Re: [dnsext] getting TLDs to fix other people's problems
Mark Andrews <marka@isc.org> Sat, 20 December 2014 20:43 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BB781A6FF3 for <dnsext@ietfa.amsl.com>; Sat, 20 Dec 2014 12:43:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.012
X-Spam-Level:
X-Spam-Status: No, score=-5.012 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RMVeUWYn9h8G for <dnsext@ietfa.amsl.com>; Sat, 20 Dec 2014 12:43:42 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A61BB1A1B80 for <dnsext@ietf.org>; Sat, 20 Dec 2014 12:43:42 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.pao1.isc.org (Postfix) with ESMTP id 8ABA034930F; Sat, 20 Dec 2014 20:43:40 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 292CC160067; Sat, 20 Dec 2014 20:48:52 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id B3CDC160064; Sat, 20 Dec 2014 20:48:51 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 4F47026313BC; Sun, 21 Dec 2014 07:43:37 +1100 (EST)
To: Jim Reid <jim@rfc1035.com>
From: Mark Andrews <marka@isc.org>
References: <20141220125805.GB20765@xs.powerdns.com> <20141220142506.C7EA12630502@rock.dv.isc.org> <A78F8417-AEA2-42BF-A7D5-96FE99DCBBBE@rfc1035.com>
In-reply-to: Your message of "Sat, 20 Dec 2014 16:21:25 -0000." <A78F8417-AEA2-42BF-A7D5-96FE99DCBBBE@rfc1035.com>
Date: Sun, 21 Dec 2014 07:43:37 +1100
Message-Id: <20141220204337.4F47026313BC@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsext/jOGUHVEeiRrqHmgPO4_Iq3fqu8Y
Cc: DNSEXT Group Working <dnsext@ietf.org>, bert hubert <bert.hubert@netherlabs.nl>
Subject: Re: [dnsext] getting TLDs to fix other people's problems
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Dec 2014 20:43:44 -0000
In message <A78F8417-AEA2-42BF-A7D5-96FE99DCBBBE@rfc1035.com>, Jim Reid writes: > On 20 Dec 2014, at 14:25, Mark Andrews <marka@isc.org> wrote: > > > What we really need is for TLD operators to audit all the delegated > > servers and inform their owners when they see a broken one. > > Mark, this is a ridiculous idea. It's utterly unworkable. just like it > would be to get TLDs to act as the lame delegation police. It simply > isn't going to happen. Even if this contact was viable, it will be rare > to find a registrant who understands this aa=0 issue and is willing to > fix the broken implementation: "the DNS for my domain is working just > fine for me, so why should I care about the troubles it causes someone > else or pay to fix their problem?". The problems listed in my draft are problems with the software. You tell them to contact the DNS vendor for a fix. The DNS vendor should understand and fix it themselves in the case of a hosted service or be able to advise them of which version of the software they need to run or generate a fix and advise them to run it. Most of the problem is that the operators don't know that there is a issue. You would assume that your DNS supplier actually produces protocol compliant software. Informing them that they have a problem is the first step to getting it fixed. > I wish you every success getting ICANN to adopt that policy for gTLDs and > then steering it through the policy-making machinery and/or legislation > for each of the 200-odd ccTLDs. Once that's done, good luck with > implementing and enforcing those policies. > > > They are the ones with the lists of authoritative servers and the > contact > > information. > > No they are not. Lots of registrants hide behind proxy/privacy services. > Some of them publish non-functioning contact data for the registrant, > Other registrants supply ficticious contact data, myself included. > Draining these festering swamps will take forever and no matter how hard > registries try, they will always be stuck with them. Don't take my word > for it. Ask the IPR and law enforcement types who have been screaming for > years at ICANN about bogus whois data. They still have the lists of registrants. If they choose to hide behind proxy/privacy services then the contact is through them. It is their job to sort out what is legitimate communication from spam. > Remember too that the two largest TLDs (which have ~50% of the world's > registered delegations) operate the thin registry model where the > registrars and not the registry hold registrant contact data. Verisign > couldn't even contact the holder of domain-with-aa=0-issues.com if they > wanted to. Then they go through the registrars. They and the registrars choose to operate in then model. They need to deal with it. It isn't like registries didn't know that this is part of their job. Contacting the parent to deal with problems in the child zone is listed as part of the problem resolution proceedures so that should have the mechanisms to do this. If they don't then they failed to do due diligence when they got into the registry business and they need to rectify their proceedures. The registrars should have also realised that they are part of the compliants process. RFC 1033, COMPLAINTS These are the suggested steps you should take if you are having problems that you believe are caused by someone else's name server: 1. Complain privately to the responsible person for the domain. You can find their mailing address in the SOA record for the domain. 2. Complain publicly to the responsible person for the domain. 3. Ask the NIC for the administrative person responsible for the domain. Complain. You can also find domain contacts on the NIC in the file NETINFO:DOMAIN-CONTACTS.TXT 4. Complain to the parent domain authorities. 5. Ask the parent authorities to excommunicate the domain. With systemic problem you often modifiy the proceedures to identify the problem sources enmass which is what I'm trying to arrange to happen here. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [dnsext] Empty AA=0 AD=1 answers to AAAA queries:… bert hubert
- Re: [dnsext] Empty AA=0 AD=1 answers to AAAA quer… Mark Andrews
- Re: [dnsext] Empty AA=0 AD=1 answers to AAAA quer… bert hubert
- [dnsext] getting TLDs to fix other people's probl… Jim Reid
- Re: [dnsext] getting TLDs to fix other people's p… Mark Andrews
- Re: [dnsext] getting TLDs to fix other people's p… Lawrence Conroy
- Re: [dnsext] getting TLDs to fix other people's p… Patrik Fältström
- [dnsext] enough is enough bert hubert
- Re: [dnsext] getting TLDs to fix other people's p… Jim Reid
- Re: [dnsext] enough is enough Jim Reid
- Re: [dnsext] enough is enough Patrik Fältström
- Re: [dnsext] Empty AA=0 AD=1 answers to AAAA quer… Alex Bligh
- Re: [dnsext] enough is enough bert hubert
- Re: [dnsext] getting TLDs to fix other people's p… Jay Daley
- Re: [dnsext] enough is enough Mark Andrews
- Re: [dnsext] enough is enough Patrik Fältström
- Re: [dnsext] enough is enough Patrik Fältström
- Re: [dnsext] enough is enough Mark Andrews
- Re: [dnsext] enough is enough Patrik Fältström
- Re: [dnsext] enough is enough Stephane Bortzmeyer