Måns,

Speaking mostly as myself, except where indicated below....

On 10/06/2019 09.22, Måns Nilsson wrote:
Recently, a discussion regarding the checks performed by the NCC before reverse delegation is made came up on the members-discuss list. It was concluded that this should be discussed here rather than there.
The members archive might not be available to all, so I'll try to summarize. Please add your take on summary if you find mine lacking.
The questioned practice was that the NCC rejects the delegation request if the target server is found to be an open recursor.
Some participants argued that this is not a technical problem, and some said yes it is.
In almost all cases, running an open resolver indicates a bad configuration. I'm actually having a hard time imagining a case where someone actually wants to run authoritative reverse DNS on the same server as a public DNS resolver. (I can imagine wanting to run an authoritative reverse DNS server on the same server as a _private_ DNS resolver, for split horizon reasons. I think that is a bad idea, but at least it makes some sense for some setups.)
Some held that the NCC has no authority blocking a request, but it was argued that every delegation is subject to RFC 1591 responsibilities.
The RIPE NCC runs the parent zone for reverse DNS in its service region, so as I understand it has complete authority to decide what is a valid delegation or not. I am not aware of any laws requiring that Dutch membership-based organizations add specific delegations to particular zones, and I do not know what else would limit the authority of the RIPE NCC to manage the parent zone however it wants.

<DNS working group co-chair hat on>

The good news is that as a member of the RIPE community, you and all of the rest of us have a chance to shape the policy here. If we think that we need a RIPE policy or other RIPE community recommendation to the RIPE NCC regarding delegation to open resolvers, we have a policy process we can follow to make one.

<DNS working group co-chair hat off/>

Personally I think that it is unlikely that the RIPE DNS working group would recommend that the RIPE NCC delegate to open resolvers, but I am often wrong.
For starters, are the delegation requirements described somewhere?
This particular test case is described here:

https://github.com/zonemaster/zonemaster/blob/master/docs/specifications/tes...

I don't know how much modification the RIPE NCC has made from the standard Zonemaster configuration, but at least in the default setup this particular check is made.

Cheers,

--
Shane