[Dnssec-deployment] dealing with broken TLD name servers
jim at rfc1035.com
Tue Jun 29 20:52:12 EDT 2010
On 29 Jun 2010, at 23:47, Paul Hoffman wrote:
> At 9:45 PM +0000 6/29/10, Paul Vixie wrote:
>> what we're seeing here is a failure to communicate.
>> . . .
>> such servers are misconfigured. for a TLD server to be
>> misconfigured in
>> this way is irresponsible on ICANN's part, who should've tested this
>> before adjusting the root zone to contain the respective NS RR. ICANN
>> should also periodically retest, and should have the contractual
>> to warn privately, warn publicly, and then remove after 24 hours
>> such NS RR, without reference to the national sovereignty of the
IANA does check changes to TLD delegations. AFAIK it does not do
IMO it would not be wise to (threaten to) NS records. And by
implication yank TLDs. Besides, reasonable time is needed to get TLD
operators to fix stuff. 24 hours is far, far too short - particularly
for the TLDs that get by on a volunteer best efforts basis. [Of course
whether TLDs should be operated in that way is another can of worms.
That can be discussed elsewhere.] Much longer notice periods are also
necessary when national law makes it difficult for one country to "do
business" with another.
> You jumped from TLD to ccTLD. ".cat" is not yet a ccTLD. ICANN has,
> and should have, different relationships with the non-ccTLDs than
> they do with the ccTLDs.
Indeed. ICANN has contracts with the gTLD registries. These include
modest DNS performance criteria: availability and RTTs mainly. [google
for CNNP test.] ICANN does not have contracts with ccTLD registries
and isn't really in a position to impose things on them. That's not
likely to change until after ICANN (IANA?) morphs into some UN entity.
> And, yes, this is on-topic for the list.
Maybe. It might first be more of a dnsop thing though: "What should be
done when a signed (TLD) delegation goes bad?". For some definition of
going bad. I.e., once there's consensus on what is meant by bad and what
to do about it, that would be the time for a discussion about the
processes and roles needed to handle the problem.
> The other Paul is suggesting removing NS RRs of zones after they are
> signed if those zones don't meet ICANN's operational rules.
Which rules are these?
> Such a move, or even ICANN's suggestion of such a move, would have a
> very negative impact on DNSSEC deployment by causing TLDs to not
> want to deploy.
IMO it would have far wider and much more serious ramifications than
that. The national sovereignty implications are scary.