IETF Logo Mail Archive

Re: [DNSOP] New draft on delegation revalidation

Paul Vixie <paul@redbarn.org> Sat, 11 April 2020 19:40 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92CF73A1867 for <dnsop@ietfa.amsl.com>; Sat, 11 Apr 2020 12:40:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uGpplkrv1VMT for <dnsop@ietfa.amsl.com>; Sat, 11 Apr 2020 12:39:58 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9810A3A1863 for <dnsop@ietf.org>; Sat, 11 Apr 2020 12:39:58 -0700 (PDT)
Received: from linux-9daj.localnet (vixp1.redbarn.org [24.104.150.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id EEB43B074A for <dnsop@ietf.org>; Sat, 11 Apr 2020 19:39:53 +0000 (UTC)
From: Paul Vixie <paul@redbarn.org>
To: dnsop@ietf.org
Date: Sat, 11 Apr 2020 19:39:52 +0000
Message-ID: <5008890.TKijk6Fbu5@linux-9daj>
Organization: none
In-Reply-To: <CAHPuVdUjsC62TK-4WeaL-TWgBpz_qk7mQb=JqGQd5U_djXNA3Q@mail.gmail.com>
References: <CAHPuVdV9eSCLQOqMF0cq8fHcuSZs7nCgjhHMfMoaV5H=ekbtSA@mail.gmail.com> <CAH1iCiqcdQCDs0gY=+zJdkfLx4+mbEAzSZp1hPJuyM5U0KTAiQ@mail.gmail.com> <CAHPuVdUjsC62TK-4WeaL-TWgBpz_qk7mQb=JqGQd5U_djXNA3Q@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sFID6Mhk_JQZm3T7BiUSvO1Jyf4>
Subject: Re: [DNSOP] New draft on delegation revalidation
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Apr 2020 19:40:01 -0000

On Saturday, 11 April 2020 13:22:42 UTC Shumon Huque wrote:
> ...
> 
> This might also be viewed (correctly) as a corner case in the RRR model
> 
> > that doesn't get addressed; it seems to happen most frequently if a
> > registrant changes registrars or if a domain lapses, where the previous
> > registrar also acted as DNS operator for the zone.
> 
> I've heard proposals in the past that TLDs should routinely scan all their
> delegations to identify such problems, but I gather this is a challenging
> requirement to impose on them for various reasons.

i think it's a corner case in the registry / registrar / registrant (RRR) 
model, as you say. what might be done here is that ICANN or DNS-OARC or the 
registry of last resort (ROLR) or perhaps all three in cooperation, could 
jointly operate an anonymizing reporting service to accept real time reports 
of lame delegations from participating full resolvers.

in this case open source resolver makers such as nlnetlabs, cznic, isc, 
powerdns, and perhaps some commercial resolver makers like nominum and 
microsoft, and perhaps even some of the so-called "public dns" providers 
(quad-this, quad-that, etc) could report delegation problems they discover, in 
real time, to be then sliced and diced and trended and published and 
especially made available to registrants, registrars, and registries for 
policy-appropriate remedial action.

this is off-topic for the draft at hand, but it's something a strong mature 
distributed naming system ought to have in it. we finally have enough CPU and 
enough bandwidth and enough competing cooperators (and enough cooperating 
competitors) that it's practical to build something like this.

-- 
Paul

v2.23.0 | Report a Bug | By Email