOA zone @server", and if you get back a SOA record
for the zone with the "aa" bit set then you are good to go.  This
check is supposed to be made BEFORE the delegation is completed.
Unfortunately people complain when a delegation is not completed
in 0.0001ms after hitting submit, so all checking is just skipped.

If you want this behavior to change, sue the registry and registrar
for not doing "due diligence" before adding the NS record because
they are not going to pay attention any other way it seems.  Contracts
can't save them as you, as a nameserver operator, are not party to
the contract between the registry / registrar or registrar /
registrant.

One or two successful suits will change this behaviour.


> But I don't see it happening.
> 
> - mark
> 
> -- 
> Mark E. Jeftovic <markjr at easydns.com>
> Founder & CEO, easyDNS Technologies Inc.
> +1-(416)-535-8672 ext 225
> Read my blog: http://markable.com
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
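
The pre-delegation check described in this message (an SOA query sent directly to the proposed nameserver, accepted only if the answer carries the "aa" bit and an SOA for the zone), written out as an added example that is not part of the original post or of any ISC or registry tooling. All function names are hypothetical, example.com is a placeholder, and sample_response() builds constructed bytes; check_server() is a single UDP query with no retry, TCP fallback or query-ID matching.

```python
import socket, struct

SOA, IN, QR, AA = 6, 1, 0x8000, 0x0400

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l) + b"\x00"

def build_query(zone, qid=0x1234):  # flags 0: RD clear, no recursion requested
    return struct.pack("!6H", qid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!2H", SOA, IN)

def read_name(msg, off):
    labels, end = [], None
    for _ in range(128):                          # bound pointer chasing
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
            off += 1 + n
    raise ValueError("name too long or compression pointer loop")

def is_authoritative(zone, resp):
    """True only for a NOERROR response with aa set and an SOA owned by zone."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", resp[:12])
    if not flags & QR or not flags & AA or flags & 0x000F:
        return False
    off = 12
    for _ in range(qd):                           # skip the question section
        off = read_name(resp, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if rtype == SOA and owner == zone.rstrip(".").lower():
            return True
    return False

def check_server(zone, server_ip, timeout=3.0):  # live form of the check
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone), (server_ip, 53))
        return is_authoritative(zone, s.recv(4096))

def sample_response(zone, flags, with_soa=True):  # constructed bytes, made-up RDATA
    rdata = encode_name("ns1." + zone) + encode_name("hostmaster." + zone) + struct.pack("!5I", 1, 3600, 600, 86400, 300)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", SOA, IN, 300, len(rdata)) + rdata
    return struct.pack("!6H", 0x1234, flags, 1, int(with_soa), 0, 0) + build_query(zone)[12:] + (rr if with_soa else b"")
```

A delegation check would call check_server() once per address of every proposed NS and refuse the change if any of them returns False or times out.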
