[dns-operations] OpenDNS, Google, Nominet - New delegation update failure mode

Doug Barton dougb at dougbarton.email
Sat Apr 4 17:45:49 UTC 2020


On 4/3/20 9:28 PM, Paul Vixie wrote:

> the economy requires faster, easier takedown of domains. when a delegation is
> revoked due to bad behaviour by a registrant, it has to die _everywhere_
> almost immediately. not sporadically depending on which (above vs. below) NS
> RRset was cached, or on what TTL it had.
> 
> the overwhelming majority of newly created domains are used maliciously, and
> die quickly after short, brutal lives. we have to make them as easy to kill as
> to birth.

I agree with you, Paul, on most domains being bad, and that takedowns 
are often effective. However, this is actually one reason not to prefer 
the child TTL, since the bad actors will simply crank up the TTL on 
their NS set to the max.

That said, I still want to prefer the child TTL. The parent delegation 
is not authoritative, it's just a referral. That was the rationale for 
not signing it with DNSSEC (something I violently disagreed with at the 
time, and still do).

The child should have the right to determine its own fate. This is 
especially true when it comes to preparing for a redelegation, but there 
are other reasons of course.

Regarding resolver operators who don't want to obey TTLs that they think 
are too short, they already have options to set minimums that work for 
them. That combined with the resolver otherwise obeying the child TTL 
makes everyone happy (and follows the protocol).

Doug
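A small model of the trade-off discussed in this message, added here as an example that is not part of the thread or of any resolver's code: a resolver caches the NS RRset under either the parent's referral TTL or the child's authoritative TTL, an operator may clamp that TTL with a floor (the "minimums" mentioned above) or a ceiling, and the cached TTL then fixes how long a revoked delegation keeps resolving from that cache. All names, TTL values, the one-hour revocation time and the `ResolverPolicy` knobs are constructed for the example.

```python
"""Constructed model (not from the thread) of how a resolver's TTL policy
decides how long a revoked delegation keeps resolving out of cache.

A resolver sees the NS RRset for a zone twice: in the parent's referral
(non-authoritative) and at the child's apex (authoritative).  Whichever TTL
it caches under, plus any operator clamping, sets the takedown lag."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class NsRRset:
    """An NS RRset as seen by the resolver; source is 'parent' or 'child'."""
    names: Tuple[str, ...]
    ttl: int
    source: str


@dataclass(frozen=True)
class ResolverPolicy:
    """Operator-side TTL policy (field names are this example's, not any resolver's)."""
    prefer_child: bool = True        # cache the child's authoritative NS RRset
    min_ttl: int = 0                 # floor against TTLs the operator finds too short
    max_ttl: Optional[int] = None    # ceiling against TTLs cranked up by a registrant


def cached_ttl(parent: NsRRset, child: NsRRset, policy: ResolverPolicy) -> int:
    """TTL the resolver keeps the NS RRset under, after clamping."""
    chosen = child if policy.prefer_child else parent
    ttl = max(chosen.ttl, policy.min_ttl)
    if policy.max_ttl is not None:
        ttl = min(ttl, policy.max_ttl)
    return ttl


def lag_after_revocation(cached_at: int, revoked_at: int, ttl: int) -> int:
    """Seconds after the parent drops the delegation (at revoked_at) during
    which a resolver that cached the NS RRset at cached_at still answers."""
    return max(0, cached_at + ttl - revoked_at)


# Constructed inputs: parent referral TTL of two days, child apex NS TTL of a
# week (the registrant controls the child value and could raise it further).
PARENT = NsRRset(("ns1.example.", "ns2.example."), 172_800, "parent")
CHILD = NsRRset(("ns1.example.", "ns2.example."), 604_800, "child")
REVOKED_AT = 3_600  # delegation pulled one hour after the resolver cached it


def compare_policies() -> Dict[str, int]:
    """Takedown lag, in seconds, under three resolver policies."""
    policies = {
        "prefer_parent": ResolverPolicy(prefer_child=False),
        "prefer_child": ResolverPolicy(prefer_child=True),
        "prefer_child_capped": ResolverPolicy(prefer_child=True, max_ttl=86_400),
    }
    return {
        name: lag_after_revocation(0, REVOKED_AT, cached_ttl(PARENT, CHILD, pol))
        for name, pol in policies.items()
    }


if __name__ == "__main__":
    for name, lag in compare_policies().items():
        print(f"{name:>20}: stale for {lag} s ({lag / 3600:.1f} h) after revocation")
```

Running the script shows the two halves of the argument side by side: preferring the child TTL leaves the revoked delegation resolvable for almost the full week the registrant chose, while a resolver-side ceiling lets the operator honour the child's TTL in the normal case and still bound the lag; the floor (`min_ttl`) covers the opposite complaint about TTLs that are too short.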


More information about the dns-operations mailing list