Home / Blogs

TLD Operators: Cleaning Up Lame Delegations

Mark Foster

ICANN's Security and Stability Advisory Committee (SECSAC) recently released some recommendations regarding the DNS infrastructure, specifying among other things, that sub-zone delegation be kept up-to-date.

"A zone and its parent must work together to ensure the parent always has the correct referral information and the parent must update the referral information upon request in a timely fashion."

Translation: TLD operators need to work with ICANN to clean up their lame delegations.

The SECSAC report doesn't mention, but I believe is trying to address, is the alarming fact that nearly 10% of the name servers listed in the root zone are lame, either they aren't authoritative for the zones they are supposed to be, or they are unreachable much of the time.

Discussions of the matter on the DNSOP mailing list seem to indicate that this problem cannot be fixed by ICANN alone, but that the TLD registry operators must be more proactive in ensuring their root-listed name servers are kept in order.

Another potential problem that appears is the root-listed name server records not agreeing with the in-zone name server records. The TLD operators should be conscious of any variance and impact.

The problem of recursion, which is not mentioned in the SECSAC recommendations, also looms large. Many of the root-listed name servers have recursion enabled, which makes them more vulnerable to cache-poisoning attacks.

The complete report is available here. The detection of delegation problem with TLDs has been made easier, as daily reports for ccTLDs and gTLDs are being made available to diagnosis such matters.

By Mark Foster, System Administrator
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Re: TLD Operators: Cleaning Up Lame Delegations Karl Auerbach  –  Jan 15, 2004 12:00 PM PDT

It isn't all that hard to do a lame check - Go to http://dnscheck.se and run it.

The code is in perl and easily downloaded.

It would take ICANN only a couple of minutes to create a script that would do this check on every TLD every day and post the results onto a set of web pages.

Re: TLD Operators: Cleaning Up Lame Delegations Jothan  –  Jan 23, 2004 11:34 AM PDT

Recursion can be present with some of the earlier experimental IDN solutions that sent binary on the wire (circa 1998-2000), yet it largely is present as a legacy issue, where servers require updates to their software and / or configuration.

I ran root-listed nameservers for more than 8 years on 4 ccTLDs, and can say that there was little value to allowing recursion.

To post comments, please login or create an account.

Related

Topics

DNS Security

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign

Whois

Sponsored byWhoisXML API

IP Addressing

Sponsored byAvenue4 LLC

New TLDs

Sponsored byAfilias

Cybercrime

Sponsored byThreat Intelligence Platform

Domain Names

Sponsored byVerisign