Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only
John Levine <johnl@taugh.com> Thu, 30 July 2020 20:17 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WS2SafPc4EDGAVp2Zdo23pGuVHs>
In article <alpine.LRH.2.23.451.2007301446380.418549@bofh.nohats.ca>,
Paul Wouters <paul@nohats.ca> wrote:
>> Has anybody done a survey to find out how many TLD zones actually fit the description of "delegation-only"?

I did some greppage, and found that all of the domains run by Verisign
and Nominet have signed non-glue A records. I think there are a lot of
TLDs run by others that are delegation only but they're mostly tiny
vanity domains.

>So you are saying that if ns1.example.org serves another-example.org
>and example.org is suspended for abuse, that you will still service
>A records for ns1.example.org and NS records for another-example.org
>containing ns1.example.org but no NS records for example.org? In
>the hopes that another-example.org keeps working?
>
>Wouldn't that already fail with DNS servers like unbound with:
>
>    harden-glue: yes
>    harden-dnssec-stripped: yes
>    harden-below-nxdomain: yes
>    harden-referral-path: yes
>
>which is the default in Fedora / RHEL / CentOS and maybe others?

If the domain is suspended the NS goes away and the A records are not
glue so none of those apply. Some registrars insert faux NS like
NS1.IN-EXPIRATION-GRACE-PERIOD.WTF but many don't since it has just
the collateral damage you identified.

I can tell you from experience as a tiny registrar reseller that Joe's
scenario happens all the time, not suspended for abuse, but just
expired and in the 30 day renewal grace period. E-mailed renewal
notices get lost for various reasons, the domain with the name servers
expires, and it takes a few days to figure out why things aren't working
and fix it. In fact the name servers and the other domains are all fine
as is the expired domain once someone clicks the renew button.

While I think your general goal is reasonable, by the time we added
enough special cases to match the way real TLDs operate, the camel
would cry.

--
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
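
Added example, not part of the original message or of the draft: a small Python check that separates glue from non-glue address records in a TLD zone and lists the delegations that rely on a non-glue host, which is the situation described above where example.org lapses but ns1.example.org still serves another-example.org. The zone text, the simplified "owner type rdata" line format and all function names are assumptions made for illustration.

```python
# Constructed sample of a TLD zone (owner, type, rdata); all names are made up.
# example.org has lapsed: its NS set is gone, but its host record remains.
SAMPLE_ZONE = """\
org.                   NS  a0.nic.example.
ns1.example.org.       A   192.0.2.1
another-example.org.   NS  ns1.example.org.
third-example.org.     NS  ns1.third-example.org.
ns1.third-example.org. A   192.0.2.53
"""


def parse(zone_text):
    """Return (owner, type, rdata) tuples from simplified 'owner type rdata' lines."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if line:
            owner, rtype, rdata = line.split(None, 2)
            records.append((owner.lower().rstrip("."), rtype.upper(), rdata.strip()))
    return records


def at_or_below(name, cut):
    return name == cut or name.endswith("." + cut)


def classify_addresses(zone_text, apex):
    """Split A/AAAA owners into glue (at or below a zone cut) and non-glue."""
    apex = apex.lower().rstrip(".")
    records = parse(zone_text)
    # A zone cut is any non-apex owner that has an NS set in this zone.
    cuts = {o for o, t, _ in records if t == "NS" and o != apex}
    glue, non_glue = [], []
    for owner, rtype, _ in records:
        if rtype in ("A", "AAAA"):
            below_cut = any(at_or_below(owner, c) for c in cuts)
            (glue if below_cut else non_glue).append(owner)
    return glue, non_glue


def dependents(zone_text, host):
    """Delegations whose NS set names the given host."""
    host = host.lower().rstrip(".")
    return sorted({o for o, t, r in parse(zone_text)
                   if t == "NS" and r.lower().rstrip(".") == host})


if __name__ == "__main__":
    glue, non_glue = classify_addresses(SAMPLE_ZONE, "org")
    print("glue:", glue)
    print("non-glue (authoritative in the TLD zone):", non_glue)
    for h in non_glue:
        print(h, "is relied on by", dependents(SAMPLE_ZONE, h))
```

Any name reported as non-glue is authoritative data in the parent zone, so a zone containing one does not fit a strict "delegation-only" description.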