ICANN/DNSO
DNSO Mailing lists archives

[ga]



Re: [ga] Re: ICANN & Stability


On Wed, 18 Sep 2002, Alexander Svensson wrote:

> This standoff is painted a bit too dramatic by both sides.

I disagree; I find this issue to be extremely important from several
points of view.  ICANN's claims are technically incorrect and represent an
unwarranted expansion of its scope of authority (and are also based on
what I believe is rather unwarranted historical exegesis.)  And the way
that ICANN decreed these conditions lacks procedural integrity and
propriety.

On a technical basis, the information obtained by a zone transfer is
neither necessary nor sufficient to do a proper check of the quality of a
delegation.

A zone transfer is not necessary because all of the information that is
required to do a quality check can be obtained through the use of far less
intrusive (and less voluminous) standard DNS queries (using standard
tools like "dig").

A zone transfer is not sufficient because from the zone file alone it is
impossible to tell whether some of the servers are lame (i.e. there is a
delegation/NS record in the parent/root zone but the server itself doesn't
realize that it is supposed to be authoritative for the delegated zone.)  
This latter information, which is *not* present in the zone file, and thus
not visible to one who relies on a zone transfer, is completely visible
using standard DNS non-zone-transfer queries (and standard tools, like
"dig").

Take a look at Patrik Falstrom's delegation checker -
http://www.paf.se/domain/ - for a tool that does a reasonable set of
validity checks using quite routine tools and without doing a zone
transfer.

ICANN should not be in the business of checking that other items in a
zone, i.e.  items not related to the delegation linkage itself, are
correct - that is the responsibility of the zone operator.  ICANN's
responsibility is merely to ensure that the linkage from its root zone to
TLDs is solid.  Tools like those from Mice-n-Men and elsewhere (e.g.
"dnswalk") are appropriate for those who wish to test that other data in
the privacy of their own computers.

If ICANN's fears were real and even if a zone-transfer based evaluation
could form the basis of an adequate check, then a check at
delegation-update time would be far too infrequent.

However, the more focused, more accurate, more lightweight, and less
intrusive tests represented by Falstrom's checker could easily be
performed once every day for every delegation.

		--karl--





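The lame-server check described in the message above, as an added example that is not part of the original post: it classifies each server in a parent's NS set as authoritative, lame or unreachable from the header of a `dig +norecurse SOA` reply, with no zone transfer. The zone name, server names and dig output below are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample: what `dig +norecurse SOA example.test @<server>` might
# print for each server named in the parent's NS set (not real captures).
PARENT_NS = ["ns1.example.test.", "ns2.example.test.", "ns3.example.test."]
DIG_OUTPUT = {
    "ns1.example.test.": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2002091801 7200 3600 604800 3600
""",
    "ns2.example.test.": """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
""",
    "ns3.example.test.": ";; connection timed out; no servers could be reached\n",
}

STATUS = re.compile(r"status: (\w+)")
FLAGS = re.compile(r"^;; flags: ([a-z ]*);.*ANSWER: (\d+)", re.M)

def classify(dig_text):
    """Return 'authoritative', 'lame' or 'unreachable' for one server's reply."""
    status, flags = STATUS.search(dig_text), FLAGS.search(dig_text)
    if not status or not flags:
        return "unreachable"          # no DNS header at all: timeout or no route
    aa = "aa" in flags.group(1).split()
    answered = int(flags.group(2)) > 0
    # A server the parent delegates to must answer the zone's SOA with AA set.
    if status.group(1) == "NOERROR" and aa and answered:
        return "authoritative"
    return "lame"                     # it replied, but not as an authority

def check_delegation(parent_ns, outputs):
    """Classify every server in the parent's NS set; missing output = unreachable."""
    return {ns: classify(outputs.get(ns, "")) for ns in parent_ns}

if __name__ == "__main__":
    for ns, verdict in check_delegation(PARENT_NS, DIG_OUTPUT).items():
        print(f"{ns:22} {verdict}")
```
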
