<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Mar 2, 2016 at 8:00 AM, <span dir="ltr"><<a href="mailto:marius@isgate.is" target="_blank">marius@isgate.is</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
> There is a whole lot of unwarranted fear about what would happen<br>
> if registries actually started enforcing delegation consistency.<br>
> We have lived through the DNS going from being a niche skill to<br>
> being a commodity product. It is tainting our level of fear.<br>
><br>
> Yes, people will complain about registries doing this, but ultimately<br>
> this is for the zone owners own good. People will end up defending<br>
> registries that do this and a new better base level of practice<br>
> will be established.<br></span><br>
We have been enforcing delegation requirements on our registrants for<br>
over 25 years (from the beginning of the .is registry - modelled after<br>
.fr at the time) and have observed considerable improvement. Although<br>
we are a very small registry we do believe our methods would<br>
scale easily to larger registries.<br><br>
After delegation all domains are checked once a month and with<br>
the current setup we are checking about 1 domain per second<br>
(thus could scale to ~2M domains with the same setup.) If the domain<br>
no longer satisfies the .is requirements, it is tested weekly<br>
for eight weeks and progressively more of the domain's contacts<br>
informed of the problem (starting with the domain's zone contact<br>
which is assumed to be the operator of the domain's master nameserver).<br>
If the problem persists for over 8 weeks, the delegation is removed.<br>
<br>
We have found that over the years, more and more of our registrants<br>
(or their zone contacts) are grateful for the notification<br>
(as opposed to annoyed) and most have no problem fixing the faults<br>
with their authoritative NS setup or moving their DNS hosting services<br>
elsewhere.<br></blockquote><div><br></div><div>Some constructive feedback on this: some (larger) providers make regular updates to their zone files, and therefore the serial numbers are in constant flux. As changes are deployed, their different NS IPs will occasionally be seen advertising different serials. And while this is all works perfectly well, it's a bit disconcerting to receive occasional threats from ISNIC about removing their delegations. The false positive originates because ISNIC is detecting that the serials differ for a while (a week?), not that one is actually failing to receive updates. A simple improvement (that doesn't require recording all serial numbers) would be to remember what the two (different) serials were when the discrepancy was first detected, then only flagging it as a problem if they continue to differ a week later, *and* one of them is still stuck at the old value. If they differ, but have both changed, then it's likely working as intended, and you're just getting unlucky by probing them during a routine update.</div><div><br></div><div>Damian</div></div></div></div>