On May 22, 2013, at 3:10 PM, John C Klensin <john-ietf(_at_)jck(_dot_)com>
wrote:
--On Tuesday, May 21, 2013 11:07 +0200 Stephane Bortzmeyer
<bortzmeyer(_at_)nic(_dot_)fr> wrote:
...
Although these tests certainly contributed to the good
technical quality of the name servers, they were removed both
for commercial reasons (a registry has to make money to pay
its employees) and because it was easier to have the same
rules for ccTLDs and gTLDs (and ICANN forbids these technical
tests in gTLDs).
Occasional fantasies about IETF enforcement power and the
Protocol Police notwithstanding, it seems to me that, if one
wanted to require standards-conforming nameservers, the most
(and maybe only) effective way to do that would be requirements
in the contractual agreements between TLD registries and their
registrants. Recursively applying requirements down the tree is
not a new idea; RFC 1591 uses that language more than once.
We should be careful about requiring things like this (for whatever value of
"we"). Recursively applying requirements means that "we" are requiring service
providers (in this case registries) to pick fights with their customers. So
instead of having an IETF protocol police, "we" expect service providers to act
as local sheriffs.
It's not that service providers would never do this. There is some success in
getting ISPs to shut down spammers, but they are likely to cooperate when the
actions of the offenders are likely to damage either the service provider's
infrastructure, or harm other customers. This is not the case here. A DNS
server that ignores unknown record types does not hurt anyone who only queries
for A and AAAA records. And MX. It hurts people who try to deploy new record
types, so for now, it hurts experiments. It reduces the likelihood of a major
browser deploying a version with DANE enabled by default. This is definitely
harm, but beating one bad server into compliance does not fix the problem.
So "we" would be asking service providers to take a step with positive costs
(periodically testing servers, contacting customers, threatening them, and
following up), all to prevent a kind of harm that would only be prevented if
all other registrars in the world (or at least a vast majority) would do the
same. And if that harm was mitigated, and all the DNS servers in the world were
fixed, hardly anyone would notice.
Seems like a tough sell to me.
Yoav