ietf

Re: Deployment of standards compliant nameservers

2013-05-22 18:42:52

In message 
<6(_dot_)2(_dot_)5(_dot_)6(_dot_)2(_dot_)20130522123025(_dot_)0b3efed0(_at_)resistor(_dot_)net>,
 SM writes:
At 05:56 22-05-2013, Moriarty, Kathleen wrote:
providers.  While tying this to contracts seems like a good idea, 
that is out of our hands at the IETF.  If we went down the path of 
enforcement through contracts, I wouldn't view this as picking 
fights, but rather a proactive service to 'help' customers.  Having 
said that, I think if we can improve the applications that 
generate their DNS files, it would be more effective long 
term.  While some teams are technical enough to validate their own 
DNS, others prefer more full service applications.

Maybe a review of existing applications would be helpful for the 
community?  I just see the following on Wikipedia:
http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
and
http://en.wikipedia.org/wiki/DNS_management_software

How about adding a column for compliance to RFCs?  Or a description 
that makes people

RFC 1035 is updated by 24 RFCs.  There are a few errata which have 
been filed.  The topic says "standards compliant".  Which standard(s) 
does that refer to?  I read "compliance to RFCs", which RFCs does the 
implementation have to comply with?
 
RFC 1034 and RFC 1035.  I've tried to capture the reason why I started
this thread in:
http://tools.ietf.org/html/draft-andrews-dns-no-response-issue-01

Basically nameservers are supposed to reply to queries directed at
them.  RFC 1034 and RFC 1035 have enough error codes that you
should be able to reply to every query sent to them.   You don't
have to return the data.  You don't even have to understand the
query.  You do have to respond.

So if the message is 12 octets or bigger and the QR bit is set to
1 you should be able to respond.  RFC 1034 and RFC 1035 have a
response code for *every* possible message you receive.

It has been mentioned [1] on this mailing list that:

   "But there was no energy to get the work done and the drafts languished
    for months without any changes.  It still seems a worthwhile project,
    but there is no evidence that we have a population interested enough
    to do the work."

If the IETF discusses contracts the discussion will evolve into 
turf wars (an acrimonious dispute between rival groups over territory 
or a particular sphere of influence).  The interesting point in the 
message (quoted above) is about providing information so that people 
can assess what's good or bad.  In my opinion it's doable (note that 
I am leaving out a few minor details :-)).

At 07:00 22-05-2013, John C Klensin wrote:
I wouldn't suggest trying to mandate anything top-down.  If
nothing else, ICANN's track record for being able to enforce its
mandates is very poor (and that is arguably a good thing).  On

:-)

the other, we talk a lot about reputations and the advantages of
end sites being able to base policies on them.   If whatever the
actual restrictions that, according to Stephane, forbid TLDs
from imposing "we require you to have a competent nameserver and
will test" were removed then, especially with the coming huge
increase in TLDs, it would make it possible for registries to
compete on the degree to which they wanted to offer assurances
of quality DNS servers and services in subsidiary zones.

Yes.  I gather that domain names are registered to advertise services 
and that these services rely on working nameservers.

I was reading the following [2] (the reader is cautioned against 
drawing hasty conclusions):

   "AFNIC (The sole registrar of .fr domains) does not follow the ICANN
    policies for name server queries."

Here's a gem:

   "Other registrars are fully able to query our name servers on TCP port 43
   (the ICANN required port)."

Nameservers hosting Icelandic domains (.IS domains) must comply with 
requirements [3].

More reading [4]:

   "The .DE registry has certain requirements for nameservers that can be
    applied to .DE domains. Some of those requirements are that the
    nameserver IP addresses must be in separate class C networks, and that
    the nameserver must provide SOA."

For .NL domains, the nameservers must comply with the registry 
requirements [5].

People put more effort and money in trademarking strings than making 
the strings work.

Regards,
-sm

1. http://www.ietf.org/mail-archive/web/ietf/current/msg79409.html
2. https://my.bluehost.com/cgi/help/536
3. http://www.isnic.is/en/host/req
4. http://www.namecheap.com/support/knowledgebase/article.aspx/294/
5. http://www.opensrs.com/docs/opensrsrwi/nl_dns_requirements.htm 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org
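
The "always respond" rule discussed in the message above, as an added example that is not part of the original mail or of any nameserver's code: a function that picks a reply for each received UDP payload, following RFC 1035 section 4.1.1, where QR=0 marks a query. The names `question_end` and `build_reply` are hypothetical, and the sketch assumes a server that implements only opcode 0 (QUERY) and serves no zones, so every parseable query gets REFUSED.

```python
import struct

# Added example: RCODE values from RFC 1035 section 4.1.1.
FORMERR, NOTIMP, REFUSED = 1, 4, 5
HEADER_LEN = 12

def question_end(msg):
    """Offset just past the first question (QNAME, QTYPE, QCLASS), or None."""
    off = HEADER_LEN
    while off < len(msg):
        length = msg[off]
        if length > 63:              # pointer or reserved label type: malformed here
            return None
        off += 1 + length
        if length == 0:              # root label ends the name
            return off + 4 if off + 4 <= len(msg) else None
    return None                      # ran off the end of the message

def build_reply(msg):
    """Reply bytes for one received UDP payload, or None when no reply is due."""
    if len(msg) < HEADER_LEN:
        return None                  # no complete header, so no ID to echo
    ident, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000:
        return None                  # QR=1 marks a response; answering it risks loops
    opcode = (flags >> 11) & 0xF
    rd = flags & 0x0100              # RD is copied into the response

    def reply(rcode, question=b""):
        out = 0x8000 | (opcode << 11) | rd | rcode
        counts = (1 if question else 0, 0, 0, 0)
        return struct.pack("!HHHHHH", ident, out, *counts) + question

    if opcode != 0:
        return reply(NOTIMP)         # opcode this server does not implement
    end = question_end(msg) if qdcount == 1 else None
    if end is None:
        return reply(FORMERR)        # cannot parse the question section
    return reply(REFUSED, msg[HEADER_LEN:end])   # parsed, but no data served

# Constructed sample: standard query for example.com, type A, class IN, RD set.
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")

if __name__ == "__main__":
    print(build_reply(SAMPLE_QUERY).hex())
```

Only two inputs get no reply: payloads shorter than the 12-octet header and messages that are themselves responses.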