|
ICANN’s Security and Stability Advisory Committee (SECSAC) recently released some recommendations regarding the DNS infrastructure, specifying among other things, that sub-zone delegation be kept up-to-date.
“A zone and its parent must work together to ensure the parent always has the correct referral information and the parent must update the referral information upon request in a timely fashion.”
Translation: TLD operators need to work with ICANN to clean up their lame delegations.
The SECSAC report doesn’t mention, but I believe is trying to address, is the alarming fact that nearly 10% of the name servers listed in the root zone are lame, either they aren’t authoritative for the zones they are supposed to be, or they are unreachable much of the time.
Discussions of the matter on the DNSOP mailing list seem to indicate that this problem cannot be fixed by ICANN alone, but that the TLD registry operators must be more proactive in ensuring their root-listed name servers are kept in order.
Another potential problem that appears is the root-listed name server records not agreeing with the in-zone name server records. The TLD operators should be conscious of any variance and impact.
The problem of recursion, which is not mentioned in the SECSAC recommendations, also looms large. Many of the root-listed name servers have recursion enabled, which makes them more vulnerable to cache-poisoning attacks.
The complete report is available here. The detection of delegation problem with TLDs has been made easier, as daily reports for ccTLDs and gTLDs are being made available to diagnosis such matters.
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byDNIB.com
Sponsored byRadix
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byVerisign
It isn’t all that hard to do a lame check - Go to http://dnscheck.se and run it.
The code is in perl and easily downloaded.
It would take ICANN only a couple of minutes to create a script that would do this check on every TLD every day and post the results onto a set of web pages.
Recursion can be present with some of the earlier experimental IDN solutions that sent binary on the wire (circa 1998-2000), yet it largely is present as a legacy issue, where servers require updates to their software and / or configuration.
I ran root-listed nameservers for more than 8 years on 4 ccTLDs, and can say that there was little value to allowing recursion.