CircleID

ICANN's Security and Stability Advisory Committee (SECSAC) recently released some recommendations regarding the DNS infrastructure, specifying among other things, that sub-zone delegation be kept up-to-date.

"A zone and its parent must work together to ensure the parent always has the correct referral information and the parent must update the referral information upon request in a timely fashion."

Translation: TLD operators need to work with ICANN to clean up their lame delegations.

The SECSAC report doesn't mention, but I believe is trying to address, is the alarming fact that nearly 10% of the name servers listed in the root zone are lame, either they aren't authoritative for the zones they are supposed to be, or they are unreachable much of the time.

Discussions of the matter on the DNSOP mailing list seem to indicate that this problem cannot be fixed by ICANN alone, but that the TLD registry operators must be more proactive in ensuring their root-listed name servers are kept in order.

Another potential problem that appears is the root-listed name server records not agreeing with the in-zone name server records. The TLD operators should be conscious of any variance and impact.

The problem of recursion, which is not mentioned in the SECSAC recommendations, also looms large. Many of the root-listed name servers have recursion enabled, which makes them more vulnerable to cache-poisoning attacks.

The complete report is available here. The detection of delegation problem with TLDs has been made easier, as daily reports for ccTLDs and gTLDs are being made available to diagnosis such matters.

Written by Mark Foster, System Administrator

Related topics: DNS, Domain Registries, Security, Top-Level Domains