[please do not explicitly send copies of followups to me] Jim Reid wrote/schrieb/scripsit:
"Stefan" == Stefan Paletta <stefanp@cabal1.com> writes:
Stefan> All, good to see nsd make progress (played with it a litte Stefan> while ago, but tinydns continues to serve me best).
Oh dear. It seems that the behaviour of tinydns is preventing you from registering domains in some TLDs. That wouldn't appear to be "serving you best", at least not to me anyway.
Bait not taken; rest assured, my choice of nameserver software has never hindered any registration (at least not yet) and I will never hesitate a second to cheat around useless requirements if necessary. I believe that diversity of software is actually a strong requirement for the stability of the Internet (but then I'm not geeting paid by a company that makes and sells nameserver software---SCNR!) and I welcome the effort RIPE has made to contribute to that. A simple, reliable and fast nameserver that groks BIND zonefiles is a good thing to have. What concerns me, though, is a possible limitation of use- fulness of NSD and I would expect RIPE to actually care about that, too (I am aware that this list is not authoritative wrt. this). Anyway, just let me know if that is not the case and I will shut up. (Though I might then -- at another place -- raise the question why RIPE is purposely wasting my money making nameserver software that is not usable for domains in some TLDs.)
Stefan> Some TLD registries, however, make unreasonable demands Stefan> regarding the behaviour of servers to which they delegate Stefan> zones. Most notably the .fr and .it registries, which Stefan> apparently demand that servers return a Stefan> (non-authoritative!, in the case of .it) referral to the Stefan> root servers when they are lame. These demands are highly Stefan> questionable -to say the least- and are hard and sometimes Stefan> impossible to follow for users of at least tinydns and Stefan> nsd.
While I am not speaking on behalf of these registries -- they can do that themselves -- I believe they're acting out of enlightened self-interest. "Don't come to us until your name servers are working" is not an unreasonable stance IMO.
It is entirely reasonable. Altough I firmly believe Darwinism is much better in selecting those who know DNS and those who don't, actively giving people clues about how to do it right is probably more within the spirit of the Internet. The problem here is just that the definition of 'working' is too often less than helpful. As I have already explained briefly -- and I think we will see more thoroughly later -- some checks are nonsensical in a technical way, actively hindering e.g. deployment of standards conformant software, and most of them fail to provide a continued use because they are nonrevisable, unenforcable and singular, i.e. people can screw up in wonderful ways once a zone has been delegated anyway.
Secondly, you should be aware that it's not for RIPE or the DNS WG to dictate policy to a ccTLD registry -- that's a national matter -- or tell anyone how to run their name servers. How an organisation chooses to operate its infrastructure is up to them. The WG can produce recommendations or a best common practice (eg RIPE-192) but that's it. People are free to accept or reject or ignore that advice as they see fit.
I was not asking for anyone to dictate policy at all. It is just that registries have a habit of not listening to their customers (esp. not those who apparently cannot get their nameserver to work 'correctly'). That is where a RIPE document at least gives people something in their hands to take to a registry and (hopefully) make them listen.
If you wish to prepare such a recommendation, go ahead. The matter can be discussed on this list and I'll be happy to arrange discussion time for the subject at future sessions of the WG. As WG chair, I would welcome a wider analysis of the registration policies of the TLD registries in the RIPE region (and beyond?) and try to see if some common guidelines can be established. This could be a worthwhile subject for a WG recommendation. The topic has exercised you, so I think you'd be an ideal candidate to get that work under way. :-)
Well first of all I am not familiar with the guidelines of such an undertaking (you probably guessed that ;-) ), but nonetheless, I am willing to collect, analyze and then evaluate such policies, given the necessary input from the community. As for a recommendation on reg. policies I have to say that probably my ideas about that, while being -- as far as I know -- well thought out, might simply be too radical to be suitable for inclusion in a document approved by this WG. For example quite a few registries have the requirement for at least two independent nameservers and that those have addresses not within the same /24. This can be replaced by one completely different re- quirement that, in contrast, is revisable, enforcable and actually useful. By all means, if someone wants to hear I will be happy to write this up and have it discussed and, for that matter, proven wrong.
And if I can be provocative, why don't you ask the author of djbdns to make the software do the Right Thing and at least *respond* whenever it gets a query for something it's not authoritative for?
Bait not taken again; there is, however, some truth in your statement. I agree that djbdns servers must respond in any case, and I found it not too hard to configure my servers to do the Right Thing and fall back to SERVFAIL. The method of adding a referral to the roots is also documented. Again, others may operate their servers the way they choose. -Stefan -- junior guru SP666-RIPE SMP@{IRC,SILC}