Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

John Levine <> Thu, 30 July 2020 20:17 UTC

Organization: Taughannock Networks

In article <>,
Paul Wouters <> wrote:
>> Has anybody done a survey to find out how many TLD zones actually fits the description of "delegation-only"?

I did some greppage, and found that all of the domains run by Verisign
and Nominet have signed non-glue A records. I think there are a lot of
TLDs run by others that are delegation only but they're mostly tiny
vanity domains.

>So you are saying that if serves
>and is suspended for abuse, that you will still service
>A records for and NS records for
>containing but no NS records for In
>the hopes that keeps working?
>Wouldn't that already fail with DNS servers like unbound with:
> 	harden-glue: yes
> 	harden-dnssec-stripped: yes
> 	harden-below-nxdomain: yes
> 	harden-referral-path: yes
>which is the default in Fedora / RHEL / CentOS and maybe others?

If the domain is suspended the NS goes away and the A records are not
glue so none of those apply. Some registrars insert faux NS like
NS1.IN-EXPIRATION-GRACE-PERIOD.WTF but many don't since it has just
the collateral damage you identified.

I can tell you from experience as a tiny registrar reseller that Joe's
scenario happens all the time, not suspended for abuse, but just
expired and in the 30 day renewal grace period. E-mailed renewal
notices get lost for various reasons, the domain with the name servers
expires, and it takes a few days to figure out why things aren't
working and fix it. In fact the name servers and the other domains are
all fine as is the expired domain once someone clicks the renew

While I think your general goal is reasonable, by the time we added
enough special cases to match the way real TLDs operate, the camel
would cry.

John Levine, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail.
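An added example, not part of the thread and not any registry's tooling: a small checker for the "delegation-only" property discussed above, run over a constructed zone fragment for a hypothetical TLD "example." with placeholder addresses. It classifies every record below the apex as delegation, glue, or neither, and also shows the point about suspension: once a delegation's NS records go away, the address record of its name server is no longer glue.

```python
import re

# Constructed sample TLD zone (presentation format, not real registry data).
SAMPLE_ZONE = """\
example.          NS  a.nic.example.
a.nic.example.    A   192.0.2.1   ; registry's own server: nic.example is not a cut
foo.example.      NS  ns1.foo.example.
foo.example.      DS  12345 13 2 ABCDEF
ns1.foo.example.  A   192.0.2.10  ; glue for the foo.example delegation
bar.example.      NS  ns1.foo.example.
"""

# owner [TTL] [IN] TYPE RDATA, one record per line, ';' comments allowed
RR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.+?)\s*$")

def parse_zone(text):
    """Return (owner, type, rdata) tuples with owners lowercased and comments stripped."""
    rrs = []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()
        if not line:
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        rrs.append((m.group(1).lower(), m.group(2), m.group(3)))
    return rrs

def non_glue_records(rrs, apex):
    """Records below the apex that are neither delegation (NS/DS at a cut) nor glue."""
    apex = apex.lower()
    cuts = {o for o, t, _ in rrs if t == "NS" and o != apex}
    ns_targets = {d.lower() for o, t, d in rrs if t == "NS" and o in cuts}
    below_cut = lambda n: any(n == c or n.endswith("." + c) for c in cuts)
    bad = []
    for owner, rtype, rdata in rrs:
        if owner == apex:
            continue  # apex SOA/NS/DNSKEY are the zone's own data, not a violation
        if rtype in ("NS", "DS") and owner in cuts:
            continue  # delegation records at a zone cut
        if rtype in ("A", "AAAA") and owner in ns_targets and below_cut(owner):
            continue  # glue: address of a name server inside the delegated subtree
        bad.append((owner, rtype, rdata))
    return bad

def is_delegation_only(rrs, apex):
    return not non_glue_records(rrs, apex)

def suspend(rrs, name):
    """Simulate a registry suspending a delegation: its NS and DS records go away."""
    name = name.lower()
    return [r for r in rrs if not (r[0] == name and r[1] in ("NS", "DS"))]
```

On the sample, `a.nic.example.` is flagged as a non-glue A record; after `suspend(zone, "foo.example.")`, `ns1.foo.example.` joins it because no cut covers it any more.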