[dns-operations] The strange case of fox.com

Mark Andrews marka at isc.org
Tue Mar 1 19:57:13 UTC 2016


In message <22229.45817.765503.674939 at tale.kendall.corp.akamai.com>, David C Lawrence writes:
> Mark Andrews writes:
> > > Verisign as the .com registry should have detected the change?  What
> > > should they have done when they discovered it was broken?
> > 
> > Contact the zone owners to inform them that the delegation is not
> > consistent and to request that they update the appropriate records.
> 
> Alas, the owners were contacted weeks ago and told how to correct it.
> It isn't yet.  Even if Verisign were doing monitoring and notifying as
> you suggest, we'd unfortunately still have the same end result now.

And if the same notice went out with "you have 28 days to correct
this or the delegation will be removed from the com zone" and this
was just followed through what would the effect be?  There are no
checks and balances in the system.  Sometimes you need to break the
zone completely to get the zone fixed.

People will learn to correct delegations.  There will be emails
saying "how do we fix this" and the answers will end up getting
published on the net and search engines will find them.

named refuses to load the zone on lots of configuration errors the
server can detect just by looking at the contents of the zone.  It
took a little while of people asking on bind-users "how do we fix
this" despite trying to have clear messages.  Those questions got
answers which are searchable.  We now get the rare question about
how to fix the issues named refuses to load the zone for.  We also
don't get questions about the operational issues the errors caused
either except when the authoritative servers for the zone are not
ours.

I wish other vendors performed similar checks.  The world would be
better off for it.

Also as more and more people have domains the questions about how
to add glue / update NS records have dropped off.  There is a lot
of knowledge out there today.  The DNS isn't as specialised as it
once was.  Registrars even have video tutorials for how to do this.

There is a whole lot of unwarranted fear about what would happen
if registries actually started enforcing delegation consistency.
We have lived through the DNS going from being a niche skill to
being a commodity product.  It is tainting our level of fear.

Yes, people will complain about registries doing this, but ultimately
this is for the zone owners' own good.  People will end up defending
registries that do this and a new better base level of practice
will be established.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


