
Re: AW: Odd policy question.
From: "Jeffrey I. Schiller" <jis () MIT EDU>
Date: Sat, 14 Jan 2006 17:06:20 -0500



Foolish me. Indeed all that is required is a way to detect that the
delegation is lame (hopefully in a secure fashion) and remove the lame
delegations. Of course that does leave the problem of what to do if all
of the delegations are lame, as Randy has alluded to.

                        -Jeff

Randy Bush wrote:
As an engineer, I believe we would need a protocol that would
permit someone to query an IP address to ask what DNS domains
it may be an NS for.


this addresses neither the issue of longevity nor that of
whether it is authoritative for a particular domain which
is proposed to be, or has been, delegated to it.

and please note that delegation is not to an ip address, but
rather to an fqdn.  the only time the two are bound is when a
delegatee is within the zone being delegated, so the delegator
needs to insert a glue a rr.

i run a very small registry for some cctlds.  my scripts do
specifically check that all servers to which a delegation is
proposed are actually serving the zone, and will not delegate
if they are not.  i also check for 2182 compliance in a crude
manner.  i also check that the ns rrset held by the servers is
that to which delegation is requested.

i would gladly re-run the delegation checks against the zone
files periodically.  but i do not as i don't know what to do
when (not if) i find lamers.  it seems a bit drastic to just
remove delegation.  but i know from experience that email to
the pocs will get no useful response.

randy



--
=============================================================================
Jeffrey I. Schiller
MIT Network Manager
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis () mit edu
============================================================================
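Randy's description of what his registry scripts check, modelled offline as an added example (this is not code from the thread or from any registry; the zone, server names, addresses and answers are constructed): each proposed server must answer authoritatively for the zone, its apex NS rrset must match the delegation being requested, and a crude RFC 2182 check looks at server count and network diversity.

```python
# Added example, not from the thread: offline model of the delegation checks
# described above. Server names, addresses and answers are constructed.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Answer:
    """What a candidate name server said when asked for the zone apex."""
    aa: bool              # AA flag set: the server claims authority for the zone
    ns_rrset: frozenset   # NS names it returns at the apex
    addr: str             # its address, for the crude RFC 2182 diversity check


def _names(names):
    return frozenset(n.lower().rstrip(".") for n in names)


def check_delegation(zone, requested_ns, answers, min_servers=2):
    """Return a list of problems; an empty list means the delegation is sane."""
    want = _names(requested_ns)
    problems = []
    for ns in sorted(want):
        ans = answers.get(ns)
        if ans is None:
            problems.append(f"{ns}: no answer for {zone}")
            continue
        if not ans.aa:
            problems.append(f"{ns}: lame, not authoritative for {zone}")
            continue
        if _names(ans.ns_rrset) != want:
            problems.append(f"{ns}: NS rrset differs from requested delegation")
    # crude RFC 2182 check: enough servers, and not all on the same /24
    if len(want) < min_servers:
        problems.append(f"only {len(want)} server(s), want at least {min_servers}")
    nets = {ip_network(f"{answers[n].addr}/24", strict=False)
            for n in want if n in answers}
    if len(want) >= 2 and len(nets) < 2:
        problems.append("all servers share one /24; RFC 2182 wants diversity")
    return problems


# Constructed scenario: one good server, one lame server, one that never answered.
REQUESTED = ["ns1.example.net.", "ns2.example.net.", "ns3.example.org."]
ANSWERS = {
    "ns1.example.net": Answer(True, frozenset(REQUESTED), "192.0.2.10"),
    "ns2.example.net": Answer(False, frozenset(), "192.0.2.20"),  # lame
}

if __name__ == "__main__":
    for line in check_delegation("example.com", REQUESTED, ANSWERS):
        print(line)
```

A periodic re-run of the same function against the live delegation list would flag lamers the same way; what to do about them is the open question the thread leaves.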

