[dns-operations] Fwd: Re: [Security] Glue or not glue?
calvin at orange-tree.alt.za
calvin at orange-tree.alt.za
Wed Jun 10 10:16:18 UTC 2015
Mark Andrews wrote:
> Message: 7 Date: Wed, 10 Jun 2015 11:09:45 +1000 From: Mark Andrews
> <marka at isc.org> To: "Mark E. Jeftovic" <markjr at easydns.com> Cc:
> dns-operations at dns-oarc.net Subject: Re: [dns-operations] Fwd: Re:
> [Security] Glue or not glue? Message-ID:
> <20150610010946.8A5E1304675D at rock.dv.isc.org> <SNIP>
> It exists "dig SOA zone @server" and if you get back a SOA record
> for the zone with the "aa" bit set then you are good to go. This
> check is supposed to be made BEFORE the delegation is completed.
> Unfortunately people complain when a delegation is not completed
> in 0.0001ms after hitting submit so all checking just skipped.
In co.za we do this before delegating to NS's. The registration proceeds
irrespective.
On EPP, we queue the checks, the legacy email interface it just gets
rejected.
Do we get it in the neck:
"Don't tell us how to run our NS's"
"Our system doesn't work that way"
"We can't provision our NS's so fast"
"Our hosting provider won't put stuff in their NS's until it's in the
Registry"
"No one else does this"
and others.....
>
> If you want this to change behavior sue the registry and registrar
> for not doing "due dilegence" before adding the NS record because
> they are not going to pay attention any other way it seems. Contracts
> can't save them as you, as a nameserver operator, are not party to
> the the contract between the registry / registrar or registrar /
> registrant.
>
> One or two successful suites will change this behaviour.
>
+1
--Calvin
More information about the dns-operations
mailing list