[dns-operations] Speaking of fixing things...
Olafur Gudmundsson
ogud at ogud.com
Fri Nov 6 13:50:09 UTC 2020
> On Oct 30, 2020, at 1:46 PM, Brian Dickson <brian.peter.dickson at gmail.com> wrote:
>
> Hi, Viktor,
> Would you mind checking the list for domains with broken signed delegations to anything matching *.domaincontrol.com (GoDaddy's nameservers), including categorization (e.g. lame NS vs. non-lame NS with broken signature)?
> My suspicion is there may be a bunch of lame delegations, and knowing which TLDs (and if possible domains!) would be greatly appreciated.
> Cleaning up lame delegations is neither easy nor fast, but we do want to actually clean them up.
>
Hi Viktor,
Thanks for bringing this up.
Can you send me the list for domains under ns.cloudflare.com?
> (The root issue is there is currently no path for the delegatee to get the lame delegation removed. None. Nada. :-( )
>
CDS was supposed to address this, but as you say it does not work when a domain becomes lame or when the operator is changed without removing/updating the old DS records.
There are many reasons why a domain can go lame, including, among others, that the domain is kicked off a system for non-payment, policy violations, etc.
> Thanks,
> Brian
>
> On Thu, Oct 29, 2020 at 10:59 PM Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> I have a list of ~69k domain names with extant DS RRsets, where the
> DNSKEY RRset has been either unavailable or failing validation for 180
> days or more (92k domains if the bar is set to 90 days). These span 439
> TLDs! Of these domains, ~30k are simply lame and zone apex NS lookups
> fail even with CD=1. The remaining ~39k likely have DNSSEC-specific
> misconfiguration.
>
The question that needs to be asked is: is this 69K number unreasonable?
As for the DNSSEC-specific misconfigurations, there are probably two main reasons:
a) Signing not working
b) Automated key rollover not reflected in DS
An interesting question is how many of those “problems” are solved when the domain registration expires?
Or the converse question: have any of those domains been renewed in the last 180 days?
Which brings up another question: does the TLD make a difference on renewal of lame domains?
Olafur
> The top 25 TLDs by count of long-term dead signed delegations are:
>
> 24742 com
> 9258 nl
> 5357 se
> 4553 cz
> 2897 net
> 2763 eu
> 2044 pl
> 1661 org
> 1070 no
> 1035 hu
> 992 fr
> 916 nu
> 731 uk
> 701 info
> 594 be
> 562 ch
> 557 xyz
> 552 de
> 421 es
> 349 sk
> 346 dk
> 321 app
> 282 io
> 250 biz
> 240 pt
>
> If any of the TLDs have policies that allow the deadwood to be delisted
> (still registered, but not delegated) I can provide the list of
> domains... It would be nice to see less breakage in the live zones.
>
> --
> Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
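As an added illustration (not code from the thread or from either poster), this is the check behind the categories discussed above: a delegation is "lame" when the apex does not answer even with CD=1, "no-dnskey" when the child answers but publishes no keys (signing not working), and "ds-mismatch" when the parent's DS no longer covers any published DNSKEY (e.g. an automated rollover not reflected in DS). The DNSKEY and DS values are constructed samples, inputs are passed in rather than queried from DNS, and only digest type 2 (SHA-256) is handled; all of that is an assumption of the example.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # raw key material (base64-decoded)

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit word sum over the RDATA (not valid for algorithm 1)
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def parse_dnskey(text: str) -> DNSKEY:
    # Presentation format: "<flags> <protocol> <algorithm> <base64 key>"
    flags, proto, alg, key = text.split(maxsplit=3)
    return DNSKEY(int(flags), int(proto), int(alg), base64.b64decode("".join(key.split())))


def wire_name(name: str) -> bytes:
    # Canonical (lower-cased) wire form of the owner name, RFC 4034 s6.2
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_sha256(owner: str, key: DNSKEY) -> tuple[int, int, int, str]:
    # DS RDATA (key tag, algorithm, digest type 2, digest) per RFC 4034 s5.1.4 / RFC 4509:
    # digest = SHA-256(owner name in wire form || DNSKEY RDATA)
    digest = hashlib.sha256(wire_name(owner) + key.rdata()).hexdigest().upper()
    return (key.key_tag(), key.algorithm, 2, digest)


def classify(owner: str, ds_set: list, dnskeys) -> str:
    if dnskeys is None:
        return "lame"        # apex query failed even with CD=1
    if not dnskeys:
        return "no-dnskey"   # child answers but has no DNSKEY RRset: signing not working
    # Only keys with the ZONE flag (bit 7, value 0x100) may be referenced by a DS
    published = {ds_sha256(owner, k) for k in dnskeys if k.flags & 0x100}
    for tag, alg, dtype, digest in ds_set:
        if dtype == 2 and (tag, alg, dtype, digest.upper()) in published:
            return "ok"
    return "ds-mismatch"     # e.g. rolled key, parent DS never updated
```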