Hi Paul,

On 3 Nov 2020, at 09:59, Paul Wouters <[email protected]> wrote:

> You never replied to this. I would really appreciate an answer so that
> the Working Group knows whether or not your objection is still relevant,
> based on the below developments of the Registry that is running the
> TLD for which you were speaking.

Sorry about that, wasn't intentional. See below.

> On Tue, 11 Aug 2020, Paul Wouters wrote:
> 
>> So this statement aged badly with today's announcement from Afilias:
>> 
>> http://www.circleid.com/posts/20200811-afilias-to-protect-tlds-against-potential-orphan-glue-exploits/
>> 
>>       Afilias has informed registrars and registry clients that it is
>>       taking steps to remove orphan glue records from 200+ TLD zones
>>       in its care. This will eliminate the potential for a handful of
>>       domain names to be misused.
>> 
>>      Afilias identified a handful of domain names among the 20 million names

I am familiar with the contents of that blog post and the circumstances 
surrounding it. My position on the usefulness of this draft has not changed. 
See below for more detail.

PIR and Afilias identified a software defect that in certain cases allowed glue 
records to remain in the zone even though they had been removed from the 
registry. Since the ORG zone is relatively large and since the defect had 
existed for a long time, the number of lingering orphan glue records was 
significant, even though the circumstances by which they showed up were 
relatively rare.

The software defect was eliminated and the glue records associated with the 
defect were removed.

However, even a cursory look at the ORG zone today, long after these records 
were removed, reveals that there are many orphan glue records (in the DNS 
sense, not in the registry sense) that remain. An example of the circumstances 
that lead to these remaining glue records being present in the zone is the case 
where a domain is suspended for abuse according to our published procedures; in 
those circumstances the delegation is removed from the zone but any subordinate 
glue records that might exist will remain.

On 2020-09-22 there were 7207 such orphan glue records in the ORG zone.

On 2020-11-03 (today, zone serial 2014131123) there are 8155 such orphan glue 
records in the ORG zone.

>> Well, 200+ TLD's are now removing this problematic orphan glue due to
>> security reasons unrelated to this draft.

I have not done a survey of other TLD zones, but perhaps if I have a few spare 
minutes I'll take CZDS for a spin and see what I can see there.

>> So my question to Joe is, did you have any other concerns with allowing
>> this draft to move forward?

ORG is not a delegation-only zone today, and we do not expect it ever to be a 
delegation-only zone. Correspondingly, this is not a mechanism we would use in 
ORG.


Joe
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
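
The message above counts orphan glue "in the DNS sense": address records left in the zone with no delegation above them, as happens when a suspended domain's NS records are removed. The following is an added example, not part of the original message or of any registry's tooling, showing one way to make that count. It assumes a simplified zone text (one record per line, fully qualified owner names), a constructed sample zone under `example.`, and that the zone holds no authoritative address records below the apex.

```python
# Added example: list orphan glue (DNS sense) in a TLD-style zone.
# Assumed input: "owner ttl class type rdata" per line, fully qualified names.
# SAMPLE_ZONE is constructed data; suspended.example. has lost its NS records.
SAMPLE_ZONE = """\
example. 86400 IN SOA ns.registry.invalid. hostmaster.registry.invalid. 1 1800 900 604800 86400
example. 86400 IN NS ns.registry.invalid.
active.example. 86400 IN NS ns1.active.example.
ns1.active.example. 86400 IN A 192.0.2.10      ; glue under a live delegation
ns1.suspended.example. 86400 IN A 192.0.2.20   ; delegation removed, glue left
ns2.suspended.example. 86400 IN AAAA 2001:db8::20
"""

ADDRESS_TYPES = {"A", "AAAA"}

def parse(zone_text):
    """Yield (owner, rrtype, rdata) from the simplified zone text."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        owner, _ttl, _cls, rrtype, rdata = line.split(None, 4)
        yield owner.lower(), rrtype.upper(), rdata

def ancestors_or_self(name, origin):
    """Names from `name` up to, but not including, the zone apex."""
    labels = name.rstrip(".").split(".")
    apex_len = len(origin.rstrip(".").split("."))
    for i in range(len(labels) - apex_len):
        yield ".".join(labels[i:]) + "."

def orphan_glue(zone_text, origin):
    """Address records with no delegation (NS set) at or above the owner."""
    origin = origin.lower()
    records = list(parse(zone_text))
    delegations = {o for o, t, _ in records if t == "NS" and o != origin}
    orphans = []
    for owner, rrtype, rdata in records:
        if rrtype not in ADDRESS_TYPES or owner == origin:
            continue
        if not any(n in delegations for n in ancestors_or_self(owner, origin)):
            orphans.append((owner, rrtype, rdata))
    return orphans

if __name__ == "__main__":
    for rec in orphan_glue(SAMPLE_ZONE, "example."):
        print(*rec)
```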
