Re: [DNSOP] Delegation acceptance checks [was: Re: [Ext] WGLC rfc8499bis one week extension for lame delegation definition]

Mark Andrews <> Fri, 12 May 2023 02:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9E39DC16953E for <>; Thu, 11 May 2023 19:04:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key) header.b="ju8DhuPk"; dkim=pass (1024-bit key) header.b="OBeI0LR3"
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WEwrujA8NBDE for <>; Thu, 11 May 2023 19:04:12 -0700 (PDT)
Received: from ( []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id B48A4C16951C for <>; Thu, 11 May 2023 19:04:12 -0700 (PDT)
Received: from ( []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by (Postfix) with ESMTPS id 182F93AB01F; Fri, 12 May 2023 02:04:11 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 182F93AB01F
Authentication-Results:; arc=none smtp.remote-ip=
ARC-Seal: i=1; a=rsa-sha256;; s=ostpay; t=1683857051; cv=none; b=KrgzNHcPG2uQ0+Kzb7qYIrBaO2vcNcCICGpw+XFJvnyw2ReKyBprCOkBOIyGUO5/YDIgogFM6F6QEhzkFhw6ijxyhD/fr6ZZ0HX6Q0XsES1qVH+Q6GdKLdzr+3TbUf0YLvg/0qVDHbiqfX1qVv1zNKJfo24MxYlFM6cq1QMXXW8=
ARC-Message-Signature: i=1; a=rsa-sha256;; s=ostpay; t=1683857051; c=relaxed/relaxed; bh=Fun1lSqumUyka3oIsaqRAP9wIOCbnPk3F/I+xdz8BEo=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=Pdjcc7lQMpwcDXS7WJiB3zB63qONCqvzrErvZMWiKUoLJaCfIdj2zyEzjlpPLt4nZE0Ge2Yxa0IPYG+a2Q3/3rPP8w8qWHENYrcyx672OBRnsmV4HShG6RvjPXvG5JU2H8OXu8BWpX3n/NPLWMtRhD29dBPUvVT77hyLlsdvZq0=
ARC-Authentication-Results: i=1;
DKIM-Filter: OpenDKIM Filter v2.10.3 182F93AB01F
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=ostpay; t=1683857051; bh=1leAd+SlJsAWRJBszRgQSpTwPnG5bkObWkwSTjhVQ0o=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=ju8DhuPkVU1MzikYbe7CBHQCELxDRAp4jxDDsHeFTdod+chyjlio6u6P2lQob51CH Nl9lgGph3Sqz6MvpY7oyJGK3tmmSfpyr0w5tZoCgMk0dnJkQAngCkxQRguTyN1yU05 qUNEaJCjGbd+jaeF0tU5Y450ZTwFmRWgsNC+JSOA=
Received: from (localhost.localdomain []) by (Postfix) with ESMTPS id 0D11DFEC6E7; Fri, 12 May 2023 02:04:11 +0000 (UTC)
Received: from localhost (localhost.localdomain []) by (Postfix) with ESMTP id D7A4BFEC6E8; Fri, 12 May 2023 02:04:10 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 D7A4BFEC6E8
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1683857050; bh=Fun1lSqumUyka3oIsaqRAP9wIOCbnPk3F/I+xdz8BEo=; h=Mime-Version:From:Date:Message-Id:To; b=OBeI0LR3l9EYeBQPX2ZISqsgU+EA/B+zKQOHZHaoOgZrHy+W2P4ls1IZsjXSN7LPu Tu5bK5jcy02g/2+1ZBqYDAsml5+XREoOYTmDT58CPleOSfHZVsIZkJ5Jg8BhDJcQr3 hVbTXQUjJHvu4JY6dTwUnFH1g5BizPTzkmVLUH9U=
Received: from ([]) by localhost ( []) (amavisd-new, port 10026) with ESMTP id oMDAh2CgyHJV; Fri, 12 May 2023 02:04:10 +0000 (UTC)
Received: from ( []) by (Postfix) with ESMTPSA id 25390FEC6E7; Fri, 12 May 2023 02:04:09 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.500.231\))
From: Mark Andrews <>
In-Reply-To: <20230512013510.2ACD2D670AF9@ary.qy>
Date: Fri, 12 May 2023 12:04:09 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <20230512013510.2ACD2D670AF9@ary.qy>
To: John Levine <>
X-Mailer: Apple Mail (2.3731.500.231)
Archived-At: <>
Subject: Re: [DNSOP] Delegation acceptance checks [was: Re: [Ext] WGLC rfc8499bis one week extension for lame delegation definition]
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 12 May 2023 02:04:16 -0000

> On 12 May 2023, at 11:35, John Levine <> wrote:
> It appears that Mark Andrews  <> said:
>>> Oh, I completely agree.  My point was just that even in the root which is small and you
>>> would hope would change slowly, it's still a challenge to track what's lame.
>> It’s not a challenge to track what is lame.  It’s dead simple.  You just have to look.  Getting
>> it addressed is the challenge.
> Yeah, that's a better way to put it. But the main point still stands,
> that it would be a signficant operational change to insist that all
> delegated NS be active when delegated, and even moreso to insist that
> they continue to be active.

No, it is not a “significant” change.  It should just be a minor extension
of the existing requirement to keep the NS and glue records consistent.

Even if it was you just introduce it with a soft start.  Just start checking
the delegations of every TLD like zone then report the broken servers
publicly and email the contacts for the delegation.  The tools for checking
already exist.

RFC 4034, 4.2.2.

As the last installation step, the delegation NS RRs and glue RRs
necessary to make the delegation effective should be added to the parent
zone. The administrators of both zones should insure that the NS and
glue RRs which mark both sides of the cut are consistent and remain so.

> Back in the 1990s when you registered names by email, NetSol checked
> that your NS were active before accepting them, but that was back when
> it was normal for the back and forth for registering a name to take a
> week.
> R's,
> John

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: