Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

[Brian Dickson <brian.peter.dickson@gmail.com>]

On Thu, Jul 30, 2020 at 1:44 PM Joe Abley <jabley@hopcount.ca> wrote:

>
> There are some 20,000 examples in the ORG zone, of which at least 7,000
> are due to the domain suspension mechanism I gave as an example. There are
> lots of well-functioning domains that would fail if all of those A/AAAA
> records suddenly stopped resolving.
>
>
> That also seems quite imprecise. Here's a more specific worked example to
> make sure we understand each other.
>
> $ORIGIN ORG.
>
> BADDOMAIN NS ...
> BADDOMAIN NS ...
> NS1.BADDOMAIN A 192.0.2.1
>
> GOODDOMAIN NS NS1.BADDOMAIN.ORG.
> GOODDOMAIN NS ...
>
> If BADDOMAIN.ORG is suspended (or if the domain is suppressed for some
> equivalent reason) then the zone cut betwen ORG and BADDOMAIN.ORG will be
> removed (the BADDOMAIN.ORG NS set will disappear) but the A record above
> will remain, since it is linked to another domain, GOODDOMAIN.ORG, that
> depends upon it. Without a zone cut, that makes the ORG servers
> authoritative for the A record.
>
> I realize this is close to going down a rabbit/rat hole, so I'll try to
keep it as focused as possible.

Those two numbers (7000 and 20000) raise a question in my mind:
What's the typical range of domains impacted for each suspended domain?
I.e. given BADDOMAIN and GOODDOMAIN_1 through GOODDOMAIN_N, what would the
median value of N be, and the max or 95%ile value of N?
(I'm guessing it would be easier for you to get the answer than it would be
for me.)

The reason to ask is, what is the reasonableness of alternatives to the
current method depend? Those very much on the expected size of N.

If N is most typically about as many fingers as there are on one hand, that
suggests that changing the glue for the remaining domains, on a per-domain
basis, is not an unreasonable amount of work.
(I.e. replace all instances of "NS NS1.BADDOMAIN.ORG" with "NS
NS1.GOODDOMAIN_1.ORG", and replace NS1.BADDOMAIN A <value> with
NS1.GOODDOMAIN_1 <value> everywhere it occurs in the ORG zone.)

It's unclear whether this crosses the line of what registrars should do vs
what registries should do.
If the "suspend" action is not literally accompanied by the registrar doing
the removal of the NS records, then the (temporary) renaming of the object
by the registry on behalf of the registrar(s) involved, would seem to not
be unreasonable.

It keeps the GOODDOMAIN_N delegations functioning, and avoids promoting
glue to authoritative.

Of course, the OTHER question is, of those 20000 instances, in how many of
those cases is the registrant for BADDOMAIN and GOODDOMAIN_N the same
party? Is the expectation of the registrant that their error (lapse) or
action (abuse) on BADDOMAIN should not also have the same impact on the
related domains operated by the registrant a reasonable expectation?
(That's probably a lawyer question.)

I'm happy to stick to the technical aspect, on the renaming option: for
each suspended domain, what is the number of domains sharing a nameserver
below the delegation point, and thus how many actual renaming things and
address substitutions would be expected/required?

Brian