<<<
Chronological Index
>>> <<<
Thread Index
>>>
ccNSO comments on Technical Checks Used for DNS Root Zone Changes
- To: <techcheck-comments@xxxxxxxxx>
- Subject: ccNSO comments on Technical Checks Used for DNS Root Zone Changes
- From: "Chris Disspain" <ceo@xxxxxxxxxxx>
- Date: Mon, 25 Sep 2006 10:52:06 +1000
ccNSO comment to IANA consultation
----------------------------------
This document is a ccNSO comment to the IANA/ICANN paper sent the 18th of
August: "Comments Sought on Technical Checks Used for DNS
Root Zone Changes", see:
http://www.icann.org/announcements/announcement-18aug06.htm
This document was prepared by the ccNSO IANA Working Group and has been open
for comment by members of the ccNSO.
The Country Code Names Supporting Organization (ccNSO) is the policy
development body for a narrow range of global ccTLD issues
within the ICANN structure, see: http://ccnso.icann.org/
The ccNSO IANA Working Group is the working group set up by the to improve the
service and communication that IANA provides to
ccTLDs,
see: http://ianawg.ccnso.org <http://ianawg.ccnso.org/> .
The IANA WG mandate is available here:
http://ianawg.ccnso.org/pub/IANAWG/WebHome/cc-0001.pdf
ccTLD concerns considered by the IANA WG are listed here:
http://ianawg.ccnso.org/pub/IANAWG/WebHome/cc-0000.txt
Summary:
- This open consultation is a good approach and the proposed IANA paper
is a good starting point;
- A simple, light and reliable process must be implemented, remembering
that the IANA service is more critical than
operationally heavy;
- We welcome and encourage IANA to pursue its objective to implement a
more automated process for root zone management but
strongly recommend that there is a full evaluation of the potential impact this
could have on security;
- We recommend work on a single list of technical requirements without
specific references to who is checking what;
- We stress that local registries might need to implement specific NS
configurations to respond to local needs or
constraints;
- IANA technical systems must not prevent ccTLD operators from managing
the registry in accordance with their local needs,
constraints or strategies as long as they are technically valid.
Background:
----------
Technical Checks performed before DNS Root Zone Changes was identified by the
IANA WG as one of the main concerns for ccTLDs, see:
http://ianawg.ccnso.org/pub/IANAWG/WebHome/cc-0000.txt
In November 2005, IANA provided the IANA WG with a factual description of the
current technical checks performed for DNS Root Zone
Changes.
This document is available here:
http://ianawg.ccnso.org/pub/IANAWG/WebHome/cc-0003.pdf
Doc summary (ianawg ref):
cc-0003 :IANA Technical Checks:nov 2005:iana documentation:000003
:IANA Technical checks:may 2006: acknowledged
:[description of current IANA procedures to checking NS upon ccTLD
request]
In June 2006, IANA posted to the group a "discussion paper on suitable
technical checks for root zone entries", see:
http://ianawg.ccnso.org/pub/IANAWG/WebHome/cc-0012.pdf
Doc summary (ianawg ref):
cc-0012 :discussion paper on suitable technical checks for root zone entries
:jun 2006:iana documentation:000038
:IANA technical checks-ccTLD test and procedures:jul 2006
:under
consideration:[http://www.icann.org/announcements/announcement-18aug06.htm]
ccNSO position:
----------------
Having considered the issues, the ccNSO view can be summarised as follows:
1.there is a consensus that IANA must not perform checks that are not really
necessary: the number of checks should be minimised,
focusing on efficiency, security and appropriate NS management ;
2.although discussions are still in progress on specific matters, a
set of requirements for TLD zones and their authoritative name
servers to be announced by the root have been identified (see below);
3.there are other specific technical configurations or features seen as
requirements by some ccTLDs while others think they should
not be seen as such. If checks were performed on those, they could be reported
should they fail, but shouldn't block a request for
root zone modification.
List of technical requirements for ccTLD operators:
---------------------------------------------------
The following set of specific requirements have consensus:
- Registry servers MUST be authoritative (bit 'aa');
- Registry servers MUST respond to TCP 53 connections;
- The list of NS announced (or to be announced) by the root MUST be
consistent with the list of NS announced by the authoritative
registry servers themselves;
- A response from the root to a query for a ccTLD MUST fit into
512 bytes;
- The IP addresses announced by the root (or to be announced) for each
NS MUST be consistent with IP address announced by the authoritative
NS themselves (*);
(*) On this last requirement, it was highlighted that the glue issue
needed further consideration. In principle, root servers should
not announce IP addresses unless necessary for resolutions ;
Other requirements perceived as necessary by some and not by others include:
- minimum number of name servers, minimum number of networks (some
think that two name servers is for example a good minimum safeguard
which is not really constraining for registry operators, other argue
that anycast changes the rule as with anycast one IP address can
have any number of servers behind it);
- minimum number of servers responding to DNS queries (some suggest
that all authoritative NS servers for a TLD should respond to TCP NS
queries, other think that if the minimum number of required NS is
reached, this is enough);
- Registry NS must not be recursive in principle, but it seems that
this shouldn't be a IANA requirement;
Moving forward:
---------------
The 18th of August, ICANN launched a public consultation called "Comments
Sought on Technical Checks Used for DNS Root Zone
Changes":
http://www.icann.org/announcements/announcement-18aug06.htm
Here are our comments on this paper:
General comment:
----------------
We welcome IANAs work on this important issue that directly impact the services
ccTLDs get from IANA: this initiative is a good
approach, the proposed paper is a good starting point.
We also welcome and encourage IANA to pursue its objective to implement a more
automated process for root zone management.
However we strongly recommend that there is a full evaluation of the potential
impact this could have on security, as well as on the
day to day communication with ccTLDs and on the service management. We suggest,
in principle, a simple, light and reliable process,
remembering that the IANA service is more critical than operationally heavy.
ccTLDs would prefer to see at this stage one single document listing technical
requirements for TLD present in the root without
specific reference to who is performing what. We highlight that, in the end,
IANA is the only operational party available to ccTLD
for root zone changes.
Finally, we highlight that local registries might need to implement specific NS
configurations to respond to local needs or
constraints.
These ways of offering the DNS service locally might not be usual, but
perfectly valid and relevant, without generating any risk for
the rest of the community; we do not want to see an IANA technical system that
would lead to a situation where those ccTLD operator
are not in a position to manage the registry in accordance with their local
needs, constraints or strategies.
Specific comments on IANA propositions:
> 1. There must be at least two name servers supplied, and they must
> not share the same IP address.
Some ccs agree believing that is a good safeguard, while others suggest this be
considered in the light of anycast (see previous
section 2: "List of technical requirements for ccTLD operators")
> 2. There must be no more than 13 name servers supplied.
Yes, but NS list including their IP(s) fitting in 512 bytes is also important.
> 3. The supplied hostnames for the authoritative name servers must
> be fully qualified domain names, with labels no longer than 63
> octets.
Yes, although work must be done to clarify in a single document what a "fully
qualified domain name" is from a root zone view.
> 4. The supplied authoritative name servers should be verifiably
> reachable over the public Internet....
Yes. Some ccTLDs believe however that as long as the minimum number of required
DNS server are responding (2 according to IANA), it
should be enough as a formal requirement.
> 5. In response to a query for the SOA record for the top-level
> domain, each of the supplied authoritative name servers must
> respond with a DNS answer with the "AA" bit set. (see RFC 1035,
> Section 4.1.1)
Agreed
> 6. IANA checks that the requested name servers match the "NS"
> Resource Record set in the children. IANA queries the NS RR-set
> returned by the authoritative name servers, and compare them to
> the supplied NS records for the root zone. These should match.
Agreed
> 7. IANA checks the A and AAAA records of the authoritative name
> servers, and compares them to the supplied glue records for
> inclusion in the root zone. These should match.
Agreed, but glue policy for root zone should be clarified (glue inclusion in
the root zone might not be always required).
> 8. IANA checks if other top-level domains use the supplied glue if
> the request represents an alteration to the name server's IP
> address. If the name server hostname is shared, it is not a
> technical failure per se, but IANA advises the applicant that
> it requires consensus from all affected parties, and starts a
> dialogue to check whether or not to proceed. (Note: this
> particular practice is the subject of a separate forthcoming
> IANA discussion paper)
Agreed, but glue policy for root zone should be clarified
> 9. IANA checks the serial numbers in the SOA records supplied by
> the authoritative name servers. These should match.
Synchronization between authoritative NS for ccTLD zone may be performed in
many different ways. This doesn't seem to prevent any
operator to publish consistent serials, however quite a few ccs have indicated
that they do not believe this should be seen as a
requirement.
> 10. IANA asks that the name servers be on geographically and network
> topologically separated networks. IANA currently loosely tests
> this by querying with the applicant on their network setup should
> all name servers be in the same "/24" IPv4 range.
Some ccs agree, while others ask to consider this in the light of anycast (see
previous section 2: "List of technical requirements
for ccTLD operators")
> 11. Should the request involve completely changing every NS record
> in the root, IANA asks the requestor to consider staggering the
> request in two passes such that any unexpected faults might be
> mitigated.
Yes, although it is more the responsibility of the operator to propose the
appropriate process, highlighting that one pass can be
enough if an appropriate process has been set up by the operator, although in
other circumstances two passes might not solve certain
problems. We acknowledge this is a difficult issue, we are not convinced that
this can be solved by an automatic technical check.
> 12. Whether the name servers have matching PTR records (both IPv4
> and IPv6)
Server names having matching PTR record is a good practise in many
circumstances, but not not always: this should not be a
requirement.
> 13. Whether the name servers have RFC 1918 addresses. (Note:
> supplying such an address would ordinarily fail IANA's tests
> due to unreachability.)
see comment below,
> 14. Whether the IP addresses are on the list of reserved IP
> addresses.
You certainly refer to this:
http://www.iana.org/assignments/ipv4-address-space and
http://www.iana.org/assignments/ipv6-address-space
see comment below,
> 15. Whether the last octet of the name server IP address is 0 or
> 255.
Comment for 13,14,15:
many things could be seen as requirements, for example the following provided
address: 194.6r:A.bad:AD:500A would pass those tests.
As a general principle, we believe that requirements expressed here should stay
focused on issues that are really necessary,
repeating a previous recommendation to keep a simple, light and reliable
process for DNS Root Zone Changes.
> 16. Whether the overall length of the name server hostname is less
> than 128 characters.
Although the theoretical hostname limit is 255 (rfc1123), 128 doesn't seem to
be an unreasonable practical limit. However, we think
that this is should not to be seen as a requirement for root zone change.
Regards,
Chris Disspain
Chair - ccNSO Council
Important Notice - This email may contain information which is confidential
and/or subject to legal privilege, and is intended for
the use of the named addressee only. If you are not the intended recipient, you
must not use, disclose or copy any part of this
email. If you have received this email by mistake, please notify the sender and
delete this message immediately. Please consider the
environment before printing this email.
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|