[Dnssec-deployment] dealing with broken TLD name servers

Jim Reid jim at rfc1035.com
Tue Jun 29 20:52:12 EDT 2010


On 29 Jun 2010, at 23:47, Paul Hoffman wrote:

> At 9:45 PM +0000 6/29/10, Paul Vixie wrote:
>> what we're seeing here is a failure to communicate.
>> . . .
>> such servers are misconfigured. for a TLD server to be misconfigured in
>> this way is irresponsible on ICANN's part, who should've tested this
>> before adjusting the root zone to contain the respective NS RR. ICANN
>> should also periodically retest, and should have the contractual right
>> to warn privately, warn publicly, and then remove after 24 hours any
>> such NS RR, without reference to the national sovereignty of the CCTLD.

IANA does check changes to TLD delegations. AFAIK it does not do periodic retesting.

IMO it would not be wise to (threaten to) yank NS records, and by implication yank TLDs. Besides, reasonable time is needed to get TLD operators to fix stuff. 24 hours is far, far too short - particularly for the TLDs that get by on a volunteer best efforts basis. [Of course whether TLDs should be operated in that way is another can of worms. That can be discussed elsewhere.] Much longer notice periods are also necessary when national law makes it difficult for one country to "do business" with another.

> You jumped from TLD to ccTLD. ".cat" is not yet a ccTLD. ICANN has, and should have, different relationships with the non-ccTLDs than they do with the ccTLDs.

Indeed. ICANN has contracts with the gTLD registries. These include modest DNS performance criteria: availability and RTTs mainly. [google for CNNP test.] ICANN does not have contracts with ccTLD registries and isn't really in a position to impose things on them. That's not likely to change until after ICANN (IANA?) morphs into some UN entity.

> And, yes, this is on-topic for the list.

Maybe. It might first be more of a dnsop thing though: "What should be done when a signed (TLD) delegation goes bad?" For some definition of going bad. i.e. once there's consensus on what is meant by bad and what to do about it, that would be the time for a discussion about the processes and roles needed to handle the problem.

> The other Paul is suggesting removing NS RRs of zones after they are signed if those zones don't meet ICANN's operational rules.

Which rules are these?

> Such a move, or even ICANN's suggestion of such a move, would have a very negative impact on DNSSEC deployment by causing TLDs to not want to deploy.

IMO it would have far wider and much more serious ramifications than that. The national sovereignty implications are scary.
