Måns,
Speaking mostly as myself, except where indicated below....
On 10/06/2019 09.22, Måns Nilsson wrote:
> Recently, a discussion regarding the checks performed by the NCC before
> reverse delegation is made came up on the members-discuss list. It was
> concluded that this should be discussed here rather than there.
> The members archive might not be available to all, so I'll try to
> summarize. Please add your take on summary if you find mine lacking.
> The questioned practice was that the NCC rejects the delegation request
> if the target server is found to be an open recursor.
> Some participants argued that this is not a technical problem, and some
> said yes it is.
In almost all cases, running an open resolver indicates a bad configuration.
I'm actually having a hard time imagining a case where someone actually
wants to run authoritative reverse DNS on the same server as a public
DNS resolver. (I can imagine wanting to run an authoritative reverse DNS
server on the same server as a _private_ DNS resolver, for split horizon
reasons. I think that is a bad idea, but at least it makes some sense
for some setups.)
> Some held that the NCC has no authority blocking a request, but it was
> argued that every delegation is subject to RFC 1591 responsibilities.
The RIPE NCC runs the parent zone for reverse DNS in its service region,
so as I understand it has complete authority to decide what is a valid
delegation or not. I am not aware of any laws requiring that Dutch
membership-based organizations add specific delegations to particular
zones, and I do not know what else would limit the authority of the RIPE
NCC to manage the parent zone however it wants.
<DNS working group co-chair hat on>
The good news is that as a member of the RIPE community, you and all of
the rest of us have a chance to shape the policy here. If we think that
we need a RIPE policy or other RIPE community recommendation to the RIPE
NCC regarding delegation to open resolvers, we have a policy process we
can follow to make one.
<DNS working group co-chair hat off/>
Personally I think that it is unlikely that the RIPE DNS working group
would recommend that the RIPE NCC delegate to open resolvers, but I am
often wrong.
> For starters, are the delegation requirements described somewhere?
This particular test case is described here:
https://github.com/zonemaster/zonemaster/blob/master/docs/specifications/tests/Nameserver-TP/nameserver01.md
I don't know how much modification the RIPE NCC has made from the
standard Zonemaster configuration, but at least in the default setup
this particular check is made.
Cheers,
--
Shane
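
A simplified version of the kind of pre-delegation check discussed in this message, added here as an illustration; it is not code from the e-mail, from Zonemaster, or from the RIPE NCC, and it does not reproduce the nameserver01 algorithm. It assumes a heuristic: a server that answers a recursion-desired query for a name outside its own zones with RA set and NOERROR or NXDOMAIN is treated as an open recursor. The function names, the query name `example.com` and the sample replies are assumptions constructed for the example.

```python
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # DNS header flag bits (RFC 1035)
NOERROR, NXDOMAIN = 0, 3

def build_query(qname, qid=0x1234, qtype=1):
    """Encode a one-question DNS query with RD (recursion desired) set."""
    header = struct.pack("!6H", qid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!2H", qtype, 1)

def classify(response, qid=0x1234):
    """Judge a reply to an RD=1 query for a name outside the server's zones."""
    if len(response) < 12:
        return "malformed"
    rid, flags = struct.unpack("!2H", response[:4])
    if rid != qid or not flags & QR:
        return "malformed"
    rcode = flags & 0x000F
    # Recursion offered and the lookup actually carried out for the client.
    if flags & RA and rcode in (NOERROR, NXDOMAIN):
        return "open-recursor"
    return "not-recursive"      # REFUSED, SERVFAIL, or a referral with RA clear

def probe(server_ip, qname="example.com", timeout=3.0):
    """Send the query over UDP to a name server you operate and classify it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server_ip, 53))
        return classify(s.recvfrom(4096)[0])

def header(flags, an=0, ns=0):
    """Constructed 12-byte reply header for the offline samples below."""
    return struct.pack("!6H", 0x1234, flags, 1, an, ns, 0)

# Constructed sample replies (headers only), not captured traffic.
SAMPLES = {
    "refused": header(QR | RD | 5),
    "referral": header(QR | RD, ns=2),
    "recursed answer": header(QR | RD | RA, an=1),
    "recursed nxdomain": header(QR | RD | RA | NXDOMAIN),
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(f"{name:18} -> {classify(reply)}")
```

Run `probe()` from a network the server does not treat as a trusted client, otherwise a correctly restricted resolver will look open.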