Minor errors:

2.1: "otherwise identical responses" -> "otherwise identical queries"

8.1: something's dodgy with the XML; the html version that xml2rfc produces puts the examples before the corresponding text rather than after.

Section 2: I'd use a word other than "class" since it's not used in its DNS technical sense.

Section 3: While I agree that it would be a good idea for TLD operators to audit the name servers to which their 2LDs are delegated, contacting people who can fix it is a mess. While there are only three TLDs where the registrar keeps the WHOIS info, two of them are the large .NET and the giant .COM, so in practice registrars have to do a lot of the work. Some domains have DNS service from the registrar, some from a hosting or other provider who may or may not be one of the registration contacts, some from other places. So you do what you can, but sometimes they'll still not get it.

As to the advice to TLD operators to un-delegate broken servers, good luck with that. For ICANN contracted TLDs it'd require a change to the RAA, which is unlikely to happen, and for everyone else, the registrant is likely to say "it works fine for me", which it probably does for simple A and MX queries. I'm not sure what to say instead, but it seems unwise to instruct people to do something you know they won't do.

Section 5: in the last sentence, I don't understand whether it means that none of them are attack vectors, or that some are and some aren't.

Section 8.1: this list of tests is great. I stared at it and I think it's all correct, other than the XML formatting problem, but due to the length and all the fiddly details, the more people who look at it, and ideally who implement it, the better.

Section 9: turning off servers that partly work is likely to have security implications, like zones disappearing from the Internet.

There are lots of minor typographic and grammar problems that I haven't mentioned. A thorough copy edit by someone other than the author would be useful. (This isn't saying anything bad about the author, just that we can't catch our own mistakes. BTDT, got copies of Internet for Dummies with egregious typos that went through three editions.)

One final thought: if the registry or someone is going to test all those nameservers anyway, should it also check other errors like lame delegation and broken or inconsistent DNSSEC keys at the same time?

R's,
John
