IETF Logo Mail Archive

Re: [DNSOP] New draft on delegation revalidation

Mark Andrews <marka@isc.org> Tue, 14 April 2020 00:04 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DA523A2164 for <dnsop@ietfa.amsl.com>; Mon, 13 Apr 2020 17:04:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FMBLp1iU7EvF for <dnsop@ietfa.amsl.com>; Mon, 13 Apr 2020 17:04:22 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9D0D3A2163 for <dnsop@ietf.org>; Mon, 13 Apr 2020 17:04:22 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 22CE63AB00B; Tue, 14 Apr 2020 00:04:21 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 172C516005D; Tue, 14 Apr 2020 00:04:21 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 07B7A160083; Tue, 14 Apr 2020 00:04:21 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 0vV5hK3Z1Zz7; Tue, 14 Apr 2020 00:04:20 +0000 (UTC)
Received: from [172.30.42.69] (unknown [49.2.228.79]) by zmx1.isc.org (Postfix) with ESMTPSA id 6BD2D16005D; Tue, 14 Apr 2020 00:04:20 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.5\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <20200411175736.A4EBC1774BAF@ary.qy>
Date: Tue, 14 Apr 2020 10:04:17 +1000
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <CB12A179-1ED4-49D3-A7C0-785FED697805@isc.org>
References: <20200411175736.A4EBC1774BAF@ary.qy>
To: John Levine <johnl@taugh.com>
X-Mailer: Apple Mail (2.3445.9.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AAO6x6aDtuFVSUhMwHXw_-WgIZE>
Subject: Re: [DNSOP] New draft on delegation revalidation
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Apr 2020 00:04:24 -0000


> On 12 Apr 2020, at 03:57, John Levine <johnl@taugh.com> wrote:
> 
> In article <CAHPuVdX5ihg5_hiwyatuXXxvUG6Luh1nQeFGtfvsm-f--bxYGQ@mail.gmail.com> you write:
>> Sure. Brian was asking specifically asking about the TLD case, so my
>> answer was in that context. For that space, I think one of the issues is:
>> even if they were willing to verify all the delegations, it isn't clear what
>> they are permitted to do about it, beyond notification to the registrants
>> (or so I've heard).
> 
> Remember that in ICANN contracted TLDs and in some ccTLDs, a registry
> can only contact registrants by going through the registrars.  

So they sent the notices via the registrar.  There is nothing preventing
that.  Just a unwillingness to exercise the path.  Registrars that fail
to pass on notices would, I presume, be in breach of contract.

> While I
> can imagine some hack (EPP probably) for the registry to tell the
> registrar about inconsistent NS, I don't see the point.  The lousy
> registrars won't care, the good ones could check and notify themselves
> if they want to.

The parent zone operators are already required to perform the checks (see
STD 13).  Just because many have been too lazy to do so doesn’t excuse them
of the responsibility they took on when choosing to manage the zone.  Now
if they want to amend the contract they have with the registrars so that
they do they checks they are free to do so but they still have to ensure
the checks are done.

"As the last installation step, the delegation NS RRs and glue RRs
necessary to make the delegation effective should be added to the parent
zone.  The administrators of both zones should insure that the NS and
glue RRs which mark both sides of the cut are consistent and remain so.”

I don’t see “unless you are a TLD operator” in there as a exemption.  The
“and remain so” implies the regular checks need to be made.  The instructions
clearly require “both sides” to check and take steps remedy inconsistencies.

The requirement to communicate through a registrar is not a “get out of gaol
free” card.

> I suppose you could make a general observation that DNS operators can
> check for inconsistent NS and when practical warn the child operator
> but that sounds like "don't forget to brush your teeth" sort of advice.


> R's,
> John
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email