Re: [DNSOP] Asking TLD's to perform checks.

[Paul Vixie <vixie@tisf.net>]

On Wednesday, November 11, 2015 07:43:30 AM Mark Andrews wrote:
> Perhaps we should be getting Jari, Suzanne and Andrew to push this
> at IGF meetings.

that's a right-thinking goal but with incorrect implementation semantics.

for IGF to care about this, you'd have to show the cost to end users and small domain 
holders, and i don't think it's compelling on that basis.

the best thing to do is write up a BCP-intended draft on what registrants, registrars, and 
registries should each do to check/maintain their registration information (NS, DS, and 
related AAAA or A), covering both motivation and method, with pointers to current open-
source tools, and references describing who has tried this in the past (or currently) and 
how it worked out for them.

then, ask jim galvin of ICANN SSAC, and andrei robachevsky of ISOC, to consider this as a 
possible topic to cover in next year's SSAC/ISOC panel at IGF. in other words there's not 
time to get this onto this year's schedule, but a well written and non-controversial IETF 
draft (or maybe RFC/BCP by then) would form an excellent basis for a highly relevant 
panel on internet stability.

fwiw, the best registry level checking i ever saw was at .BR by frederico neves and his 
team. you'll want him as a co-author of this draft, IMHO.

vixie

re:

> 
> In message <20151110152511.6f1a1c20@pallas.home.time-travellers.org>, Shane
> Ker
> r writes:
> > Mark,
> > 
> > On Fri, 06 Nov 2015 10:54:02 +1100
> > 
> > Mark Andrews <marka@isc.org> wrote:
> > > 	I keep getting told the IETF can't tell people what to do
> > > 	but that is *exactly* what we do do when we issue a BCP.
> > > 	We tell people what best current practice is and ask them
> > > 	to follow it.
> > > 	
> > > 	Today we have TLDs that do perform all sorts of checks on
> > > 	servers they delegate zones to and some do inform the
> > > 	operators of those zones that they have errors.  Those
> > > 	checks cover in part tests described in
> > > 	draft-andrews-dns-no-response-issue.
> > > 	
> > > 	So do we adopt this or do we continue to lie to ourselves
> > > 	about what BCP actually do?
> > 
> > My guess is that part of the resistance is because you are going to be
> > asking people to spend money on something that does not provide them or
> > their customers any (direct) benefits. Further, it breaks the
> > registry-registrar model in some cases, where registries are kept away
> > from registrants by a 1.6 km-high wall.
> 
> Who are the customers of a registry?  The registrants and those
> that lookup names in the registry.  Yes, everyone else *is* a
> customer of the registry and by performing tests and informing the
> registrants you help both sets of customers.
> 
> As for costs, a machine/vm running checks and sending out email
> every 3 months.  That's effectively all
> <https://ednscomp.isc.org/compliance/summary.html> is though it doesn't
> send the email and it runs the checks daily, it does have to hooks
> to send out email built in but they are not activated.  Once this
> becomes a regular thing many/most/all tlds do the human costs go
> down as it becomes something people can lookup answers for what to
> do when they get the email.
> 
> You ask the registant to contact their DNS/Firewall vendor for the
> fix after explaining the issue.  If they are hosting their own DNS
> they should know who that is.  If they are using a DNS operator the
> message gets relayed to the operator or they can switch DNS operators
> to one which does the right thing.  The DNS operator then needs to
> contact their vendors for a fix.
> 
> As for the no direct contact this doesn't require direct contact.
> The registrars can perform the checks for the servers of all zones
> registered through them or they can relay the messages from the
> registry.
> 
> > My prediction about the eventual outcome is that you would end up with a