[dns-operations] policy to prevent glue for "bogus" IP addresses

Paul Vixie paul at redbarn.org
Fri Sep 11 17:54:53 UTC 2015



Jim Reid wrote:
> On 11 Sep 2015, at 11:04, Paul Vixie <paul at redbarn.org> wrote:
>
>> i'd like ICANN to require their registrars to get it right.
>
> The registrar pool is too diffuse for that to work IMO. And logistically, it would be impractical: thousands of contract changes and a mountain of work for ICANN's compliance people.

icann now has a staff of 300 and a budget of USD 100MM. this is quite
practical for them, and it's central to their remit (technical
coordination). so, i disagree with your assessment above.

>  An easier, but still troublesome, approach would be for gTLD registries to prevent hostname objects which have special-purpose locally scoped IP addresses. Getting a contract change along these lines through the ICANN machinery will also be a challenge.

hostname objects aren't the problem. "DEV" for example is not a
registered hostname in ICANN. i know from experience that there are
already great controls in place for hostnames referenced by TLD NS
records. what i'm asking for here is controls for delegations of
registered names.

note that we already know we can't demand accurate whois, accountability
of registrants, or timely removal of names used in network abuse or
criminal activities. ICANN is structurally powerless toward those
factors. that's why DNS RPZ exists (see https://dnsrpz.info/) -- we're
placing defenses at the near end which would be far more effective and
economical at the far end. i do NOT want to have to take the same
approach with NS->(AAAA|A) chains that point into
unadvertised/unreachable/local address space.

this is a great topic for ICANN SSAC to consider, similar to what they
did for search lists.

-- 
Paul Vixie
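The control the thread is arguing about, namely refusing NS->(AAAA|A) glue whose addresses sit in special-purpose or locally scoped space, can be expressed as a small registry-side validation. The following is an added example written for this page; it is not code from the thread, from any registry, or from ICANN. The range table is drawn from the IANA special-purpose address registries (RFC 6890 and successors) and is a judgement call about what "bogus" should mean; the sample records are constructed, except the two a.root-servers.net lines, which are the real published glue from the root zone and are there to show a clean pass.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Special-purpose / locally scoped ranges. Glue pointing into these can never
# reach a publicly delegated nameserver, so a registry can refuse it up front.
# Labels are this example's own wording, not a registry's error codes.
SPECIAL_PURPOSE = {
    "unspecified / this network": ["0.0.0.0/8", "::/128"],
    "private use (RFC 1918)": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "shared address space / CGNAT (RFC 6598)": ["100.64.0.0/10"],
    "loopback": ["127.0.0.0/8", "::1/128"],
    "link-local": ["169.254.0.0/16", "fe80::/10"],
    "documentation (RFC 5737 / RFC 3849)": [
        "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32",
    ],
    "benchmarking (RFC 2544)": ["198.18.0.0/15"],
    "unique local (RFC 4193)": ["fc00::/7"],
    "multicast": ["224.0.0.0/4", "ff00::/8"],
    "reserved for future use": ["240.0.0.0/4"],
    "IPv4-mapped IPv6 (RFC 4291)": ["::ffff:0:0/96"],
}

# Parse the CIDR table once.
_RANGES = [
    (label, ipaddress.ip_network(cidr))
    for label, cidrs in SPECIAL_PURPOSE.items()
    for cidr in cidrs
]


def classify(address: str) -> Optional[str]:
    """Return the special-purpose category an address falls in, or None when
    it is ordinary unicast space as far as the table above knows."""
    ip = ipaddress.ip_address(address)
    for label, net in _RANGES:
        if ip.version == net.version and ip in net:
            return label
    return None


class Finding(NamedTuple):
    owner: str
    rrtype: str
    address: str
    reason: str


def check_glue(records) -> List[Finding]:
    """records: 'owner RRTYPE ADDRESS' lines in zone-file style, as a registry
    might receive host objects from a registrar. Returns one Finding per record
    that should be refused; an empty list means every record is acceptable."""
    findings = []
    for line in records:
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        owner, rrtype, address = line.split()
        rrtype = rrtype.upper()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append(Finding(owner, rrtype, address, "not a valid IP address"))
            continue
        expected = {"A": 4, "AAAA": 6}.get(rrtype)
        if expected is None:
            findings.append(Finding(owner, rrtype, address, "glue must be A or AAAA"))
            continue
        if ip.version != expected:
            findings.append(Finding(owner, rrtype, address,
                                    f"{rrtype} record carries an IPv{ip.version} address"))
            continue
        category = classify(address)
        if category is not None:
            findings.append(Finding(owner, rrtype, address, category))
    return findings


# Constructed sample input, except the two root-server lines (real root-zone glue).
SAMPLE_GLUE = [
    "a.root-servers.net. A    198.41.0.4          ; real glue, should pass",
    "a.root-servers.net. AAAA 2001:503:ba3e::2:30 ; real glue, should pass",
    "ns1.example.        A    10.0.0.53           ; constructed: RFC 1918",
    "ns2.example.        A    127.0.0.1           ; constructed: loopback",
    "ns3.example.        AAAA fe80::1             ; constructed: link-local",
    "ns4.example.        AAAA fc00::53            ; constructed: unique local",
    "ns5.example.        A    2001:db8::53        ; constructed: wrong family",
]

if __name__ == "__main__":
    for f in check_glue(SAMPLE_GLUE):
        print(f"REFUSE {f.owner} {f.rrtype} {f.address}: {f.reason}")
```

The check is deliberately done at registration time rather than at the resolver: a record refused here never reaches the TLD zone, which is the "far end" fix the post asks for. The family mismatch case is included because an A record carrying an IPv6 literal (or vice versa) is the same class of unreachable delegation as a private address.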
