[dns-operations] The strange case of fox.com

Paul Vixie paul at redbarn.org
Tue Mar 1 00:51:52 UTC 2016

Mark Andrews wrote:
> In message <56D47005.20206 at redbarn.org>, Paul Vixie writes:
>> it's never been practical for a registry to check the NS RR's of its
>> delegated child apexes. i think that both registrars and registrants
>> should do so, and would do so if there were better tooling available.
> For each NS registered in whois / parent zone
> 	dig NS +norec zone +short @NS | tr '[A-Z]' '[a-z]' | sort
> 	if (NS set does not match)
> 		flag for followup where followup involved re-testing
> 			after X hours then sending email to contacts
> 			for zone.
> This is not rocket science.  The tools have existed to do this for
> decades now.

mark, we aren't working in the same company now, so let me say something 
that's been on my mind for quite a few years now.

you are smarter than almost everybody, and almost everything is easy for 
you. please stop pretending that it isn't so, or that you don't know it.

it god damned is god damned rocket god damned science. stop pretending 
that these tools are adequate for any significant percentage of 
registrars or registrants, because it's not, and i think you know it.

> As for whether the Registry / Registrar performs the actual looks
> I don't care.  The Registry is clearly responsible for ensuring
> that they get performed as they are responsible for the overall
> operations of the parent zone.

no, in two ways.

if you're .DE and you have 50M delegations you're not going to be 
checking them. for .COM at 100M delegations it's worse.

also, ICANN does not allow the registry to take action if it knows that 
a delegation is bad. no action, including not notifying registrars or 
registrants, and especially not including changing or suspending the 

P Vixie
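
Added example, not part of the original message or of either poster's tooling: a Python sketch of the check outlined in the quoted pseudocode, comparing the parent's NS set with the NS RRset each listed server returns and keeping only failures that persist on re-test. The zone, server names and answers are constructed, and `sample_query` is a hypothetical offline stand-in for the live `dig` call.

```python
import subprocess

# Constructed sample data: the NS set held by the parent, and what each server answers.
PARENT_NS = ["ns1.example.net.", "ns2.example.net."]
SAMPLE_ANSWERS = {
    "ns1.example.net": ["NS2.example.net.", "ns1.example.net."],   # matches, case aside
    "ns2.example.net": ["ns1.example.net.", "ns3.example.net."],   # drifted from parent
}

def normalize(lines):
    """Lowercase, drop the trailing dot, skip blanks and dig's ';;' diagnostics."""
    names = (l.strip().lower().rstrip(".") for l in lines)
    return {n for n in names if n and not n.startswith(";")}

def dig_ns(zone, server):
    """Non-recursive NS query to one server, using the dig invocation quoted above."""
    cmd = ["dig", "NS", "+norec", "+short", zone, "@" + server]
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout.splitlines()
    except (OSError, subprocess.TimeoutExpired):
        return []

def sample_query(zone, server):
    """Offline stand-in for dig_ns that reads the constructed answers."""
    return SAMPLE_ANSWERS.get(server, [])

def check_delegation(zone, parent_ns, query=dig_ns):
    """Map each parent-listed server whose NS answer differs to a description of the problem."""
    expected = normalize(parent_ns)
    problems = {}
    for server in sorted(expected):
        got = normalize(query(zone, server))
        if not got:
            problems[server] = "no NS answer (lame or unreachable)"
        elif got != expected:
            problems[server] = {"missing": sorted(expected - got),
                                "extra": sorted(got - expected)}
    return problems

def followup(first, retest):
    """Servers failing both the first pass and the re-test X hours later: the ones to email about."""
    return sorted(set(first) & set(retest))

if __name__ == "__main__":
    first = check_delegation("example.com", PARENT_NS, sample_query)
    print(first)
    print(followup(first, first))
```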
