To: "Jeffrey I. Schiller" <jis@MIT.EDU>
Cc: Randy Bush <randy@psg.com>, nanog@merit.edu
In-Reply-To: Your message of "Sat, 14 Jan 2006 17:06:20 EST."
<43C975DC.3000008@mit.edu>
From: Valdis.Kletnieks@vt.edu
Date: Sun, 15 Jan 2006 01:29:47 -0500
Errors-To: owner-nanog@merit.edu
On Sat, 14 Jan 2006 17:06:20 EST, "Jeffrey I. Schiller" said:

> Foolish me. Indeed all that is required is a way to detect that the
> delegation is lame (hopefully in a secure fashion) and remove the lame
> delegations. Of course that does leave the problem of what to do if all
> of the delegations are lame, as Randy has alluded to.

If all the delegations are totally lame, then as a *practical* matter the
domain is borked anyhow - the only information lost if you simply nuke the
whole thing is the SOA (and several incorrect NS records).

At one time, I would have suggested trying to contact the entity specified
on the SOA. But these days, I'm tempted to say that if they can't get *one*
NS pointing at something that will answer, they don't deserve a domain at all...

(As noted, there *is* an interesting security exposure if an attacker can force
an NS to be reported as lame. On the other hand, the current state of security
at most DNS registrars seems to imply that the DNS domain holders don't really
care about security anyhow.. ;)