Re: [DNSOP] Asking TLD's to perform checks.
Mark Andrews <marka@isc.org> Tue, 10 November 2015 20:43 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15C6E1B3F79 for <dnsop@ietfa.amsl.com>; Tue, 10 Nov 2015 12:43:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UlNAO-WhtqKP for <dnsop@ietfa.amsl.com>; Tue, 10 Nov 2015 12:43:41 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 444131B3F7B for <dnsop@ietf.org>; Tue, 10 Nov 2015 12:43:41 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 97A053493C9; Tue, 10 Nov 2015 20:43:33 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id D5D0A16004E; Tue, 10 Nov 2015 20:43:57 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id C2FA916007B; Tue, 10 Nov 2015 20:43:57 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id PmrLRM3dBMjH; Tue, 10 Nov 2015 20:43:57 +0000 (UTC)
Received: from rock.dv.isc.org (c122-106-161-187.carlnfd1.nsw.optusnet.com.au [122.106.161.187]) by zmx1.isc.org (Postfix) with ESMTPSA id 418E816004E; Tue, 10 Nov 2015 20:43:57 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id C47C63C7D699; Wed, 11 Nov 2015 07:43:30 +1100 (EST)
To: Shane Kerr <shane@time-travellers.org>
From: Mark Andrews <marka@isc.org>
References: <20151105235402.39FFC3BF2F29@rock.dv.isc.org> <20151110152511.6f1a1c20@pallas.home.time-travellers.org>
In-reply-to: Your message of "Tue, 10 Nov 2015 15:25:11 +0100." <20151110152511.6f1a1c20@pallas.home.time-travellers.org>
Date: Wed, 11 Nov 2015 07:43:30 +1100
Message-Id: <20151110204330.C47C63C7D699@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Sj7aLpidH0kA7eEBqnGBWEV_BlM>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Asking TLD's to perform checks.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2015 20:43:43 -0000
Perhaps we should be getting Jari, Suzanne and Andrew to push this at IGF meetings. In message <20151110152511.6f1a1c20@pallas.home.time-travellers.org>, Shane Ker r writes: > Mark, > > On Fri, 06 Nov 2015 10:54:02 +1100 > Mark Andrews <marka@isc.org> wrote: > > > I keep getting told the IETF can't tell people what to do > > but that is *exactly* what we do do when we issue a BCP. > > We tell people what best current practice is and ask them > > to follow it. > > > > Today we have TLDs that do perform all sorts of checks on > > servers they delegate zones to and some do inform the > > operators of those zones that they have errors. Those > > checks cover in part tests described in > > draft-andrews-dns-no-response-issue. > > > > So do we adopt this or do we continue to lie to ourselves > > about what BCP actually do? > > My guess is that part of the resistance is because you are going to be > asking people to spend money on something that does not provide them or > their customers any (direct) benefits. Further, it breaks the > registry-registrar model in some cases, where registries are kept away > from registrants by a 1.6 km-high wall. Who are the customers of a registry? The registrants and those that lookup names in the registry. Yes, everyone else *is* a customer of the registry and by performing tests and informing the registrants you help both sets of customers. As for costs, a machine/vm running checks and sending out email every 3 months. That's effectively all <https://ednscomp.isc.org/compliance/summary.html> is though it doesn't send the email and it runs the checks daily, it does have to hooks to send out email built in but they are not activated. Once this becomes a regular thing many/most/all tlds do the human costs go down as it becomes something people can lookup answers for what to do when they get the email. You ask the registant to contact their DNS/Firewall vendor for the fix after explaining the issue. If they are hosting their own DNS they should know who that is. If they are using a DNS operator the message gets relayed to the operator or they can switch DNS operators to one which does the right thing. The DNS operator then needs to contact their vendors for a fix. As for the no direct contact this doesn't require direct contact. The registrars can perform the checks for the servers of all zones registered through them or they can relay the messages from the registry. > My prediction about the eventual outcome is that you would end up with a > document that works as well as BCP 38; meaning that it is nice to have > for people that want some recommendations about what to check (and > can't be bothered to look at other registries' online documentation, or > contact registries directly and ask what they do). So we don't say what's right because you fear that not everybody will perform the actions. We don't need to get every TLD to check to have a real impact. We just need several to check and inform, preferably big ones. Lots of zones are hosted by big players and getting them fixed has a big impact on the overhaul health of the DNS. e.g. UltraDNS and related companies fixing their service resulted in a 18% fix for the root and TLD servers, a 5% fix for the Alexa top 1000, a 2% fix for Gov servers in the Alexa top 1M and about the same for the AU servers in the Alexa top 1M. The bottom 1000 is too noisy to see if there was a change there. See the Sep 28 2015 steps in <https://ednscomp.isc.org/compliance/ts/allok.html>. > If your true goal is to get ICANN to act as the some sort of enforcer > for DNS operational purity, then please do so via ICANN channels rather > than the IETF. ;) This is actually IETF business. We can set community consensus of what is a resonable requirement. If nothing else ICANN will come back to us looking for checks to be enforced. Additionally the CCtlds are not bound by ICANN but by RFCs. > To be clear, I am not opposed to a document which lists various checks > a parent zone may want to do, and the costs & benefits of each, as long > as it doesn't end up with you screaming at the microphone because TLD > .XX doesn't implement the recommendations. :) > > Cheers, > > -- > Shane -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- Re: [DNSOP] Asking TLD's to perform checks. Jim Reid
- Re: [DNSOP] Asking TLD's to perform checks. Paul Hoffman
- [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Ralf Weber
- Re: [DNSOP] Asking TLD's to perform checks. marius
- Re: [DNSOP] Asking TLD's to perform checks. Antoin Verschuren
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Ralf Weber
- Re: [DNSOP] Asking TLD's to perform checks. Ralf Weber
- Re: [DNSOP] Asking TLD's to perform checks. Antoin Verschuren
- Re: [DNSOP] Asking TLD's to perform checks. Viktor Dukhovni
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Ralf Weber
- Re: [DNSOP] Asking TLD's to perform checks. Ralf Weber
- Re: [DNSOP] Asking TLD's to perform checks. Daniel Stirnimann
- Re: [DNSOP] Asking TLD's to perform checks. Shane Kerr
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Viktor Dukhovni
- Re: [DNSOP] Asking TLD's to perform checks. Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Viktor Dukhovni
- Re: [DNSOP] Asking TLD's to perform checks. Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Dr Eberhard W Lisse
- Re: [DNSOP] [ccnso-techwg] Re: Asking TLD's to pe… Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Viktor Dukhovni
- Re: [DNSOP] Asking TLD's to perform checks. Dr Eberhard W Lisse
- Re: [DNSOP] Asking TLD's to perform checks. Paul Vixie
- Re: [DNSOP] Asking TLD's to perform checks. Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Havard Eidnes
- Re: [DNSOP] Asking TLD's to perform checks. Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Tony Finch
- Re: [DNSOP] Asking TLD's to perform checks. Stephane Bortzmeyer
- Re: [DNSOP] Asking TLD's to perform checks. Havard Eidnes
- Re: [DNSOP] Asking TLD's to perform checks. Stephane Bortzmeyer
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Lawrence Conroy
- Re: [DNSOP] Asking TLD's to perform checks. Viktor Dukhovni
- Re: [DNSOP] Asking TLDs to perform checks. Joe Abley
- Re: [DNSOP] Asking TLD's to perform checks. Frederico A C Neves
- Re: [DNSOP] Asking TLD's to perform checks. Tim Wicinski
- Re: [DNSOP] Asking TLD's to perform checks. Dr Eberhard W Lisse
- Re: [DNSOP] Asking TLD's to perform checks. Jelte Jansen