NCC reverse delegation criteria
Recently, a discussion regarding the checks performed by the NCC before reverse delegation is made came up on the members-discuss list. It was concluded that this should be discussed here rather than there.

The members archive might not be available to all, so I'll try to summarize. Please add your take on the summary if you find mine lacking.

The questioned practice was that the NCC rejects the delegation request if the target server is found to be an open recursor.

Some participants argued that this is not a technical problem, and some said yes it is.

Some held that the NCC has no authority to block a request, but it was argued that every delegation is subject to RFC 1591 responsibilities.

For starters, are the delegation requirements described somewhere?

Best regards,
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
In 1962, you could buy a pair of SHARKSKIN SLACKS, with a "Continental Belt," for $10.99!!
First question is (and RIPE should have the data): how many delegations do they reject because the server is an open recursor? In today's world, I suspect it would be quite low.

Tim

On Mon, Jun 10, 2019 at 3:23 AM Måns Nilsson <mansaxel@besserwisser.org> wrote:
Recently, a discussion regarding the checks performed by the NCC before reverse delegation is made came up on the members-discuss list. It was concluded that this should be discussed here rather than there.
The members archive might not be available to all, so I'll try to summarize. Please add your take on summary if you find mine lacking.
The questioned practice was that the NCC rejects the delegation request if the target server is found to be an open recursor.
Some participants argued that this is not a technical problem, and some said yes it is.
Some held that the NCC has no authority to block a request, but it was argued that every delegation is subject to RFC 1591 responsibilities.
For starters, are the delegation requirements described somewhere?
Best regards,
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
In 1962, you could buy a pair of SHARKSKIN SLACKS, with a "Continental Belt," for $10.99!!
Dear all,

Is a complete overview of the current policy / testing process available? To further this discussion, I think it would be good to have a full understanding of what the current state of affairs is in this context.

Kind regards,
Job
Måns,

Speaking mostly as myself, except where indicated below....

On 10/06/2019 09.22, Måns Nilsson wrote:
Recently, a discussion regarding the checks performed by the NCC before reverse delegation is made came up on the members-discuss list. It was concluded that this should be discussed here rather than there.
The members archive might not be available to all, so I'll try to summarize. Please add your take on summary if you find mine lacking.
The questioned practice was that the NCC rejects the delegation request if the target server is found to be an open recursor.
Some participants argued that this is not a technical problem, and some said yes it is.
In almost all cases, running an open resolver indicates a bad configuration. I'm actually having a hard time imagining a case where someone actually wants to run authoritative reverse DNS on the same server as a public DNS resolver. (I can imagine wanting to run an authoritative reverse DNS server on the same server as a _private_ DNS resolver, for split horizon reasons. I think that is a bad idea, but at least it makes some sense for some setups.)
Some held that the NCC has no authority to block a request, but it was argued that every delegation is subject to RFC 1591 responsibilities.
The RIPE NCC runs the parent zone for reverse DNS in its service region, so as I understand it has complete authority to decide what is a valid delegation or not. I am not aware of any laws requiring that Dutch membership-based organizations add specific delegations to particular zones, and I do not know what else would limit the authority of the RIPE NCC to manage the parent zone however it wants.

<DNS working group co-chair hat on>
The good news is that as a member of the RIPE community, you and all of the rest of us have a chance to shape the policy here. If we think that we need a RIPE policy or other RIPE community recommendation to the RIPE NCC regarding delegation to open resolvers, we have a policy process we can follow to make one.
<DNS working group co-chair hat off/>

Personally I think that it is unlikely that the RIPE DNS working group would recommend that the RIPE NCC delegate to open resolvers, but I am often wrong.
For starters, are the delegation requirements described somewhere?
This particular test case is described here:

https://github.com/zonemaster/zonemaster/blob/master/docs/specifications/tes...

I don't know how much modification the RIPE NCC has made from the standard Zonemaster configuration, but at least in the default setup this particular check is made.

Cheers,

-- 
Shane
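As an added illustration of the kind of check Shane points to, the script below is example code written for this page, not Zonemaster's implementation and not the RIPE NCC's. It sends a recursion-desired query for a name the tested server is not authoritative for and classifies the reply from its header flags, which is how an operator can confirm their own reverse nameserver does not serve recursion before requesting a delegation. The probe name, transaction id and the two sample replies are constructed here so the classifier can be exercised offline.

```python
"""Self-check for the 'open recursor' condition on an authoritative server.
Added example; not Zonemaster or RIPE NCC code. Sample replies are constructed."""
import socket
import struct
import sys

# Assumed probe name: something outside any in-addr.arpa zone the server serves.
PROBE_NAME = "example.com."
TXID = 0x1234


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build an A/IN query with RD=1, i.e. asking the server to recurse for us."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: only RD set
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def classify_response(resp: bytes, txid: int = TXID) -> str:
    """Classify a raw reply to the RD=1 probe.

    'open-recursor' : RA set, RCODE NOERROR, an answer present, AA clear
    'refused'       : RCODE REFUSED (5), recursion correctly denied
    'no-recursion'  : RA clear and no answer (pure authoritative behaviour)
    'other'         : anything else (treat as needing manual inspection)
    """
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    qr = (flags >> 15) & 1
    aa = (flags >> 10) & 1
    ra = (flags >> 7) & 1
    rcode = flags & 0xF
    if not qr:
        return "other"
    if rcode == 5:
        return "refused"
    if ra and rcode == 0 and an > 0 and not aa:
        return "open-recursor"
    if not ra and an == 0:
        return "no-recursion"
    return "other"


def probe(server: str, name: str = PROBE_NAME, timeout: float = 3.0) -> str:
    """Send the probe over UDP/53 to a server you operate and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify_response(data)


# Constructed sample replies (built here, not captured traffic).
# A recursor answering the probe: QR=1 RD=1 RA=1, NOERROR, one A record.
OPEN_RESOLVER_REPLY = (
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
    + encode_name(PROBE_NAME) + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)
# An authoritative-only server refusing the same query: QR=1 RD=1 RA=0, REFUSED.
REFUSED_REPLY = (
    struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0)
    + encode_name(PROBE_NAME) + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(sys.argv[1], "->", probe(sys.argv[1]))
    else:
        print("sample open resolver ->", classify_response(OPEN_RESOLVER_REPLY))
        print("sample refused       ->", classify_response(REFUSED_REPLY))
```

Run it with the IP address of your own nameserver as the only argument; anything other than "refused" or "no-recursion" means the server will be seen as offering recursion to the world, which is the condition the delegation check rejects.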
Shane Kerr <shane@time-travellers.org> wrote:
The good news is that as a member of the RIPE community, you and all of the rest of us have a chance to shape the policy here. If we think that we need a RIPE policy or other RIPE community recommendation to the RIPE NCC regarding delegation to open resolvers, we have a policy process we can follow to make one.
I couldn't find out how to use the policy process to get RFC 7344 CDS automation in place :-(

Tony.
-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Fair Isle, Faeroes: North or northwest 4 or 5, veering northeast 5 to 7. Moderate or rough, occasionally slight at first in south. Rain or showers. Good, occasionally moderate.
I couldn't find out how to use the policy process to get RFC 7344 CDS automation in place :-(
sounds more like education and engineering than policy. if not the dns wg, where may be lost in the s:n, maybe an ncc services request. randy
On 10 Jun 2019, at 17:04, Randy Bush <randy@psg.com> wrote:
I couldn't find out how to use the policy process to get RFC 7344 CDS automation in place :-(
Tony, all you need to do is write a proposal and post it to dns-wg@ripe.net. I’m sure the WG co-chairs will be happy to advise.
sounds more like education and engineering than policy. if not the dns wg, where may be lost in the s:n, maybe an ncc services request.
I’m not sure Randy. I agree a policy proposal and invoking the PDP might well be overkill. And take forever to complete. However I expect the NCC’s DNS team would be uncomfortable acting on a request from the NCC Services WG to do DNS stuff which hadn’t first been scrutinised or approved by the DNS WG.

Another option might be for the NCC’s DNS team to come to the DNS WG with a plan to support RFC7344 and get WG endorsement for that plan*. The same approach could be taken to discontinue delegations to authoritative reverse zone servers that have recursion enabled.

This is what we did several years ago when the NCC began to make an orderly exit from providing DNS slave service for TLDs. That was discontinued for the TLDs who could afford to buy that service elsewhere. Anand or Romeo would give an update to the WG on how that was progressing. The DNS WG provided feedback and approval. The NCC Services WG and the PDP weren’t involved. Though in retrospect I think the WG could have documented this better than we did.

* A variation on this would be for concerned WG members to discuss this with the NCC’s DNS team, work out the practicalities and develop a plan which then comes to the DNS WG for endorsement.
Tony, On 10/06/2019 17.44, Tony Finch wrote:
Shane Kerr <shane@time-travellers.org> wrote:
The good news is that as a member of the RIPE community, you and all of the rest of us have a chance to shape the policy here. If we think that we need a RIPE policy or other RIPE community recommendation to the RIPE NCC regarding delegation to open resolvers, we have a policy process we can follow to make one.
I couldn't find out how to use the policy process to get RFC 7344 CDS automation in place :-(
Shortly before RIPE 75 people (including yourself) called for CDS/CDNSKEY support:

https://labs.ripe.net/Members/anandb/the-future-of-dnssec-at-the-ripe-ncc

At RIPE 77, Anand mentioned that the RIPE NCC was thinking about CDS/CDNSKEY, but wanted some discussion beforehand:

https://ripe77.ripe.net/wp-content/uploads/presentations/137-RIPE77_DNS_Upda...

You again asked for support of CDS/CDNSKEY during the meeting itself.

The RIPE NCC recently announced at RIPE 78 that they now support RFC 8078 for reverse DNS:

https://ripe78.ripe.net/presentations/138-138-RIPE78_DNS_Update.pdf

This is only for updates (and I guess removals?) of DS records; the initial delegation has to be done manually.

It seems like everything worked pretty well to me, although I suppose one could argue that the wait was too long. I'm not sure that we need any more policies than what we have.

Of course, if the goal was ADDING of DS records, then I admit that the system is not there. I can see the benefit of being able to add DS records to the parent via CDS/CDNSKEY, especially for operators trying to secure (for example) reverse DNS for lots of /24's.

Is this important to you (or anyone else)?

Cheers,

-- 
Shane
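To make the CDS/CDNSKEY mechanism discussed above concrete, here is an added example (written for this page, not the RIPE NCC's implementation) of the parent-side logic that RFC 7344 and RFC 8078 describe: a child publishes CDS records at its apex, the parent compares them with the DS set it currently holds and updates, leaves alone, or removes the DS accordingly. It also shows how a DS is derived from a DNSKEY, so an operator can check what CDS they should be publishing for a reverse zone. The owner name, the key bytes and the DS sets are constructed sample data; the parent must still DNSSEC-validate the CDS RRset against the existing DS chain before acting on it, which is out of scope here.

```python
"""Parent-side handling of CDS records (RFC 7344 update/RFC 8078 delete).
Added example; not RIPE NCC code. All key material below is constructed."""
import hashlib
import struct
from typing import List, Tuple

# A DS or CDS record in presentation order: (key_tag, algorithm, digest_type, digest_hex)
DS = Tuple[int, int, int, str]

# RFC 8078 section 4: a CDS of "0 0 0 00" asks the parent to remove the DS RRset.
DELETE_CDS: DS = (0, 0, 0, "00")


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, as used for the DS digest."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> DS:
    """Derive the SHA-256 (digest type 2) DS record for a DNSKEY at `owner`."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)


def plan_ds_change(current_ds: List[DS], cds: List[DS]) -> Tuple[str, List[DS]]:
    """Decide what the parent should do with the child's (already validated) CDS set.

    Returns (action, resulting DS set) where action is one of
    'no-change', 'replace' or 'delete'.
    """
    cds_set, cur_set = set(cds), set(current_ds)
    if not cds_set:
        return ("no-change", current_ds)        # no signal published: leave DS alone
    if cds_set == {DELETE_CDS}:
        return ("delete", [])                   # RFC 8078 removal signal
    if any(r[1] == 0 or r[2] == 0 for r in cds_set):
        raise ValueError("delete signal mixed with real CDS records; refusing to act")
    if cds_set == cur_set:
        return ("no-change", current_ds)
    return ("replace", sorted(cds_set))         # RFC 7344 rollover: DS follows CDS


# Constructed sample: a reverse zone with a KSK (flags 257, algorithm 13).
SAMPLE_OWNER = "2.0.192.in-addr.arpa."
SAMPLE_KEY = bytes([0x10, 0x20, 0x30, 0x40])          # placeholder key bytes, not a real key
SAMPLE_DS = ds_from_dnskey(SAMPLE_OWNER, 257, 3, 13, SAMPLE_KEY)

if __name__ == "__main__":
    print("DS for", SAMPLE_OWNER, SAMPLE_DS)
    print("same CDS   ->", plan_ds_change([SAMPLE_DS], [SAMPLE_DS])[0])
    new_ds = ds_from_dnskey(SAMPLE_OWNER, 257, 3, 13, bytes([0x50, 0x60, 0x70, 0x80]))
    print("rolled CDS ->", plan_ds_change([SAMPLE_DS], [new_ds])[0])
    print("delete CDS ->", plan_ds_change([SAMPLE_DS], [DELETE_CDS])[0])
```

The mixed-signal case is rejected rather than guessed at: a CDS set that contains both a deletion marker and a real record is malformed, and a parent that acts on it either way can silently break or silently strip validation for the child zone. Adding a DS where none exists (the bootstrap case Shane mentions) is deliberately not handled, since RFC 8078 leaves the acceptance policy for that to the parent.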
On 10 Jun 2019, at 18.04, Shane Kerr <shane@time-travellers.org> wrote:
Of course, if the goal was ADDING of DS records, then I admit that the system is not there. I can see the benefit of being able to add DS records to the parent via CDS/CDNSKEY, especially for operators trying to secure (for example) reverse DNS for lots of /24's.
Is this important to you (or anyone else)?
I’ll raise my hand here. We hold a legacy PI /24, which means the parent, in the DNS sense, is run by a 3rd party, not us nor RIPE. Of course that 3rd party does not support DNSSEC, at least last time I asked.

Med venlig hilsen / Best regards

Erwin Lansing
Head of Security & Chief Technologist
Shane Kerr <shane@time-travellers.org> wrote:
The RIPE NCC recently announced at RIPE 78 that they now support RFC 8078 for reverse DNS:
https://ripe78.ripe.net/presentations/138-138-RIPE78_DNS_Update.pdf
Oh, this is cool! Is there any more information anywhere? I couldn't find any details in the RIPE database documentation.

I'm afraid I assumed from the lack of follow-up to my messages on this list after RIPE77 that nothing was happening!

https://www.ripe.net/ripe/mail/archives/dns-wg/2018-November/thread.html

Tony.
-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Plymouth, Biscay, Northeast Fitzroy: Northerly or northwesterly, becoming cyclonic in Biscay, 5 to 7, occasionally gale 8 at first. Moderate or rough, occasionally very rough at first. Rain or thundery showers. Good, occasionally poor.
Hi Tony,

On 11/06/2019 13:00, Tony Finch wrote:
The RIPE NCC recently announced at RIPE 78 that they now support RFC 8078 for reverse DNS:
https://ripe78.ripe.net/presentations/138-138-RIPE78_DNS_Update.pdf
Oh, this is cool! Is there any more information anywhere? I couldn't find any details in the RIPE database documentation.
We haven't yet implemented support for RFC 8078, but we're working on it, as I mentioned during my presentation. We will provide more information here on the mailing list about our progress, and we hope to have it implemented by the end of this year.

Please accept our apologies for not providing more information earlier.

Regards,
Anand Buddhdev
RIPE NCC
Good morning Måns,

We will come back to you shortly with answers to your and others' questions in this thread.

Regards,
Anand Buddhdev
RIPE NCC

On 10/06/2019 09:22, Måns Nilsson wrote:
Recently, a discussion regarding the checks performed by the NCC before reverse delegation is made came up on the members-discuss list. It was concluded that this should be discussed here rather than there.
The members archive might not be available to all, so I'll try to summarize. Please add your take on summary if you find mine lacking.
The questioned practice was that the NCC rejects the delegation request if the target server is found to be an open recursor.
Some participants argued that this is not a technical problem, and some said yes it is.
Some held that the NCC has no authority to block a request, but it was argued that every delegation is subject to RFC 1591 responsibilities.
For starters, are the delegation requirements described somewhere?
Best regards,
Subject: Re: [dns-wg] NCC reverse delegation criteria
Date: Tue, Jun 11, 2019 at 10:52:00AM +0200
Quoting Anand Buddhdev (anandb@ripe.net):
Good morning Måns,
We will come back to you shortly with answers to your and others' questions in this thread.
Excellent!

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
I hope I bought the right relish ... zzzzzzzzz ...
Participants (9): Anand Buddhdev, Erwin Lansing, Jim Reid, Job Snijders, Måns Nilsson, Randy Bush, Shane Kerr, Tim Wicinski, Tony Finch