Re: [DNSOP] Asking TLD's to perform checks.

"Ralf Weber" <> Sun, 08 November 2015 09:12 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 0B5171ACE62 for <>; Sun, 8 Nov 2015 01:12:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id k_xiFV6nRh2z for <>; Sun, 8 Nov 2015 01:12:49 -0800 (PST)
Received: from ( [IPv6:2a01:4f8:a0:322c::25:42]) by (Postfix) with ESMTP id 5EFDB1ACE64 for <>; Sun, 8 Nov 2015 01:12:49 -0800 (PST)
Received: by (Postfix, from userid 107) id 903F15F4051E; Sun, 8 Nov 2015 10:12:46 +0100 (CET)
Received: from [] ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 0C5125F404AE; Sun, 8 Nov 2015 10:12:46 +0100 (CET)
From: Ralf Weber <>
To: Antoin Verschuren <>
Date: Sun, 08 Nov 2015 10:12:44 +0100
Message-ID: <>
In-Reply-To: <>
References: <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.3r5164)
Archived-At: <>
Subject: Re: [DNSOP] Asking TLD's to perform checks.
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 08 Nov 2015 09:12:51 -0000


On 7 Nov 2015, at 18:20, Antoin Verschuren wrote:
> But that’s not the point.
> The point is that we need consensus on criteria for what is good and 
> what is bad DNS(SEC).
Isn't that what the RFCs describe. Is there really a point where someone 

> I agree with you that there is no incentive for parked domains to get 
> DNS right.
> In fact, some registries like .nl allow registration without 
> delegation, which is perfectly fine for those domains. It keeps the 
> trash out the DNS.
> But we need consensus on what good and bad DNS operation is so 
> registrants have a choice.
> For a domain that I don’t use, or only sometimes, some are perfectly 
> happy with a dns-operator that charges $1,- a year but has a "DNS 
> goodness” score of only 10%.
> For a domain that is my principal business, I need a dns-operator (and 
> a registrar, and registry, and ICANN!) that has a score of at least 
> 99.999% compliance, even if it costs me $100,- a year.
I don't think that this is what Mark wants.

> The question is: What is is compliant, and how can we test that 
> against a set of known errors so we can give them a score that has the 
> consensus of us DNS experts.
My understanding was that Mark was testing protocol compliance and not 
operational aspects. I agree that there might be good and bad 
operations, but defining this is really hard as there are some many ways 
to operate DNS.

> And as Mark mentioned, many errors mean operational cost one way or 
> another, not only for the name servers of the zone itself, but also 
> for it’s parents and resolvers of ISP’s.
I know that. I worked at ISPs and now work at vendor that delivers 
software mainly for ISPs.

> Parent and child dns-operators can make their own choice in business 
> model in which they trade operational cost against profit and trust, 
> but we need an independent set of criteria for those TLD's and 
> dns-operators that want the reputation to be at the "good DNS” side 
> of that business model. And for that to be possible, we need ICANN and 
> so everyone below the root to be that good. We cannot let the weakest 
> link determine the maximum quality of the DNS.
Even if you have ICANN there are some that don't want to bend to the 
ICANN rules and this is an IETF draft.

> Perhaps a personal question to you: What score would you like the .de 
> domain (not zone!) to have? And why? What would you do if they only 
> scored 40% ?
You really have to ask Peter as he is "responsible" for that ;-). The 
.de zone I believe is pretty good as it always had pre delegation tests 
(sometimes with strange rules), but the problem for people on the 
resolving side isn't really if the domain is 40% or 99% good. As long as 
it is not 100% which IMHO it never will be we have to do something to 
make the 1% incorrect behaviour to work.

So long