Foolish me. Indeed all that is required is a way to detect that the delegation is lame (hopefully in a secure fashion) and remove the lame delegations. Of course that does leave the problem of what to do if all of the delegations are lame, as Randy has alluded to.
-Jeff
Randy Bush wrote:
As an engineer, I believe we would need a protocol that would permit someone to query an IP address to ask what DNS domains it may be an NS for.
this addresses neither the issue of longevity nor that of whether it is authoritative for a particular domain which is proposed to be, or has been, delegated to it.
and please note that delegation is not to an ip address, but rather to an fqdn. the only time the two are bound is when a delegatee is within the zone being delegated, so the delegator needs to insert a glue a rr.
i run a very small registry for some cctlds. my scripts do specifically check that all servers to which a delegation is proposed are actually serving the zone, and will not delegate if they are not. i also check for 2182 compliance in a crude manner. i also check that the ns rrset held by the servers is that to which delegation is requested.
i would gladly re-run the delegation checks against the zone files periodically. but i do not as i don't know what to do when (not if) i find lamers. it seems a bit drastic to just remove delegation. but i know from experience that email to the pocs will get no useful response.
randy
--
Jeffrey I. Schiller
MIT Network Manager
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis@mit.edu
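Added example, not part of the thread and not the registry scripts mentioned in it: the per-server checks Randy describes (the server answers authoritatively for the zone, and the NS RRset it holds matches the requested delegation) applied to DNS wire-format replies. The replies are constructed by the hypothetical `build_response` helper instead of being fetched from real servers; all function names and the `example.test` names are assumptions.

```python
import struct

def fqdn(name):
    return name.lower().rstrip(".") + "."

def encode_name(name):  # uncompressed DNS wire format
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):  # decode a possibly compressed name -> (fqdn, next offset)
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            if (hops := hops + 1) > 16:
                raise ValueError("compression pointer loop")
        elif n == 0:
            return ".".join(labels).lower() + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def check_response(msg, zone, proposed_ns):
    """Classify one server's reply to an NS query for `zone`."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if (flags & 0x000F) != 0 or not (flags & 0x0400):
        return "lame"  # error rcode, or AA bit clear: not serving the zone
    off = 12
    for _ in range(qd):  # skip question section (name + type + class)
        off = read_name(msg, off)[1] + 4
    held = set()
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 2 and owner == fqdn(zone):  # NS record for the zone
            held.add(read_name(msg, off)[0])
        off += rdlen
    return "ok" if held == {fqdn(n) for n in proposed_ns} else "ns-mismatch"

def build_response(zone, ns_names, aa=True, rcode=0):  # constructed sample reply
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    msg = struct.pack("!6H", 0x1234, flags, 1, len(ns_names), 0, 0)
    msg += encode_name(zone) + struct.pack("!HH", 2, 1)
    for ns in ns_names:
        rdata = encode_name(ns)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
    return msg
```

A delegation would be accepted only if every proposed server yields "ok"; what to do with a "lame" result found on a later re-run is the open question in the thread.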