As an American, I could go for the ignorant stereotyping of the French. But being the good global citizen I try to be, I'll just see if someone can tell me if I'm missing something here, or if indeed AFNIC has lost its mind.
I recently requested that one of my .FR domains be delegated to new DNS servers. I got everything set up at my new DNS provider. But AFNIC won't perform the transfer because of the following "fatal" reason:
> ---- fatal ----
> Server doesn't listen/answer on port 53 for TCP protocol Ref: IETF RFC1035
> (p.32 4.2. Transport)
> The DNS assumes that messages will be transmitted as datagrams or in a byte
> stream carried by a virtual circuit. While virtual circuits can be used for
> any DNS activity, datagrams are preferred for queries due to their lower
> overhead and better performance.
In actuality, their error statement is not true. The primary/master server does listen/answer to TCP Port 53, just not to AFNIC's DNS servers, or anyone else's servers for that matter.
TCP Port 53 is used for zone transfers (as indicated in RFC1035). Nowhere in the RFC does it say that any DNS servers outside of the secondary/slave servers must have access to the Primary/Master server via that port. My provider has it set up that if you are not one of their slave servers, you don't get to access their DNS servers via TCP port 53. Last time I checked, that's called good and appropriate security.
None of the DNS servers at AFNIC are or will be authoritative for this domain. So why does AFNIC think that they have the right to usurp every DNS provider's security so that they can grab a zone file?
My Registrar called AFNIC asking for their logic. They said something along the lines of "We need to check the zone file for errors. If you drop the security and let us do the zone transfer, you can then re-start that security rule and everything will be okay."
Being that AFNIC grabs the SOA record at the new DNS servers, they should be able to ascertain the validity of the zone file.
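Before submitting a delegation change, an operator can see for themselves what a registry-side transport check of the kind quoted above observes. The following script is an added example written for this page, not code from the original post, from AFNIC or from any registrar: it builds an SOA query for a zone (the zone name `example.fr` and the server address given on the command line are placeholders assumed here), sends it over UDP, then over TCP with the two-byte length prefix that RFC 1035 section 4.2.2 prescribes, and reports for each transport whether an authoritative answer came back. A server that answers on UDP but has TCP/53 filtered shows up as `no answer` on the TCP line, which is the condition the quoted "fatal" message describes.

```python
import secrets
import socket
import struct

# Constructed placeholder values (not taken from the original post).
EXAMPLE_ZONE = "example.fr"
QTYPE_SOA = 6
QCLASS_IN = 1
DNS_PORT = 53


def encode_name(name):
    """Encode a dotted owner name as DNS wire-format labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_SOA, txid=None):
    """Build a plain query with RD=0, the way a test of an authoritative server is sent."""
    if txid is None:
        txid = secrets.randbelow(65536)   # random ID, so a stray reply cannot be matched
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-octet DNS header into the fields a transport check cares about."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # response bit
        "aa": bool(flags & 0x0400),      # authoritative answer
        "tc": bool(flags & 0x0200),      # truncated (UDP too small; retry over TCP)
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def tcp_frame(msg):
    """Over TCP each message is prefixed with its length in two octets (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    """Strip the two-octet length prefix, refusing short or over-long buffers."""
    if len(data) < 2:
        raise ValueError("no length prefix")
    (length,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("TCP DNS message shorter than its length prefix")
    return data[2:2 + length]


def query_udp(server, name, timeout=3.0):
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, DNS_PORT))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != parse_header(q)["id"]:
        raise ValueError("transaction ID mismatch")
    return hdr


def query_tcp(server, name, timeout=3.0):
    q = build_query(name)
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(tcp_frame(q))
        buf = b""
        while len(buf) < 2:                       # first collect the length prefix
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed before sending a length prefix")
            buf += chunk
        (length,) = struct.unpack("!H", buf[:2])
        while len(buf) < 2 + length:              # then the rest of the message
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed mid-message")
            buf += chunk
    return parse_header(tcp_unframe(buf))


def check_transports(server, name=EXAMPLE_ZONE):
    """Return {'udp': ..., 'tcp': ...} describing what an external tester would see."""
    results = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            hdr = fn(server, name)
            if hdr["qr"] and hdr["rcode"] == 0 and hdr["aa"]:
                results[transport] = "ok (authoritative answer)"
            else:
                results[transport] = "answered, rcode=%d aa=%s" % (hdr["rcode"], hdr["aa"])
        except (OSError, ValueError) as exc:
            results[transport] = "no answer (%s)" % exc.__class__.__name__
    return results


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder default
    zone = sys.argv[2] if len(sys.argv) > 2 else EXAMPLE_ZONE
    for transport, verdict in check_transports(server, zone).items():
        print("%s/53: %s" % (transport.upper(), verdict))
```

Run it against each of the new provider's name servers (`python3 check53.py <server-ip> <zone>`); the `tc` flag is decoded as well because a truncated UDP reply is the case in which a resolver, not only a secondary, must fall back to TCP.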
I know of no other Registry on the planet that requires zone file transfers to be allowed to non-authoritative name servers as a basis of compliance. Essentially, as a Registrant, I am being held hostage by this registry because of my unwillingness to drop security precautions.
Can anyone give me any logic that would give the people in France the thought that what they're doing is correct?
I'm at a loss, both because I can't understand their logic (or lack thereof) and the fact that I may have to steer my .FR domains away from my preferred DNS provider.
Très stupide, if you ask me.