Hi all,
we just found out that RIPE seems to have silently integrated new
checks for reverse delegation of zones.
Its no longer possible to add or even change a zone if the nameservers
used by them are open recursors. The update will fail.
Yes - open recursors are (sometimes) bad. But there are legitimate
reasons to run them (freedom of speech, filtered resources etc). Once
properly configured (i.e. querys rate limited) they wont pose a threat.
I wasnt able to find any information on when this was implemented or if
this was even voted for (please someone supply me with links if
possible).
I dont know of any NIC/registrar that will deny the creation/update of
a domain name if the nameservers are recursors. I know that some will
warn but none will refuse it. Please fix me if there are some which
will indeed deny.
Of course i have created a ticket about this but it all went like "fix
the dns or we wont delegate".
So basically this is about 2 things: silently changing checks (if it
was indeed silent) and if those checks are really usefull or should
rather be dropped/changed to warnings.
Regards,
Jonas
