This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] NCC reverse delegation criteria
- Previous message (by thread): [dns-wg] NCC reverse delegation criteria
- Next message (by thread): [dns-wg] NCC reverse delegation criteria
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Jim Reid
jim at rfc1035.com
Tue Jun 11 19:15:47 CEST 2019
> On 11 Jun 2019, at 17:28, Jonas Frey <jf at probe-networks.de> wrote:
>
> As previously noted most (if not all) ccTLD registries do not block when
> an open recursor is found. (C/N/O: Verisign pass, EU EURID: pass, DE DENIC:
> pass with warn).
> Now that these ccTLDs deal with *a lot* more nameservers than RIPE
> (probably), why would it make sense for RIPE to force a block of them?

With the exception of gTLDs who pretty much have to do what ICANN tells them, registries are free to make their own policies on delegation. If the RIPE community wants a more restrictive or liberal delegation policy for reverse zones than some other registry, that is perfectly fine. The community decides. And what’s “right” for one registry isn’t necessarily right for another.

It’s not a question of how many/few nameservers a registry might need to check. That’s a (mostly unimportant) implementation detail.

> IMO: if the open resolver+auth. resolver is considered a bad setup (for
> operational reasons/resilience or whatever) then that should be left up
> to the company running it (as possible impact is limited to that -
> besides amplification).

Nope. There are other much more unpleasant impacts: consider cache poisoning. If your authoritative server also handles arbitrary recursive queries, I can make your name server query my DNS server which tells lies. Unless your server does DNSSEC validation, it will then spread these lies for me. Thanks! Worst case, I might even be able to hijack your authoritative domains by injecting new glue records for those domains into your server’s cache.

That said, I’m usually not in favour of preventing people or companies from doing stupid things - like intermingling recursive and authoritative DNS servers. [Darwinism will always win in the end.] I can get paid $$$$ to fix these broken setups. :-) But more importantly, people tend to learn best from their mistakes because they then make sure they don’t repeat them.
As someone once said “The IETF is not in the business of hanging people. But it does provide plenty of rope.” I think those comments apply very well here too.
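The check the thread is arguing about, whether a nameserver listed for a reverse delegation will recurse on behalf of arbitrary clients, comes down to one RD=1 query for a name the server is not authoritative for and a look at the flags in the reply. The script below is an added example, not part of Jim's message and not the RIPE NCC's own delegation checker. It assumes "example.com." as a probe name that a reverse-zone server should not own, uses the documentation address 192.0.2.1 in constructed replies, and the verdict labels ("open-recursor", "recursion-closed", "authoritative", "inconclusive") are its own. The demo classifies three constructed responses offline; the probe() function sends the same query over UDP when a server is given on the command line.

```python
"""Probe a nameserver for open recursion: send an RD=1 query for a name the
server should not be authoritative for and classify the reply by its flags.

Added example for the dns-wg thread, not the NCC's checker. Assumed values:
probe name example.com., constructed replies using 192.0.2.1, verdict labels.
"""
import secrets
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def encode_name(name):
    """Wire-encode a dotted name: "example.com." -> b"\\x07example\\x03com\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, txid, rd=True):
    """Build a DNS query; RD=1 asks the server to recurse on our behalf."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte header into the bits a recursion check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed back)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(response, expected_id):
    """Verdict for a reply to an RD=1 query for a name outside the server's zones."""
    if len(response) < 12:
        return "malformed"
    h = parse_header(response)
    if h["id"] != expected_id or not h["qr"]:
        return "malformed"
    if h["aa"]:
        return "authoritative"        # bad probe name: the server owns it
    if h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "open-recursor"        # it fetched and served data it does not own
    if h["rcode"] == RCODE_REFUSED or not h["ra"]:
        return "recursion-closed"     # REFUSED or RA=0: no recursion for us
    return "inconclusive"             # e.g. RA=1 but an empty or SERVFAIL reply


def build_response(query, flags, answer_ip=None):
    """Constructed reply for the offline demo: echo the question, add one A RR."""
    txid, = struct.unpack("!H", query[:2])
    question = query[12:]
    ancount = 1 if answer_ip else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + question
    if answer_ip:
        rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        rr += bytes(int(o) for o in answer_ip.split("."))
        msg += rr
    return msg


def demo():
    """Classify three constructed replies; flags: QR|RD|RA, QR|RD|REFUSED, QR|AA|RD."""
    q = build_query("example.com.", txid=0x1234)
    cases = {
        "open-recursor": build_response(q, 0x8180, "192.0.2.1"),
        "recursion-closed": build_response(q, 0x8105),
        "authoritative": build_response(q, 0x8500, "192.0.2.1"),
    }
    return {name: classify(r, 0x1234) for name, r in cases.items()}


def probe(server, qname="example.com.", port=53, timeout=3.0):
    """Send the probe over UDP and classify the reply (needs network access)."""
    txid = secrets.randbelow(0x10000)  # random ID so a spoofed reply is unlikely to match
    q = build_query(qname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify(data, txid)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        for name, verdict in demo().items():
            print(f"{name:18s} -> {verdict}")
```

An "authoritative" verdict means the probe name was badly chosen for that server, not that the server is fine; rerun with a name outside every zone it serves. The UDP probe only looks at the header, so a server that advertises RA=1 but returns an empty NOERROR reply is reported as inconclusive rather than guessed at.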