[30596] in North American Network Operators' Group
Re: lame delegations
daemon@ATHENA.MIT.EDU (Derek J. Balling)
Fri Aug 18 15:14:20 2000
Mime-Version: 1.0
Message-Id: <p04320406b5c33a56aefb@[206.132.89.194]>
In-Reply-To: <200008181856.OAA10267@Iodine.Mlink.NET>
Date: Fri, 18 Aug 2000 12:12:17 -0700
To: Phillip Vandry <vandry@Mlink.NET>,
Joshua Goodall <joshua@roughtrade.net>
From: "Derek J. Balling" <dredd@megacity.org>
Cc: nanog@merit.edu, lir-wg@ripe.net
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Errors-To: owner-nanog-outgoing@merit.edu
That's great at creation time, but what about when Customer-A leaves
ISP-A to go to ISP-B, but doesn't bring his host records along with
him?
ISP-A needs the ability to say "Attention $REGISTRAR, $HOSTNAME is no
longer valid, as evidenced by the current lack of a PTR record.
Please remove it".
The lack of a PTR record covers the case where PTR and host record
may not match, so someone impersonates ISP-A asking that the host name be
destroyed. The PTR record has to completely not exist.
Of course, this is a great idea, but can we actually get it
implemented by the relevant agencies? ;-)
D
At 2:56 PM -0400 8/18/00, Phillip Vandry wrote:
>Why not this?
>
>Registrars only accept to create a glue record if there already exists
>a PTR entry for the requested address that points to the right name.
>
>-Phil
>
>> I suspect that solving this correctly would depend on the ICANN DNSO
>> recognising the authentication mechanisms of the databases of the RIR's
>> under the ICANN ASO (RIPE, ARIN, APNIC).
>>
>> Unfortunately, no-one thought of this problem when they let registrars
>> inject host records. The only way to verify automatically that a host
>> record is allowed from a given netblock is to use the same authentication
>> mechanisms that (say) RIPE do for reverse delegations.
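The two rules the thread describes (Phil's PTR precondition for creating a glue record, and Derek's "the PTR must completely not exist" precondition for honouring a removal request), as an added Python example that is not part of the list archive. The PTR table is constructed (RFC 5737 documentation addresses, made-up names), and the reverse-name helper also accepts IPv6 addresses, which the thread does not mention.

```python
import ipaddress
from typing import Mapping, Optional

# Constructed PTR data standing in for the reverse zones. The addresses are
# RFC 5737 documentation space and the names are made up for this example.
PTR_TABLE: Mapping[str, str] = {
    "10.2.0.192.in-addr.arpa.": "ns1.example.net.",   # PTR matches the host name
    "20.2.0.192.in-addr.arpa.": "mail.example.org.",  # PTR exists but points elsewhere
    # 192.0.2.30 deliberately has no PTR at all
}


def reverse_name(address: str) -> str:
    """Owner name of the PTR for an IPv4 or IPv6 address (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def normalize(name: str) -> str:
    """Canonical FQDN: DNS names are case-insensitive, so compare lowercase with one trailing dot."""
    return name.strip().rstrip(".").lower() + "."


def lookup_ptr(address: str, table: Mapping[str, str] = PTR_TABLE) -> Optional[str]:
    """Return the normalized PTR target for the address, or None when no PTR exists."""
    target = table.get(reverse_name(address))
    return normalize(target) if target else None


def may_create_glue(hostname: str, address: str, table: Mapping[str, str] = PTR_TABLE) -> bool:
    """Phil's rule: accept a new glue record only if a PTR already points at this exact name."""
    return lookup_ptr(address, table) == normalize(hostname)


def may_remove_host(address: str, table: Mapping[str, str] = PTR_TABLE) -> bool:
    """Derek's rule: honour an ISP's removal request only when the PTR is entirely absent.

    A PTR that merely points at a different name is not sufficient, so a request
    from someone impersonating the ISP cannot destroy a still-valid host record.
    """
    return lookup_ptr(address, table) is None


if __name__ == "__main__":
    for host, addr in [("ns1.example.net", "192.0.2.10"),
                       ("ns1.example.net", "192.0.2.20"),
                       ("ns1.example.net", "192.0.2.30")]:
        print(f"{host} @ {addr}: create={may_create_glue(host, addr)} "
              f"remove={may_remove_host(addr)}")
```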