[dns-operations] The strange case of fox.com

Mark Andrews marka at isc.org
Tue Mar 1 01:41:04 UTC 2016

In message <56D4E7A8.7060005 at redbarn.org>, Paul Vixie writes:
> Mark Andrews wrote:
> > In message<56D47005.20206 at redbarn.org>, Paul Vixie writes:
> >> it's never been practical for a registry to check the NS RR's of its
> >> delegated child apexes. i think that both registrars and registrants
> >> should do so, and would do so if there were better tooling available.
> >
> > For each NS registered in whois / parent zone
> > 	dig NS +norec zone +short @NS | tr '[A-Z]' '[a-z]' | sort
> > 	if (NS set does not match)
> > 		flag for followup where followup involved re-testing
> > 			after X hours then sending email to contacts
> > 			for zone.
> >
> > This is not rocket science.  The tools have existed to do this for
> > decades now.
> mark, we aren't working in the same company now, so let me say something 
> that's been on my mind for quite a few years now.
> you are smarter than almost everybody, and almost everything is easy for 
> you. please stop pretending that it isn't so, or that you don't know it.
> it god damned is god damned rocket god damned science. stop pretending 
> that these tools are adequate for any significant percentage of 
> registrars or registrants, because it's not, and i think you know it.

This boils down to checking two lists of names to see if they are
the same.  We have tools that will give you the lists.  I could ask
a 12 year old if two lists of names are the same and get the correct

No, this is not rocket science and never has been.

Designing the tools to do the lookup in the first place was but we
have the tools to do that and they have existed in one form or
another since RFC 1034 was written.  They existed in 1992 when I
started working on the DNS.

This is nothing more than text processing which lots of non-scientists
have been doing for centuries.  There is nothing here which businesses
have not been doing for centuries in one form or another.  Does the
list of goods you got match the list of goods you ordered?

No, this is not rocket science.  Just because you get the answer
from the DNS does not make it rocket science.  If there was any
thought that this was rocket science the procedures for checking
the names and addresses would have been specified.

> > As for whether the Registry / Registrar performs the actual looks
> > I don't care.  The Registry is clearly responsible for ensuring
> > that they get performed as they are responsible for the overall
> > operations of the parent zone.
> no, in two ways.
> if you're .DE and you have 50M delegations you're not going to be 
> checking them. for .COM at 100M delegations it's worse.

These are all checkable.  It doesn't take massive resources to make
the checks.

> also, ICANN does not allow the registry to take action if it knows that 
> a delegation is bad. no action, including not notifying registrars or 
> registrants, and especially not including changing or suspending the 
> delegation.

Which just means ICANN stuffed up.

> -- 
> P Vixie
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
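
The check discussed in this thread (compare the NS set registered at the parent with the NS set each listed server returns, then re-test before contacting anyone), as an added example that is not part of the original messages. The zone and server names are constructed, `retest_hours=24` stands in for the unspecified "X hours", and `check_delegation` and `follow_up` are hypothetical helper names.

```python
import subprocess

def normalize(names):
    """Lower-case and strip the trailing dot so sets compare like `tr | sort`."""
    return {n.strip().lower().rstrip(".") for n in names if n.strip()}

def dig_ns(zone, server):
    """The query from the message: dig NS +norec zone +short @server."""
    out = subprocess.run(["dig", "NS", "+norec", zone, "+short", "@" + server],
                         capture_output=True, text=True, timeout=30).stdout
    # Drop dig's ";;" diagnostic lines so a timeout reads as "no answer".
    return [line for line in out.splitlines() if not line.startswith(";")]

def check_delegation(zone, parent_ns, lookup=dig_ns):
    """Return {server: finding} for each server whose NS set differs from the parent's."""
    parent = normalize(parent_ns)
    findings = {}
    for server in sorted(parent):
        try:
            child = normalize(lookup(zone, server))
        except Exception as exc:  # timeout, dig not installed, ...
            findings[server] = {"error": str(exc)}
            continue
        if not child:
            findings[server] = {"error": "no NS answer (lame or unreachable)"}
        elif child != parent:
            findings[server] = {"missing_at_child": sorted(parent - child),
                                "extra_at_child": sorted(child - parent)}
    return findings

def follow_up(zone, findings, pending, now, retest_hours=24):
    """First failure: record it. Still failing after retest_hours: notify contacts."""
    if not findings:
        pending.pop(zone, None)
        return "ok"
    first_seen = pending.setdefault(zone, now)
    return "notify" if now - first_seen >= retest_hours * 3600 else "retest"

# Constructed sample answers (example.test and its servers are not from the thread).
SAMPLE = {
    "ns1.example.test": ["NS1.example.test.", "ns2.example.test."],
    "ns2.example.test": ["ns1.example.test.", "ns3.example.test."],
}

if __name__ == "__main__":
    fake = lambda zone, server: SAMPLE[server]
    parent = ["ns1.example.test.", "NS2.EXAMPLE.TEST."]
    result = check_delegation("example.test", parent, fake)
    print(result, follow_up("example.test", result, {}, now=0))
```

With the default `lookup`, the same function queries live servers through `dig`; `pending` is a plain dict the caller persists between runs.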
