Re: [DNSOP] Asking TLD's to perform checks.

Antoin Verschuren <> Sat, 07 November 2015 17:20 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id EE1711B3583 for <>; Sat, 7 Nov 2015 09:20:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.083
X-Spam-Status: No, score=0.083 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hXdpOjgA_3Cz for <>; Sat, 7 Nov 2015 09:20:10 -0800 (PST)
Received: from ( [IPv6:2a01:670:6aa4:da00::6]) by (Postfix) with ESMTP id 9F6C31B3586 for <>; Sat, 7 Nov 2015 09:20:09 -0800 (PST)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 51008280302; Sat, 7 Nov 2015 18:20:08 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=walhalla; t=1446916808; bh=ifni3pXKqcBlUcNC707z0MJjIbG8axahu3d8ja2kcTg=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=gwX1h+8re0DQdvCfMc7MJRpPnZuQvXeg3vB2zBW9NRf+1ozqqSErCVGHSSM5N4aKX h20NMRYyPMeUhfie7k3npIdujt0SzHt6CloPLbYSYVXIBZCEc9YK8fddH3b7zpmx+V DofmW/W3RVM7E0v72/ucQ8tf5P24F2ntNNzShBqY=
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_3D848DDC-0863-4948-B5BB-04950F2FC62F"; protocol="application/pgp-signature"; micalg="pgp-sha256"
X-Pgp-Agent: GPGMail 2.5.2
From: Antoin Verschuren <>
In-Reply-To: <>
Date: Sat, 07 Nov 2015 18:20:01 +0100
Message-Id: <>
References: <> <> <> <>
To: Ralf Weber <>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <>
Subject: Re: [DNSOP] Asking TLD's to perform checks.
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 07 Nov 2015 17:20:12 -0000

Op 7 nov. 2015, om 16:17 heeft Ralf Weber <> het volgende geschreven:

> Cool. Thanks for the link, and thanks to SIDN for doing this. Seems to be effective, though the number doesn't seem to go to 0. If I understand it correctly (or google translated it correct) there is no sanction for the registrar only information that something is not working.

The numbers don’t go down to 0 because there are also deliberately bad DNSSEC domains for testing and research purposes.
The registrars that do DNSSEC have another incentive to get this right.
If resolver operators of ISP’s don’t validate because of too many errors, the effort of registrars supporting DNSSEC in the first place will be in vain.
A sanction for regular DNS errors is that domains that repeatedly fail the technical checks can be deleted (by the registrar or registry) without the registrant’s consent according to the legal rules.
This was used quite often by registrars whose customers didn’t pay their bill on time. (simply stop serving DNS and that would give right to delete the registration).

But that’s not the point.
The point is that we need consensus on criteria for what is good and what is bad DNS(SEC).

I agree with you that there is no incentive for parked domains to get DNS right.
In fact, some registries like .nl allow registration without delegation, which is perfectly fine for those domains. It keeps the trash out the DNS.

But we need consensus on what good and bad DNS operation is so registrants have a choice.
For a domain that I don’t use, or only sometimes, some are perfectly happy with a dns-operator that charges $1,- a year but has a "DNS goodness” score of only 10%.
For a domain that is my principal business, I need a dns-operator (and a registrar, and registry, and ICANN!) that has a score of at least 99.999% compliance, even if it costs me $100,- a year.

The question is: What is is compliant, and how can we test that against a set of known errors so we can give them a score that has the consensus of us DNS experts.

And as Mark mentioned, many errors mean operational cost one way or another, not only for the name servers of the zone itself, but also for it’s parents and resolvers of ISP’s.

Parent and child dns-operators can make their own choice in business model in which they trade operational cost against profit and trust, but we need an independent set of criteria for those TLD's and dns-operators that want the reputation to be at the "good DNS” side of that business model. And for that to be possible, we need ICANN and so everyone below the root to be that good. We cannot let the weakest link determine the maximum quality of the DNS.

Perhaps a personal question to you: What score would you like the .de domain (not zone!) to have? And why? What would you do if they only scored 40% ?

- --
Antoin Verschuren

Tweevoren 6, 5672 SB Nuenen, NL
M: +31 6 37682392