[sig-policy] prop-038-v001: Amending APNIC's lame DNS reverse delegation

  • To: sig-policy at lists dot apnic dot net
  • Subject: [sig-policy] prop-038-v001: Amending APNIC's lame DNS reverse delegation policy
  • From: Toshiyuki Hosaka <hosaka at nic dot ad dot jp>
  • Date: Mon, 07 Aug 2006 16:14:20 +0900
  • List-archive: <http://www.apnic.net/mailing-lists/sig-policy>
  • List-help: <mailto:sig-policy-request@lists.apnic.net?subject=help>
  • List-id: APNIC SIG on resource management policy <sig-policy.lists.apnic.net>
  • List-post: <mailto:sig-policy@lists.apnic.net>
  • List-subscribe: <http://mailman.apnic.net/mailman/listinfo/sig-policy>, <mailto:sig-policy-request@lists.apnic.net?subject=subscribe>
  • List-unsubscribe: <http://mailman.apnic.net/mailman/listinfo/sig-policy>, <mailto:sig-policy-request@lists.apnic.net?subject=unsubscribe>
  • Organization: Japan Network Information Center (JPNIC)
  • User-agent: Thunderbird 1.5.0.5 (Windows/20060719)
    • 
      The proposal "Amending APNIC's lame DNS reverse delegation policy" has
      been sent to the Policy SIG for review. It will be presented at the
      Policy SIG at APNIC 22 in Kaohsiung, Taiwan, 4-8 September 2006. You are
      invited to review and comment on the proposal on the mailing list before
      the meeting.
      
      The proposal's history can be found at:
      
             http://www.apnic.net/docs/policy/proposals/prop-038-v001.html
      
      Regards,
      
      Toshiyuki Hosaka
      Policy SIG
      hosaka at nic dot ad dot jp
      
      _______________________________________________________________________
      
      prop-038-v001: Amending APNIC's lame DNS reverse delegation policy
      ________________________________________________________________________
      
      Author:      Terry Manderson, APNIC
                   <terry at apnic dot net>
      
      Version:     1
      
      Date:        7 August 2006
      
      
      Introduction
      ------------
      This is a proposal to modify APNIC's existing method for identifying and
      removing lame DNS reverse delegations, by adopting a definition of
      lameness that is consistent with generally-accepted best practice and
      other RIRs (where relevant).
      
      This proposal supersedes the previously adopted proposal, "prop-004-v001:
      A proposal for sweeping lame DNS reverse delegations".
      
      
      Proposal summary
      ----------------
      The APNIC Secretariat will check DNS reverse delegations to ensure that:
      
      - a delegated nameserver provides a valid answer for a SOA record of the
        domain
      - the answer returned is authoritative (AA bit set)
      
      The APNIC Secretariat will monitor all delegated nameservers in all
      relevant zones for lameness by way of UDP DNS query using the checks
      described above. If these checks fail then the delegation will be
      removed from the parent zone after reasonable attempts have been made to
      contact the domain contacts.
      
      
      Situation in other RIRs
      -----------------------
      
      LACNIC
      
      LACNIC is actively monitoring and correcting reverse delegations in its
      region, according to the following test:
      
          "A DNS server registered in LACNIC's system shall be considered to
          have Lame Delegation problems if a query of the SOA record of the
          DNS server does not provide an authoritative answer for said
          record."
      
              http://www.lacnic.net/en/politicas/lame.html
      
      ARIN
      
      ARIN is actively monitoring and correcting reverse delegations in its
      region, according to the following test:
      
          "A name server is tested by asking for data that has to be present
          in a zone, the script requests the SOA resource record. If the name
          server responds with a positive answer and claims to be
          authoritative, the name server is okay for that zone. Any other
          answer indicates that the name server is lame for the tested zone."
      
              http://www.arin.net/reference/lame_delegations.html
      
      RIPE NCC
      
      The RIPE community is currently discussing the issue of monitoring and
      correcting reverse delegations in its region:
      
          http://www.ripe.net/ripe/wg/dns/r52-minutes.html
      
      AfriNIC
      
          No activities or policies on lame delegations have been published by
          AfriNIC.
      
      
      Proposal details
      ----------------
      
      APNIC already has an active lame DNS policy; this proposal is to amend
      the existing policy by adopting a definition of lameness that is
      consistent with generally-accepted best practice and other RIRs.
      
      Under this proposal, a DNS reverse delegation will be considered lame
      if a delegated nameserver for a domain fails to return a valid
      authoritative answer for the domain’s SOA.
      
      Two weeks after EC approval the APNIC Secretariat will apply a reverse
      delegation monitoring procedure which checks that:
      
      - a delegated nameserver of a domain provides a valid answer for the
        SOA record
      - the answer returned is authoritative (AA bit set)
      
      The data in the SOA will not be checked for consistency between
      nameservers (that is, the zone serial will not be checked to see if it
      is synchronised with other nameservers).
      
      Once the delegation has been identified as lame, the Secretariat will
      follow a procedure which includes:
      
      - confirming the delegation is lame
      - making reasonable attempts to contact the domain contacts
      
      This operational procedure will be posted on the APNIC website prior to
      implementation and updated by the APNIC Secretariat as required.
      
      Once the delegation has been removed it can only be re-enabled by an
      authorised resource holder.
      
      
      Advantages and disadvantages of adopting the proposed policy
      ------------------------------------------------------------
      
      This policy brings APNIC in line with the majority of other RIRs on the
      view of lame DNS and what is currently considered best practice.
      
      
      Effect on APNIC members
      -----------------------
      
      Members will not see any adverse effects of this policy.
      
      
      Effect on NIRs
      --------------
      
      NIRs may need to consider their current mechanisms for maintaining and
      checking DNS delegations.
      
      
      References
      ----------
      
      APNIC, A proposal for sweeping lame DNS reverse delegations
          http://www.apnic.net/docs/policy/proposals/prop-004-v001.html