[dns-operations] OpenDNS, Google, Nominet - New delegation update failure mode
dns at fl1ger.de
Sat Apr 4 06:59:30 UTC 2020
On 4 Apr 2020, at 6:28, Paul Vixie wrote:
> the economy requires faster, easier takedown of domains. when a delegation is
> revoked due to bad behaviour by a registrant, it has to die almost immediately.
> not sporadically depending on which (above vs. below) NS RRset was cached, or
> on what TTL it had.
>
> the overwhelming majority of newly created domains are used maliciously, and
> die quickly after short, brutal lives. we have to make them as easy to kill as
> to birth.
>
> when i saw ralf say that there was "absolutely no reason", i recognized that
> he's living in a very different world (domains are mostly good) than i
> (domains are mostly bad). we probably won't find common ground.
I actually agree with you that most domains are bad and especially that
new domains are bad. But from my experience takedown on authorities
long (weeks and months) that the additional NS TTL doesn’t really
If you want to react to bad domains it has to be at the resolver level,
there you can react fast and have full control. I’ve been doing this
for over a dozen years, even before RPZ was a thing.