[dns-wg] RIPE NCC's reverse DNS delegation process and stats

Dear colleagues,

As requested, here is some information about the reverse DNS delegation
process applied by the RIPE NCC.

We perform pre-delegation checks with a local instance of Zonemaster,
which is DNS delegation testing software that was developed by AFNIC and
IIS. The software performs the following tests:
https://github.com/zonemaster/zonemaster/tree/master/docs/specifications/tests


Test results are classified into one of five levels of severity: INFO,
NOTICE, WARNING, ERROR, or CRITICAL. This classification is governed by
a policy, and ours follows the default Zonemaster profile here:
https://github.com/zonemaster/zonemaster-engine/blob/master/share/profile.json

According to this policy, a name server offering recursion is classified
as ERROR. When we perform pre-delegation tests, the request is rejected
if any of the test results are classified at the ERROR or CRITICAL levels.

We have the results of pre-delegation tests going back to 30 June 2017.
Between then and now, we rejected 5,125 delegation requests for 1,833
zones because at least one of the name servers of a zone was an open
recursor. It's worth noting that these requests may have been rejected
for other reasons in addition to this one, and there were multiple
requests for some zones, which accounts for the imbalance between the
two numbers.

Finally, before Zonemaster we used software called DNScheck, which was
developed by IIS. This also checked for open recursive name servers and
classified this condition as an error.

Regards,
Anand Buddhdev
RIPE NCC