[dns-operations] OpenDNS, Google, Nominet - New delegation update failure mode

Ralf Weber dns at fl1ger.de
Sat Apr 4 06:59:30 UTC 2020


On 4 Apr 2020, at 6:28, Paul Vixie wrote:
> the economy requires faster, easier takedown of domains. when a 
> delegation is
> revoked due to bad behaviour by a registrant, it has to die 
> _everywhere_
> almost immediately. not sporadically depending on which (above vs. 
> below) NS
> RRset was cached, or on what TTL it had.
> the overwhelming majority of newly created domains are used 
> maliciously, and
> die quickly after short, brutal lives. we have to make them as easy to 
> kill as
> to birth.
> when i saw ralf say that there was "absolutely no reason", i 
> recognized that
> he's living in a very different world (domains are mostly good) than i 
> am
> (domains are mostly bad). we probably won't find common ground.
I actually agree with you that most domains are bad and especially that 
new domains are bad. But from my experience takedown on authorities 
takes so
long (weeks and months) that the additional NS TTL doesn’t really 

If you want to react to bad domains it has to be at the resolver level, 
you there can react fast and have full control. I’ve been doing this 
now for
over a dozen years, even before RPZ was a thing.

So long
Ralf Weber

More information about the dns-operations mailing list