Re: [DNSOP] Delegation acceptance checks

Mon, 08 May 2023 03:32:02 -0700 

Hi HÃ¥vard,

On 5/7/23 01:10, Havard Eidnes wrote:

I guess it depends on what service the registry is actually
offering.

One way to look at it is that it's offering a service to extend the
public DNS name space to registrants.  In that scenario it makes
perfect sense to do a one-time check on initial registration or
update, with the intention of preventing the domain owner from
shooting himself in the foot.


How do you know it's a shot in the foot?

It's possible a registrant doesn't want to provide DNS service and just reserve the name. Or, as 
Joe said, it could be a name served only in some "internal" context. If not used 
publicly, that doesn't seem "unhealthy".

For *registration* checks, there was no DNS service so far, so nothing breaks 
if none is configured.

(The situation may be different if a delegation update breaks the delegation, 
which might warrant a warning.)


On the technical side, I don't think anyone has suggested to
introduce repeated checks with de-registration either of a single NS
or an entire domain on auto-polit.  Does any public registry
actually do that sort of thing?  I've never heard of it.  I call
that a straw man.


If you have a .is domain and you don't follow the requirements in [1] 
(including conditions on NS reachability and consistency, child-size NS RRset 
content and TTL, SOA MNAME/RNAME/timers), the operator will receive the 
following message:

        The setup of zone <name>.is on its nameservers appears not to be
        according to ISNIC's requirements for .IS delegations.

        Please see requirements [1] for information on these conditions.

        Please make sure that the setup of domain <name>.is is according to
        the above conditions. The domain can be tested [2]

        ISNIC will put on hold domains not fulfilling the delegation
        requirements for extended periods. See article 21 in the .is
        delegation rules. See our rules [3]

        ISNIC will automatically park the domain if it is still non-compliant
        after being on hold due to technical non-compliance for 30 days.

[1]: https://www.isnic.is/en/domain/req
[2]: https://www.isnic.is/en/domain/test?domain=<name>.is
[3]: https://www.isnic.is/en/domain/rules#k6

Best,
Peter

--
https://desec.io/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to