[arin-ppml] New Version of ARIN-prop-126: Compliance Requirement
On 2/16/11 11:38 CST, Owen DeLong wrote:
> On Feb 16, 2011, at 8:47 AM, David Farmer wrote:
>> I support the intended result of this proposal and this text is an improvement. However, I have a problem with the removal of DNS service without some kind of signal to third parties.
>> As a third party under this proposal all I see is reverse DNS breaking and have no clue why. Is it an action by ARIN, a lame delegation, a temporary problem of some other kind?
> That's true in any resource revocation today, so, I'm not sure what you perceive as different.
The resource is removed from Whois when it is revoked.
> It isn't a lame delegation because there are no NS records to be lame.
> You see that there are no NS records, you can be reasonably certain it is action by ARIN, no?
OK, when ARIN suspends DNS service it removes the nameserver record in
the Whois entry, that works for me. When I read suspend DNS, I was
thinking only of breaking the glue records, as long as the Whois nameserver
records are removed too, then we are good.
>> One option would be some kind of status field associated with the Whois record stating the DNS service is suspended.
> I wouldn't oppose this, but, that's an operational matter ARIN can choose to implement, not really a policy issue.
>> Another option could be to change the DNS pointer records in Whois and the production DNS, referring to a DNS service operated by ARIN for suspended DNS. Maybe with a wildcard returning "Suspended.DNS.ARIN.net" as the PTR record for all recursive look-ups for resources that have the DNS suspended. This provides in-band feedback and feedback through Whois in the nameserver field.
> I think this is a very bad idea.
> Turning off DNS is one thing. Hijacking it is another. A similar tactic was tried by Network Solutions
> once upon a time to make revenue out of typos. It was not well liked by the community.
Yeah, after thinking about it more, that's not a good idea at all.
>> A final option, ARIN could simply publish a list of resources for which it has suspended DNS. This is my least preferred option, it is out-of-band and I have to go look someplace else than Whois. But it might be a good stop-gap solution allowing ARIN time to implement one or both of the above solutions.
> I wouldn't oppose this, but, again, it's an operational matter.
>> Breaking DNS in a way that is invisible to third parties is not good operational practice. In this case the cure might be worse than the disease. So find a way to operationally signal that DNS has been suspended, then I'll support the proposal. This might not require any change to the policy text itself, this may simply need to be an implementation note in the rationale.
> How is a lack of NS records invisible to third parties? I must be missing something in your thinking process
I was missing the idea that the nameserver record would be removed as
part of suspending DNS service. And yes it is an operational matter,
but it does matter.
Maybe that could be noted in the rationale that the Whois nameserver
record should be cleared as part of suspending DNS service.
David Farmer Email:farmer at umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952