ARIN-PPML Message

[arin-ppml] New Version of ARIN-prop-126: Compliance Requirement

On Feb 16, 2011, at 5:58 PM, David Farmer wrote:

> On 2/16/11 11:38 CST, Owen DeLong wrote:
>> 
>> On Feb 16, 2011, at 8:47 AM, David Farmer wrote:
>> 
>>> I support the the intended result of this proposal and this is text is an improvement.  However, I have a problem with the removal of DNS service without some kind of signal to third parties.
>>> 
>>> As a third party under this proposal all I see is reverse DNS breaking and have no clue why.  Is it an action by ARIN, a lame delegation, a temporary problem of some other kind.
>>> 
>> That's true in any resource revocation today, so, I'm not sure what you perceive as different.
> 
> The resource is removed from Whois when it is revoked.
> 
>> It isn't a lame delegation because there are no NS records to be lame.
>> 
>> You see that there are no NS records, you can be reasonably certain it is action by ARIN, no?
> 
> OK, when ARIN suspends DNS service it removes the nameserver record in the Whois entry, that works for me.  When I read suspend DNS, I was think only breaking the glue records, as long as the Whois nameserver records are removed too, then we are good.
> 
There shouldn't be glue records in in-addr.arpa. I do not believe that any nameservers in in-addr.arpa
are known as, for example:

10.159.192.in-addr.arpa.	IN	NS	ns.10.159.192.in-addr.arpa.

ns.10.159.192.in-addr.arpa	IN	A	192.159.10.2

To the best of my knowledge, such a construct is not even permitted in the current in-addr process,
so, removing glue would not be possible. Additionally, removing glue wouldn't make sense because
it would only affect name-servers whose A/AAAA records are names within the affected in-addr.arpa zone.
If you don't remove the NS records, you have not suspended DNS.

>>> One option would be some kind of status field associated with the Whois record stating the DNS service is suspended.
>>> 
>> I wouldn't oppose this, but, that's an operational matter ARIN can choose to implement, not really a policy issue.
>> 
>>> Another option, could be to change the DNS pointer records in Whois and the production DNS, referring to a DNS service operated by ARIN for suspended DNS.  Maybe with a wildcard returning "Suspended.DNS.ARIN.net" as the PTR record for all recursive look-ups for resources that have the DNS suspended.  This provides in-band feed back and feedback through Whois in the nameserver field.
>>> 
>> I think this is a very bad idea.
>> 
>> Turning off DNS is one thing. Hijacking it is another. A similar tactic was tried by Network Solutions
>> once upon a time to make revenue out of typos. It was not well liked by the community.
> 
> Yea, after thinking about it more that's not a good idea at all.
> 
:)

>>> A final option, ARIN could simply publish a list of resource for which it has suspended DNS.  This is my least preferred option, it is out-of band and I have to go look someplace else then Whois.  But it might be a good stop-gap solution allowing ARIN time to implement one or both of the above solutions.
>>> 
>> I wouldn't oppose this, but, again, it's an operational matter.
>> 
>>> Breaking DNS in a way that is invisible to third parties is not good operational practice.  In this case the cure might be worse then the disease.  So find a way to operationally signal that DNS has been suspended then I'll support the proposal.  This might not require any change to the policy text itself, this may simply need to be an implementation note in the rationale.
>>> 
>> How is a lack of NS records invisible to third parties? I must be missing something in your thinking process
>> here.
> 
> I was missing the idea that the nameserver record would be removed and part of suspending DNS service.  And yes it is an operational matter, but it does matter.
> 
Of course it matters. See above. It hadn't occurred to me that there was any other way to discontinue
DNS service and I still think there is not.

> Maybe that could be noted in the rational that the Whois nameserver record should be cleared as part of suspending DNS service.
> 
Assuming you mean the rationale, I don't think that the WHOIS nameserver record should be modified. I think that the DNS NS record should be temporarily removed until such time as a final resolution is achieved. At that time, either the entire whois record is removed, or, the NS records are restored (based on the whois data) or new NS records are inserted (based on an update which should also be applied to the whois record).

Owen

> 
> -- 
> ===============================================
> David Farmer               Email:farmer at umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota	
> 2218 University Ave SE	    Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================