IETF Logo Mail Archive

Re: [dnsext] getting TLDs to fix other people's problems

Mark Andrews <marka@isc.org> Sat, 20 December 2014 20:43 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BB781A6FF3 for <dnsext@ietfa.amsl.com>; Sat, 20 Dec 2014 12:43:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.012
X-Spam-Level:
X-Spam-Status: No, score=-5.012 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RMVeUWYn9h8G for <dnsext@ietfa.amsl.com>; Sat, 20 Dec 2014 12:43:42 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A61BB1A1B80 for <dnsext@ietf.org>; Sat, 20 Dec 2014 12:43:42 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.pao1.isc.org (Postfix) with ESMTP id 8ABA034930F; Sat, 20 Dec 2014 20:43:40 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 292CC160067; Sat, 20 Dec 2014 20:48:52 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id B3CDC160064; Sat, 20 Dec 2014 20:48:51 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 4F47026313BC; Sun, 21 Dec 2014 07:43:37 +1100 (EST)
To: Jim Reid <jim@rfc1035.com>
From: Mark Andrews <marka@isc.org>
References: <20141220125805.GB20765@xs.powerdns.com> <20141220142506.C7EA12630502@rock.dv.isc.org> <A78F8417-AEA2-42BF-A7D5-96FE99DCBBBE@rfc1035.com>
In-reply-to: Your message of "Sat, 20 Dec 2014 16:21:25 -0000." <A78F8417-AEA2-42BF-A7D5-96FE99DCBBBE@rfc1035.com>
Date: Sun, 21 Dec 2014 07:43:37 +1100
Message-Id: <20141220204337.4F47026313BC@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsext/jOGUHVEeiRrqHmgPO4_Iq3fqu8Y
Cc: DNSEXT Group Working <dnsext@ietf.org>, bert hubert <bert.hubert@netherlabs.nl>
Subject: Re: [dnsext] getting TLDs to fix other people's problems
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Dec 2014 20:43:44 -0000

In message <A78F8417-AEA2-42BF-A7D5-96FE99DCBBBE@rfc1035.com>, Jim Reid writes:
> On 20 Dec 2014, at 14:25, Mark Andrews <marka@isc.org> wrote:
>
> > What we really need is for TLD operators to audit all the delegated
> > servers and inform their owners when they see a broken one.
>
> Mark, this is a ridiculous idea. It's utterly unworkable.  just like it
> would be to get TLDs to act as the lame delegation police. It simply
> isn't going to happen. Even if this contact was viable, it will be rare
> to find a registrant who understands this aa=0 issue and is willing to
> fix the broken implementation: "the DNS for my domain is working just
> fine for me, so why should I care about the troubles it causes someone
> else or pay to fix their problem?".

The problems listed in my draft are problems with the software.
You tell them to contact the DNS vendor for a fix.  The DNS vendor
should understand and fix it themselves in the case of a hosted
service or be able to advise them of which version of the software
they need to run or generate a fix and advise them to run it.

Most of the problem is that the operators don't know that there is
a issue.  You would assume that your DNS supplier actually produces
protocol compliant software.  Informing them that they have a problem
is the first step to getting it fixed.

> I wish you every success getting ICANN to adopt that policy for gTLDs and
> then steering it through the policy-making machinery and/or legislation
> for each of the 200-odd ccTLDs. Once that's done, good luck with
> implementing and enforcing those policies.
>
> > They are the ones with the lists of authoritative servers and the
> contact
> > information.
>
> No they are not. Lots of registrants hide behind proxy/privacy services.
> Some of them publish non-functioning contact data for the registrant,
> Other registrants supply ficticious contact data, myself included.
> Draining these festering swamps will take forever and no matter how hard
> registries try, they will always be stuck with them. Don't take my word
> for it. Ask the IPR and law enforcement types who have been screaming for
> years at ICANN about bogus whois data.

They still have the lists of registrants.  If they choose to hide behind
proxy/privacy services then the contact is through them.  It is their
job to sort out what is legitimate communication from spam.

> Remember too that the two largest TLDs (which have ~50% of the world's
> registered delegations) operate the thin registry model where the
> registrars and not the registry hold registrant contact data. Verisign
> couldn't even contact the holder of domain-with-aa=0-issues.com if they
> wanted to.

Then they go through the registrars.  They and the registrars choose
to operate in then model.  They need to deal with it.  It isn't
like registries didn't know that this is part of their job.  Contacting
the parent to deal with problems in the child zone is listed as
part of the problem resolution proceedures so that should have the
mechanisms to do this.  If they don't then they failed to do due
diligence when they got into the registry business and they need
to rectify their proceedures.  The registrars should have also
realised that they are part of the compliants process.

RFC 1033, COMPLAINTS

   These are the suggested steps you should take if you are having
   problems that you believe are caused by someone else's name server:

   1.  Complain privately to the responsible person for the domain.  You
   can find their mailing address in the SOA record for the domain.

   2.  Complain publicly to the responsible person for the domain.

   3.  Ask the NIC for the administrative person responsible for the
   domain.  Complain.  You can also find domain contacts on the NIC in
   the file NETINFO:DOMAIN-CONTACTS.TXT

   4.  Complain to the parent domain authorities.

   5.  Ask the parent authorities to excommunicate the domain.

With systemic problem you often modifiy the proceedures to identify the
problem sources enmass which is what I'm trying to arrange to happen here.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email