North American Network Operators Group


Re: lame delegations

  • From: Derek J. Balling
  • Date: Fri Aug 18 15:15:05 2000


That's great at creation time, but what about when Customer-A leaves ISP-A to go to ISP-B, but doesn't bring his host records along with him?

ISP-A needs the ability to say "Attention $REGISTRAR, $HOSTNAME is no longer valid, as evidenced by the current lack of a PTR record. Please remove it".

The lack of a PTR record covers the case where PTR and host-record may not match so someone impersonates ISP-A asking the host name be destroyed. The PTR record has to completely not exist.

Of course, this is a great idea, but can we actually get it implemented by the relevant agencies? ;-)

D


At 2:56 PM -0400 8/18/00, Phillip Vandry wrote:
Why not this?

Registrars only accept to create a glue record if there already exists
a PTR entry for the requested address that points to the right name.

-Phil

 I suspect that solving this correctly would depend on the ICANN DNSO
 recognising the authentication mechanisms of the databases of the RIR's
 under the ICANN ASO (RIPE, ARIN, APNIC).

 Unfortunately, no-one thought of this problem when they let registrars
 inject host records. The only way to verify automatically that a host
 record is allowed from a given netblock is to use the same authentication
 mechanisms that (say) RIPE do for reverse delegations.
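
The two rules proposed in this thread (create a glue record only when a PTR for the address already points at the requested name; remove a host record only when the PTR is completely absent) can be sketched as below. This is an added example, not code from any poster or registrar: the dictionary stands in for real reverse-DNS lookups, the names and addresses are constructed, and treating a failed lookup as "unknown" rather than "absent" is an assumption of the example.

```python
import ipaddress

# Constructed reverse-zone data (documentation addresses, hypothetical names).
# None models a failed lookup (timeout/SERVFAIL), which is not an empty answer.
SAMPLE_REVERSE = {
    "10.2.0.192.in-addr.arpa": ["NS1.Customer-A.example."],
    "11.2.0.192.in-addr.arpa": ["dsl-11.isp-a.example."],
    "12.2.0.192.in-addr.arpa": None,
}

def _norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()

def ptr_state(hostname, address, reverse=SAMPLE_REVERSE):
    """Classify the PTR data for `address` relative to `hostname`.

    Returns "match", "mismatch", "absent" or "unknown".
    """
    # reverse_pointer builds the in-addr.arpa / ip6.arpa owner name.
    owner = ipaddress.ip_address(address).reverse_pointer
    if owner in reverse and reverse[owner] is None:
        return "unknown"  # lookup failed: never treat this as "no PTR"
    targets = {_norm(t) for t in reverse.get(owner) or []}
    if not targets:
        return "absent"
    return "match" if _norm(hostname) in targets else "mismatch"

def may_create(hostname, address, reverse=SAMPLE_REVERSE):
    """Creation rule: a PTR must exist and point at the requested name."""
    return ptr_state(hostname, address, reverse) == "match"

def may_remove(hostname, address, reverse=SAMPLE_REVERSE):
    """Removal rule: the PTR must not exist at all; a mismatch is not enough."""
    return ptr_state(hostname, address, reverse) == "absent"

if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):
        host = "ns1.customer-a.example"
        print(addr, ptr_state(host, addr),
              may_create(host, addr), may_remove(host, addr))
```
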