[dns-operations] The strange case of fox.com

Wed Mar 2 18:04:51 UTC 2016

On Wed, Mar 02, 2016, marius at isgate.is <marius at isgate.is> wrote:
> Totally agree.
> 
> We have been enforcing delegation requirements on our registrants for
> over 25 years (from the beginning of the .is registry - modelled after
> .fr at the time) and have observed considerable improvement. Although 
> we are a very small registry we do believe our methods would 
> scale easily to larger registries.
> 
> We feel strongly that as a registry we must serve not only the
> registrants (our direct customers) but also those that use 
> DNS to look up these registrant's domains. 
> 
> After delegation all domains are checked once a month and with
> the current setup we are checking about 1 domain per second 
> (thus could scale to ~2M domains with the same setup.) If the domain
> no longer satisfies the .is requirements, it is tested weekly
> for eight weeks and progressively more of the domain's contacts
> informed of the problem (starting with the domain's zone contact
> which is assumed to be the operator of the domain's master nameserver). 
> If the problem persists for over 8 weeks, the delegation is removed.
> 
> We have found that over the years, more and more of our registrants
> (or their zone contacts) are grateful for the notification 
> (as opposed to annoyed) and most have no problem fixing the faults 
> with their authoritative NS setup or moving their DNS hosting services 
> elsewhere. 

It's funny you bring you up the .is delegation checks because I've had
a poor experience with them recently.

I run three of my own nameservers and configured my domains at .is to
use those nameservers. Everything was fine for a year until the .is
registry started complaining about timeouts reaching one of the
servers.

I confirmed the server was working and responding to queries correctly
from multiple network locations. I even tried some web services which do
DNS queries from dozens of locations around the world, all were fine.

I can only imagine there is a network problem that exists solely between
the .is NIC and the particular ISP I'm using for that one nameserver.

There doesn't appear to be any way to contact the NIC about
troubleshooting this issue. My ISP can't do anything without details
about what network the problems are coming from. It's a frustrating
situation to be in as a customer.

I ended up just removing that one nameserver from just my .is domain
names.

Since it looks like the .is NIC is the only one having problems
contacting that nameserver, their policy appears to have had the
opposite effect. Instead of making DNS faster and more reliable, it's
forced me to remove a nameserver which works for the vast majority of
the Internet. Sure, it's just a couple of low-volume domains, but it's
still frustrating.

JE