[Dnssec-deployment] Laissez-faire DNS parenting, was Re: not ANY (Re: CAT is signed )

Shane Kerr shane at isc.org
Mon Jul 5 06:20:16 EDT 2010


All,

Straying a bit far from DNSSEC, but...

On Fri, 2010-07-02 at 14:16 +1000, Mark Andrews wrote:
> In message <C2A47373-91B1-4DCB-B594-71E79887B84F at virtualized.org>, David Conrad
>  writes:
> > 
> > On Jul 1, 2010, at 7:58 PM, Mark Andrews wrote:
> > > The nameservers don't support basic RFC 1034.
> > 
> > Just so I understand what you're suggesting, because the Guam name
> > server responds to a DNSKEY query with NOTIMP, you want to change
> > existing policy and processes to give ICANN the power to unilaterally
> > remove misbehaving name servers from the root zone?
>
> I'd like ICANN/IANA to work with all the TLD's to ensure that they
> are running nameservers that can properly answer the questions put
> to them.  

<snip/>

> The failure rate at the TLD level is way too high for what should
> be responsibly managed servers.
> 
> Rather than excommunicate a TLD that IANA offer to take over the
> serving role until the TLD operator can provide servers that can
> do the job properly.

I think one of the reasons DNS works so well is because it properly
aligns costs and benefits. That is, the people who benefit from having
their domain published properly are the ones who have the power to do
so. (Contrast with e-mail, where mis-aligned cost/benefit yields spam.)

Periodically people who work with DNS forget this, and start to think
that the DNS itself is important. They naturally want to expend a lot of
time and effort seeking out problems with the DNS, and come up with
various ways to enforce compliance with whatever definition of "okay"
they come up with.

These people are wrong. DNS is *only* important insofar as it helps
people do what they actually care about. And the measure of this is if
the people running the services depending on DNS are happy with it.
Because of this, I tend to think that most efforts by parents to dictate
quality-of-service to their child domains are misguided.

In fact, before any such recommendation is seriously considered on a
large scale, I suggest that some basic research be taken to see what the
potential benefits will be. Take as an example a study I did a while ago
on the RIPE NCC servers about lameness:

http://labs.ripe.net/content/lameness-analysis-measurement-and-estimation

An exception to the "let it be" approach is when child misconfiguration
is causing operational problems to the parent, due to traffic or
end-user support costs. Since I have been assured that 90%+ of traffic
to the root servers is garbage, I don't think that is likely to be a
justification in this case.

While I don't think enforcing quality-of-service is reasonable, I do
think providing information to child domain administrators is often
useful. This utility is limited, because the people who check such
things are usually the ones who run their servers properly anyway, but
it can't hurt. It sounds like ICANN is already going to do that, so I
think we're done here. :)

--
Shane
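[Editor's note: added example, not part of Shane Kerr's post and not ISC, RIPE NCC or ICANN code. It shows the kind of check the thread is arguing about: send a DNSKEY query to a delegated server and classify what comes back (the NOTIMP case mentioned for the Guam server, a lame non-authoritative answer, an empty NOERROR from an unsigned zone, and so on). Names such as classify_response and make_response are invented for this example; the sample responses are constructed by hand from the RFC 1035 header layout, not captured traffic, so the script runs offline. The probe() helper does a real UDP lookup if you point it at a server, but nothing below calls it.]

```python
"""Classify a name server's response to a DNSKEY query (added example).

Only the RFC 1035 section 4.1 header and the echoed question section are
built and parsed; that is enough to tell NOTIMP, REFUSED, SERVFAIL and
lame (non-authoritative) answers apart from a proper authoritative one.
"""
import socket
import struct

# RCODE values from RFC 1035 section 4.1.1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
TYPE_DNSKEY = 48
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_DNSKEY, txid=0x1234):
    """Build a non-recursive query (RD=0), as a parent-side checker would."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def classify_response(query, response):
    """Classify a raw response to `query`.

    Returns one of: 'ok', 'no-records', 'lame', 'notimp', 'servfail',
    'refused', 'mismatch', 'short', or 'rcode-N' for anything else.
    """
    if len(response) < 12:
        return "short"
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    qr = (flags >> 15) & 1
    aa = (flags >> 10) & 1
    rcode = flags & 0xF
    # A usable answer echoes our transaction id and question and has QR set.
    if (txid != struct.unpack("!H", query[:2])[0] or not qr or qd != 1
            or not response[12:].startswith(query[12:])):
        return "mismatch"
    if rcode == 4:
        return "notimp"       # server does not implement the query at all
    if rcode == 2:
        return "servfail"
    if rcode == 5:
        return "refused"
    if rcode != 0:
        return RCODES.get(rcode, "rcode-%d" % rcode).lower()
    if not aa:
        return "lame"         # listed as authoritative, does not claim to be
    if an == 0:
        return "no-records"   # authoritative, but the zone has no DNSKEY
    return "ok"


def make_response(query, rcode=0, aa=True, ancount=0):
    """Constructed header-only response for offline tests (not captured
    traffic). Real answers carry RR data; only the header matters here."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]


def probe(server_ip, name, timeout=3.0):
    """Send a DNSKEY query over UDP and classify the reply (network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(query, response)


if __name__ == "__main__":
    q = build_query("example.")
    for label, resp in [("notimp", make_response(q, rcode=4)),
                        ("lame", make_response(q, aa=False)),
                        ("signed", make_response(q, ancount=2))]:
        print(label, "->", classify_response(q, resp))
```

Two caveats a practitioner would add: a 'no-records' result only means the zone publishes no DNSKEY, which is a legitimate answer from an unsigned zone and not a server fault, and the check says nothing about whether a returned DNSKEY actually validates against the DS in the parent; that needs a validating resolver, not a header parser.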
