[dns-operations] OpenDNS, Google, Nominet - New delegation update failure mode
Ralf Weber
dns at fl1ger.de
Sat Apr 4 06:59:30 UTC 2020
Moin!
On 4 Apr 2020, at 6:28, Paul Vixie wrote:
> the economy requires faster, easier takedown of domains. when a delegation is
> revoked due to bad behaviour by a registrant, it has to die _everywhere_
> almost immediately. not sporadically depending on which (above vs. below) NS
> RRset was cached, or on what TTL it had.
>
> the overwhelming majority of newly created domains are used maliciously, and
> die quickly after short, brutal lives. we have to make them as easy to kill as
> to birth.
>
> when i saw ralf say that there was "absolutely no reason", i recognized that
> he's living in a very different world (domains are mostly good) than i am
> (domains are mostly bad). we probably won't find common ground.
I actually agree with you that most domains are bad and especially that most
new domains are bad. But from my experience takedown on authorities takes so
long (weeks and months) that the additional NS TTL doesn’t really matter.
If you want to react to bad domains it has to be at the resolver level, as
there you can react fast and have full control. I’ve been doing this now for
over a dozen years, even before RPZ was a thing.
So long
-Ralf
--
Ralf Weber