[dns-wg] NCC reverse delegation criteria
Shane Kerr
shane at time-travellers.org
Mon Jun 10 17:35:15 CEST 2019
Måns,

Speaking mostly as myself, except where indicated below....

On 10/06/2019 09.22, Måns Nilsson wrote:
> Recently, a discussion regarding the checks performed by the NCC before
> reverse delegation is made came up on the members-discuss list. It was
> concluded that this should be discussed here rather than there.
>
> The members archive might not be available to all, so I'll try to
> summarize. Please add your take on summary if you find mine lacking.
>
> The questioned practice was that the NCC rejects the delegation request
> if the target server is found to be an open recursor.
>
> Some participants argued that this is not a technical problem, and some
> said yes it is.

In almost all cases, running an open resolver indicates a bad configuration. I'm actually having a hard time imagining a case where someone actually wants to run authoritative reverse DNS on the same server as a public DNS resolver.

(I can imagine wanting to run an authoritative reverse DNS server on the same server as a _private_ DNS resolver, for split horizon reasons. I think that is a bad idea, but at least it makes some sense for some setups.)

> Some held that the NCC has no authority blocking a request, but it was
> argued that every delegation is subject to RFC 1591 responsibilities.

The RIPE NCC runs the parent zone for reverse DNS in its service region, so as I understand it, it has complete authority to decide what is a valid delegation or not. I am not aware of any laws requiring that Dutch membership-based organizations add specific delegations to particular zones, and I do not know what else would limit the authority of the RIPE NCC to manage the parent zone however it wants.

<DNS working group co-chair hat on>

The good news is that as a member of the RIPE community, you and all of the rest of us have a chance to shape the policy here. If we think that we need a RIPE policy or other RIPE community recommendation to the RIPE NCC regarding delegation to open resolvers, we have a policy process we can follow to make one.

<DNS working group co-chair hat off/>

Personally I think that it is unlikely that the RIPE DNS working group would recommend that the RIPE NCC delegate to open resolvers, but I am often wrong.

> For starters, are the delegation requirements described somewhere?

This particular test case is described here:

https://github.com/zonemaster/zonemaster/blob/master/docs/specifications/tests/Nameserver-TP/nameserver01.md

I don't know how much modification the RIPE NCC has made from the standard Zonemaster configuration, but at least in the default setup this particular check is made.

Cheers,

--
Shane