Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

Brian Dickson <> Thu, 30 July 2020 20:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 166E73A0CBB for <>; Thu, 30 Jul 2020 13:45:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0h-E3wg9rRTJ for <>; Thu, 30 Jul 2020 13:45:09 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::92f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5D3DB3A0CB2 for <>; Thu, 30 Jul 2020 13:45:09 -0700 (PDT)
Received: by with SMTP id n2so1658876uan.2 for <>; Thu, 30 Jul 2020 13:45:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hmYN6DFcoHdcJkKGzDjocDwh53K9mxz6mXDtFcTCN7I=; b=Z5wG7FrYTfdtH1C/qnNztVsSXl2I/jdtWivLPWhzGY+vuLQm6rc7yRn+fQK8B65aBR XVR3C2UTbGvv8EyuvqdDUYdV+p8nI1nTDsCBBCB01VHEMrZlKv1DV8AqFtt/hpi7Kr4F 4Cv5ua3VXsIxQjrWU/wlSLCkcQQa7wBvgAiFD2BYSQHFzUxanO0BbF4Mtnxz/lE/s2nd zqnj1Pi4QLmpvcPoelBgHqe5WHRVjGUgZ6OrS8r4vuRWQunmEsM0YmR1gfxDFVqcMpdz D+S89tme+fUTJeKTnZq32wsmp3JI0f/AVH3l5LT+F29LSzm+2ZpdKunL+JBpUCt93Wwz boKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hmYN6DFcoHdcJkKGzDjocDwh53K9mxz6mXDtFcTCN7I=; b=DcZIDjCSTBpdUdyUG6peB4YOS6BZhy6yLWdghIEIpzA+z938kWf6UaGdVyHpDuYVUN lQknbaYBcyY50NpqAm6rKmD6xS2NzNilvDmbE+H8iYTgQPgc4Ge3Ww2VUWuqL1pT5Qjd 1RJ6nXgh1yzkWK1PFnt+EJJ+2ph80Y9/MmH5FmqaWoV7qsDZskCLucB1ieGaLQhNFdGb 7Z2tCYruZh1yqLW/K+hZuxq8xQcSNnlvtoaBOV3jmjukYjQfz1sa+cOMjX901g95DUYb MA8hPFWF5xPQvRAcDDs0i4Aq/CD0WAXyC3SPu9fZiRz5aQez9sQetGry9XqbGhV3nAs6 o1Nw==
X-Gm-Message-State: AOAM530mj+RciZjNUgg02RttU1pAXEIHQpFLakxEWelFJ+MEN+PRfDUz tntudF4qHlgyt5rA3NEm191YzfIERPnPbtyzUv8=
X-Google-Smtp-Source: ABdhPJxboqkRroD3wpeYtbGhP6Dk0qHso16BQyMJTlFUNF4ct5zZ/CAUlIzs9IsFEfno71ZDtJdCJhquB6gCg9LlIpY=
X-Received: by 2002:a9f:31f3:: with SMTP id w48mr423671uad.87.1596141908362; Thu, 30 Jul 2020 13:45:08 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <>
In-Reply-To: <>
From: Brian Dickson <>
Date: Thu, 30 Jul 2020 13:44:57 -0700
Message-ID: <>
To: Joe Abley <>
Cc: Paul Wouters <>, dnsop <>
Content-Type: multipart/alternative; boundary="00000000000075913c05abaebf37"
Archived-At: <>
Subject: Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Jul 2020 20:45:12 -0000

On Thu, Jul 30, 2020 at 1:21 PM Joe Abley <> wrote:

> If BADDOMAIN.ORG is suspended (or if the domain is suppressed for some
> equivalent reason) then the zone cut betwen ORG and BADDOMAIN.ORG will be
> removed (the BADDOMAIN.ORG NS set will disappear) but the A record above
> will remain, since it is linked to another domain, GOODDOMAIN.ORG, that
> depends upon it. Without a zone cut, that makes the ORG servers
> authoritative for the A record.
> To a certain extent, this behaviour is a consequence of (a) the venerable
> operaetional need to suspend domains because they have been implicated in
> abuse and (b) the EPP data model used in the ORG registry, which itself has
> its origins in the RRP data model used before the re-delegation of ORG to
> PIR in 2002. As such, it's tempting to assert that the behaviour is a
> contractual requirement shared with all other gTLDs that are operated
> subject to the same contract that exists between PIR and ICANN, hence my
> question about applicability.
Yes, this does appear to be driven by EPP (the data model and the RFCs for
said), although it is not completely clear whether the policy choice of
keeping vs suspending the NS1.BADDOMAIN is a contractual requirement (it
probably is), since the EPP spec discourages but does not forbid
suspension/deletion of these NS glue records.

Clearly, removing those glue records would cause the other delegations to
fail, and possibly for other domains to become unresolvable.

So, this points to an area of overlap between policy and technology, where
alternative implementations of maintaining the ability to resolve the other
domains, might be possible by making other technology choices.
E.g. changing the name of the object N, to make it subordinate to some
other domain, while the suspension is operative, e.g. by using the other
domain (E) as the parent in place of the suspended domain (D).

Clearly, changing that would likely require policy changes for any
contracts that currently would not permit that change, as well as
modifications of the EPP spec.
The latter would not (I don't believe at least) be done in DNSOP.

However, is it appropriate to discuss the requirement or request to have
the EPP spec (and contracts) changed, as a topic for DNSOP?

Do we know how many contracts would be impacted? Are those all strictly
from the 2002 era?
Or does anyone know if more recent contracts include similar language, and
what rough order of magnitude of contracts would be impacted?
E.g. If the number of contracts is O(12), vs O(1000), the conversation is
likely to be very different.