[arin-ppml] New Version of ARIN-prop-126: Compliance Requirement

Owen DeLong owen at delong.com
Wed Feb 16 12:38:52 EST 2011 

On Feb 16, 2011, at 8:47 AM, David Farmer wrote:

> I support the the intended result of this proposal and this is text is an improvement.  However, I have a problem with the removal of DNS service without some kind of signal to third parties.
> 
> As a third party under this proposal all I see is reverse DNS breaking and have no clue why.  Is it an action by ARIN, a lame delegation, a temporary problem of some other kind.
> 
That's true in any resource revocation today, so, I'm not sure what you perceive as different.

It isn't a lame delegation because there are no NS records to be lame.

You see that there are no NS records, you can be reasonably certain it is action by ARIN, no?

> One option would be some kind of status field associated with the Whois record stating the DNS service is suspended.
> 
I wouldn't oppose this, but, that's an operational matter ARIN can choose to implement, not really a policy issue.

> Another option, could be to change the DNS pointer records in Whois and the production DNS, referring to a DNS service operated by ARIN for suspended DNS.  Maybe with a wildcard returning "Suspended.DNS.ARIN.net" as the PTR record for all recursive look-ups for resources that have the DNS suspended.  This provides in-band feed back and feedback through Whois in the nameserver field.
> 
I think this is a very bad idea.

Turning off DNS is one thing. Hijacking it is another. A similar tactic was tried by Network Solutions
once upon a time to make revenue out of typos. It was not well liked by the community.

> A final option, ARIN could simply publish a list of resource for which it has suspended DNS.  This is my least preferred option, it is out-of band and I have to go look someplace else then Whois.  But it might be a good stop-gap solution allowing ARIN time to implement one or both of the above solutions.
> 
I wouldn't oppose this, but, again, it's an operational matter.

> Breaking DNS in a way that is invisible to third parties is not good operational practice.  In this case the cure might be worse then the disease.  So find a way to operationally signal that DNS has been suspended then I'll support the proposal.  This might not require any change to the policy text itself, this may simply need to be an implementation note in the rationale.
> 
How is a lack of NS records invisible to third parties? I must be missing something in your thinking process
here.

Owen

> On 2/16/11 09:34 CST, Chris Grundemann wrote:
>> Hail PPML!
>> 
>> I am the primary AC shepherd for ARIN-prop-126: Compliance Requirement
>> and I would like to hear your comments and feedback on this new
>> version of the proposal (included below). If the community is happy
>> with this text; I will take the necessary steps as shepherd to advance
>> it to the next stage of the process, which would be getting the AC to
>> promote it to a draft policy (https://www.arin.net/policy/pdp.html).
>> 
>> One thing to note: This proposal updates existing policy and as such
>> not all of the text is new or a change. Please review the current
>> policy language when evaluating this proposal:
>> https://www.arin.net/policy/nrpm.html#twelve.
>> 
>> Thanks in advance for your input!
>> 
>> Cheers,
>> ~Chris
>> 
>> ####
>> 
>> ARIN-prop-126: Compliance Requirement
>> 
>> Proposal Originator: Marla Azinger
>> 
>> Proposal Version: 2
>> 
>> Date: 16 February 2011
>> 
>> Proposal type: new
>> 
>> Policy term: permanent
>> 
>> Policy statement:
>> 
>> Resource Review
>> Update the following NRPM Sections:
>> 
>> 12.4 - Update to: Organizations found by ARIN to be out of compliance
>> with current ARIN policy shall be required to update reassignment
>> information or return resources as needed to bring them into (or
>> reasonably close to) compliance.
>> 
>> 1. The degree to which an organization may remain out of compliance
>> shall be based on the reasonable judgment of the ARIN staff and shall
>> balance all facts known, including the organization's utilization
>> rate, available address pool, and other factors as appropriate so as
>> to avoid forcing returns which will result in near-term additional
>> requests or unnecessary route de-aggregation.
>> 2. To the extent possible, entire blocks should be returned. Partial
>> address blocks shall be returned in such a way that the portion
>> retained will comprise a single aggregate block.
>> 
>> (leave 12.5 as is)
>> 
>> 12.6 - Update to: Except in cases of fraud, an organization shall be
>> given a minimum of thirty (30) days to respond. If an organization
>> does not respond within those thirty (30) days, ARIN may cease
>> providing reverse DNS services to that organization. If progress of
>> resource returns or record corrections is not visible within sixty
>> (60) days after correspondence with ARIN began, ARIN will cease
>> providing reverse DNS services for the resources in question. At any
>> time after ninety (90) days have passed, ARIN may initiate resource
>> revocation as allowed in paragraph 12.5. ARIN shall negotiate a longer
>> term with the organization if ARIN believes the organization is
>> working in good faith to substantially restore compliance and has a
>> valid need for additional time to renumber out of the affected blocks.
>> 
>> Rationale:
>> 
>> Version 2 addresses several staff and legal concerns with the original
>> text of this policy by clarifying the language and making it more
>> concrete.
>> 
>> To date the community has not documented or firmly established use of
>> an effective enforcement mechanism. This policy will support current
>> policy and compel those who are allocated ARIN resources to maintain
>> the proper WHOIS records in accordance with ARIN NRPM. While it is
>> recognized this is not an absolute solution to ensure compliance, it
>> is the best method under current ARIN policies.
>> 
>> Timetable for implementation: Immediate
>> _______________________________________________
>> PPML
>> You are receiving this message because you are subscribed to
>> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
>> Unsubscribe or manage your mailing list subscription at:
>> http://lists.arin.net/mailman/listinfo/arin-ppml
>> Please contact info at arin.net if you experience any issues.
> 
> 
> -- 
> ===============================================
> David Farmer               Email:farmer at umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota	
> 2218 University Ave SE	    Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.

More information about the ARIN-PPML mailing list