[Dnssec-deployment] not ANY (Re: CAT is signed )
Mark Andrews
marka at isc.org
Fri Jul 2 00:16:31 EDT 2010
In message <C2A47373-91B1-4DCB-B594-71E79887B84F at virtualized.org>, David Conrad
writes:
> Mark,
>
> On Jul 1, 2010, at 7:58 PM, Mark Andrews wrote:
> > The nameservers don't support basic RFC 1034. =20
>
> As I came into this discussion a bit late, apologies for not having full
> context.
>
> Just so I understand what you're suggesting, because the Guam name
> server responds to a DNSKEY query with NOTIMP, you want to change
> existing policy and processes to give ICANN the power to unilaterally
> remove misbehaving name servers from the root zone?
>
> Regards,
> -drc
I'd like ICANN/IANA to work with all the TLD's to ensure that they
are running nameservers that can properly answer the questions put
to them. I would prefer that they be EDNS capable but at a minimum
they need to respond to EDNS queries do that iterative resolvers
don't have to timeout waiting for the responses. That the delegations
for the TLD's refer to namservers that are configured to answer for
the TLD's.
The failure rate at the TLD level is way too high for what should
be responsably managed servers.
Rather than excommunicate a TLD that IANA offer to take over the
serving role until the TLD operator can provide servers that can
do the job properly.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the Dnssec-deployment
mailing list