[dns-operations] OpenDNS, Google, Nominet - New delegation update failure mode
dougb at dougbarton.email
Sat Apr 4 17:45:49 UTC 2020
On 4/3/20 9:28 PM, Paul Vixie wrote:
> the economy requires faster, easier takedown of domains. when a delegation is
> revoked due to bad behaviour by a registrant, it has to die _everywhere_
> almost immediately. not sporadically depending on which (above vs. below) NS
> RRset was cached, or on what TTL it had.
> the overwhelming majority of newly created domains are used maliciously, and
> die quickly after short, brutal lives. we have to make them as easy to kill as
> to birth.
I agree with you, Paul, on most domains being bad; and that takedowns
are often effective. However this is actually one reason not to prefer
the child TTL, since the bad actors will simply crank up the TTL on
their NS set to the max.
That said, I still want to prefer the child TTL. The parent delegation
is not authoritative, it's just a referral. That was the rationale for
not signing it with DNSSEC (something I violently disagreed with at the
time, and still do).
The child should have the right to determine its own fate. This is
especially true when it comes to preparing for a redelegation, but there
are other reasons of course.
Regarding resolver operators who don't want to obey TTLs that they think
are too short, they already have options to set minimums that work for
them. That combined with the resolver otherwise obeying the child TTL
makes everyone happy (and follows the protocol).
More information about the dns-operations