> On Oct 30, 2020, at 1:46 PM, Brian Dickson <[email protected]> wrote:
>
> Hi, Victor,
> Would you mind checking the list for domains with broken signed delegations
> to anything matching *.domaincontrol.com (GoDaddy's nameservers), including
> categorization (e.g. lame NS, vs non-lame NS with broken signature)?
> My suspicion is there may be a bunch of lame delegations, and knowing which
> TLDs (and if possible domains!) would be greatly appreciated.
> Cleaning up lame delegations is neither easy nor fast, but we do want to
> actually clean them up.
Hi Victor,

Thanks for bringing this up. Can you send me the list for domains under ns.cloudflare.com?

> (The root issue is there is currently no path for the delegatee to get the
> lame delegation removed. None. Nada. :-( )

CDS was supposed to address this but as you say it does not work when the domain becomes lame or when the operator is changed w/o removing/updating the old DS records. There are many reasons why a domain can go lame, including that the domain is kicked off a system for non-payment, policy violations, etc.

> Thanks,
> Brian
>
> On Thu, Oct 29, 2020 at 10:59 PM Viktor Dukhovni <[email protected]> wrote:
> I have a list of ~69k domain names with extant DS RRsets, where the
> DNSKEY RRset has been either unavailable or failing validation for 180
> days or more (92k domains if the bar is set to 90 days). These span 439
> TLDs! Of these domains, ~30k are simply lame and zone apex NS lookups
> fail even with CD=1. The remaining ~39k likely have DNSSEC-specific
> misconfiguration.

The question that needs to be asked is: is this 69K number unreasonable? There are many reasons why a domain can go lame, including that the domain is kicked off a system for non-payment, policy violations, etc.

As for the DNSSEC-specific misconfigurations, there are probably two main reasons:
a) Signing not working
b) Automated key rollover not reflected in DS

An interesting question is how many of those "problems" are solved when the domain registration expires? Or the converse question: have any of those domains been renewed in the last 180 days? Which brings up another question: does the TLD make a difference on renewal of lame domains?
Olafur

> The top 25 TLDs by count of long-term dead signed delegations are:
>
> 24742 com
> 9258 nl
> 5357 se
> 4553 cz
> 2897 net
> 2763 eu
> 2044 pl
> 1661 org
> 1070 no
> 1035 hu
> 992 fr
> 916 nu
> 731 uk
> 701 info
> 594 be
> 562 ch
> 557 xyz
> 552 de
> 421 es
> 349 sk
> 346 dk
> 321 app
> 282 io
> 250 biz
> 240 pt
>
> If any of the TLDs have policies that allow the deadwood to be delisted
> (still registered, but not delegated) I can provide the list of
> domains... It would be nice to see less breakage in the live zones.
>
> --
> Viktor.
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
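Olafur's reason (b), a key rollover never pushed to the parent's DS, and Viktor's split between plainly lame domains and DNSSEC-specific breakage can both be checked offline once an operator has the parent DS RRset and the child DNSKEY RRset in hand. The Python below is an added example, not code from this thread; the zone name, the key bytes and the DS records are constructed, and the check covers only DS digest types 2 (SHA-256) and 4 (SHA-384).

```python
import hashlib

# DS digest types this check supports: 2 = SHA-256 (RFC 4034), 4 = SHA-384 (RFC 6605).
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}

def owner_wire(name: str) -> bytes:
    """Owner name in canonical (lower-case) DNS wire format, as hashed into a DS."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").lower().split("."))
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes) | protocol 3 (1 byte) | algorithm (1 byte) | public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag computed over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """The DS RR (key tag, algorithm, digest type, hex digest) a parent should hold for this key."""
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def classify_delegation(owner: str, parent_ds: list, child_dnskeys) -> str:
    """Bucket one delegation the way the survey in the thread does.

    parent_ds:     DS RRset seen at the parent, as (tag, alg, type, hex) tuples.
    child_dnskeys: DNSKEY RDATA list from the child apex, or None if the lookup failed.
    """
    if not parent_ds:
        return "unsigned"      # no DS: the parent vouches for no key at all
    if child_dnskeys is None:
        return "lame"          # apex does not answer; not a DNSSEC-specific problem
    published = {ds_from_dnskey(owner, k, t) for k in child_dnskeys for t in DIGESTS}
    seen = {(tag, alg, typ, hexd.lower()) for tag, alg, typ, hexd in parent_ds}
    return "ok" if published & seen else "ds-mismatch"   # e.g. rollover never reached the parent

# Constructed sample: a zone that rolled its KSK but never updated the parent DS.
ZONE = "example.test"
OLD_KSK = dnskey_rdata(257, 13, bytes(range(64)))        # placeholder key bytes, not a real key
NEW_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))   # placeholder key bytes, not a real key
STALE_PARENT_DS = [ds_from_dnskey(ZONE, OLD_KSK)]        # what the TLD still publishes

if __name__ == "__main__":
    print(classify_delegation(ZONE, STALE_PARENT_DS, [NEW_KSK]))           # ds-mismatch
    print(classify_delegation(ZONE, STALE_PARENT_DS, [NEW_KSK, OLD_KSK]))  # ok
    print(classify_delegation(ZONE, STALE_PARENT_DS, None))                # lame
```

Feeding this the DS set from the parent and the DNSKEY set fetched with CD=1 separates "DS points at a key the child no longer serves" from "the child does not answer at all", which is the distinction an operator needs before asking a registry to delist or a registrar to update the DS.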
