IETF Logo Mail Archive

Re: [DNSOP] Asking TLD's to perform checks.

Mark Andrews <marka@isc.org> Tue, 10 November 2015 20:43 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15C6E1B3F79 for <dnsop@ietfa.amsl.com>; Tue, 10 Nov 2015 12:43:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UlNAO-WhtqKP for <dnsop@ietfa.amsl.com>; Tue, 10 Nov 2015 12:43:41 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 444131B3F7B for <dnsop@ietf.org>; Tue, 10 Nov 2015 12:43:41 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 97A053493C9; Tue, 10 Nov 2015 20:43:33 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id D5D0A16004E; Tue, 10 Nov 2015 20:43:57 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id C2FA916007B; Tue, 10 Nov 2015 20:43:57 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id PmrLRM3dBMjH; Tue, 10 Nov 2015 20:43:57 +0000 (UTC)
Received: from rock.dv.isc.org (c122-106-161-187.carlnfd1.nsw.optusnet.com.au [122.106.161.187]) by zmx1.isc.org (Postfix) with ESMTPSA id 418E816004E; Tue, 10 Nov 2015 20:43:57 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id C47C63C7D699; Wed, 11 Nov 2015 07:43:30 +1100 (EST)
To: Shane Kerr <shane@time-travellers.org>
From: Mark Andrews <marka@isc.org>
References: <20151105235402.39FFC3BF2F29@rock.dv.isc.org> <20151110152511.6f1a1c20@pallas.home.time-travellers.org>
In-reply-to: Your message of "Tue, 10 Nov 2015 15:25:11 +0100." <20151110152511.6f1a1c20@pallas.home.time-travellers.org>
Date: Wed, 11 Nov 2015 07:43:30 +1100
Message-Id: <20151110204330.C47C63C7D699@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Sj7aLpidH0kA7eEBqnGBWEV_BlM>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Asking TLD's to perform checks.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2015 20:43:43 -0000

Perhaps we should be getting Jari, Suzanne and Andrew to push this
at IGF meetings.

In message <20151110152511.6f1a1c20@pallas.home.time-travellers.org>, Shane Ker
r writes:
> Mark,
> 
> On Fri, 06 Nov 2015 10:54:02 +1100
> Mark Andrews <marka@isc.org> wrote:
> 
> > 	I keep getting told the IETF can't tell people what to do
> > 	but that is *exactly* what we do do when we issue a BCP.
> > 	We tell people what best current practice is and ask them
> > 	to follow it.
> > 
> > 	Today we have TLDs that do perform all sorts of checks on
> > 	servers they delegate zones to and some do inform the
> > 	operators of those zones that they have errors.  Those
> > 	checks cover in part tests described in
> > 	draft-andrews-dns-no-response-issue.
> > 
> > 	So do we adopt this or do we continue to lie to ourselves
> > 	about what BCP actually do?
> 
> My guess is that part of the resistance is because you are going to be
> asking people to spend money on something that does not provide them or
> their customers any (direct) benefits. Further, it breaks the
> registry-registrar model in some cases, where registries are kept away
> from registrants by a 1.6 km-high wall.

Who are the customers of a registry?  The registrants and those
that lookup names in the registry.  Yes, everyone else *is* a
customer of the registry and by performing tests and informing the
registrants you help both sets of customers.

As for costs, a machine/vm running checks and sending out email
every 3 months.  That's effectively all
<https://ednscomp.isc.org/compliance/summary.html> is though it doesn't
send the email and it runs the checks daily, it does have to hooks
to send out email built in but they are not activated.  Once this
becomes a regular thing many/most/all tlds do the human costs go
down as it becomes something people can lookup answers for what to
do when they get the email.

You ask the registant to contact their DNS/Firewall vendor for the
fix after explaining the issue.  If they are hosting their own DNS
they should know who that is.  If they are using a DNS operator the
message gets relayed to the operator or they can switch DNS operators
to one which does the right thing.  The DNS operator then needs to
contact their vendors for a fix.

As for the no direct contact this doesn't require direct contact.
The registrars can perform the checks for the servers of all zones
registered through them or they can relay the messages from the
registry.

> My prediction about the eventual outcome is that you would end up with a
> document that works as well as BCP 38; meaning that it is nice to have
> for people that want some recommendations about what to check (and
> can't be bothered to look at other registries' online documentation, or
> contact registries directly and ask what they do).

So we don't say what's right because you fear that not everybody
will perform the actions.  We don't need to get every TLD to check
to have a real impact.  We just need several to check and inform,
preferably big ones.  Lots of zones are hosted by big players and
getting them fixed has a big impact on the overhaul health of the
DNS.  e.g. UltraDNS and related companies fixing their service
resulted in a 18% fix for the root and TLD servers, a 5% fix for
the Alexa top 1000, a 2% fix for Gov servers in the Alexa top 1M
and about the same for the AU servers in the Alexa top 1M.  The
bottom 1000 is too noisy to see if there was a change there.  See
the Sep 28 2015 steps in <https://ednscomp.isc.org/compliance/ts/allok.html>.

> If your true goal is to get ICANN to act as the some sort of enforcer
> for DNS operational purity, then please do so via ICANN channels rather
> than the IETF. ;)

This is actually IETF business.  We can set community consensus of
what is a resonable requirement.  If nothing else ICANN will come
back to us looking for checks to be enforced.  Additionally the
CCtlds are not bound by ICANN but by RFCs.

> To be clear, I am not opposed to a document which lists various checks
> a parent zone may want to do, and the costs & benefits of each, as long
> as it doesn't end up with you screaming at the microphone because TLD
> .XX doesn't implement the recommendations. :)
> 
> Cheers,
> 
> --
> Shane
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email