Recently our local SLD (co.za) registrar, UniForum, implemented a series
of what seem to me to be very strange checks.
I'm very familiar with pretty much all registrars' insistence that there
be at least two name servers, both of which respond authoritatively to
queries for the domain being registered. However, it is very troubling
news to me that for the co.za SLD there is now an insistence that, when
gluing a delegation, the PTR for the IP provided must match the NS A
record provided.
What problems does this create? Few if you have been delegated authority
of the in-addr.arpa records for whatever IP addresses you are using.
For me personally it creates quite a few problems though, since we lease
IP space from our upstream provider.
In-bailiwick delegations:
It is now almost impossible to register FOO.CO.ZA with the
name server NS1.FOO.CO.ZA. Why?
Firstly, due to IPv4 contention and the wishes of most providers that IP
space not be wasted on vanity PTR records and other nonsense, they
mostly require that the corresponding A record exist before they will
make changes to the PTR.
Secondly, if you are providing DNS to other people, you must now either
use out-of-bailiwick NS, have two IP addresses for every domain, or -
even worse - assign multiple PTR records to your IP space, something
most providers I'm certain would be unhappy with.
We could easily register domains providing our current reverse IP
records as the NS, but this to me is an uncomfortable position to be
forced into. I think anyone with a hint of knowledge about DNS is able
to see that this creates more lookups (since our servers are in the .NET
space), a situation which should be avoided. In-bailiwick and glued
delegations are to my understanding the best possible, and most optimal
way to delegate a domain.
Why am I moaning about this here? It has already been discussed at great
length on the local "Internet-Organisation" mailing lists, and from all
I can see the ZA Domain Name Authority are backing these checks that PTR
and NS records are in sync, despite the fact that it has only been
proven to be of no purpose. UniForum have claimed that this is to avoid
the problem whereby someone is able to poison another domain by
providing invalid glue (their statement lies here:
http://co.za/news/reg_vul.shtml) - when, to my and others' logic, the
onus is on them to discard glue for NS records that are outside of the
zone being registered.
Evidently, the views of the -customer- of UniForum and the ZADNA are not
being held in very high regard, so I ask for a second opinion on the
following statement, since clearly I lack the "years of experience" and
old-man status that are required to receive a clear and logical
explanation for these policies.
"The PTR cross-check is not a vital operational issue, but it is a good
one IMHO and worthy of retaining/insisting upon. I'll accept that others
might not agree on this point" - Mike Lawrie.
Currently the ZA DNA are still in the process of arranging a "dispute
resolution process" - so for now I can only bicker.
Any comment appreciated.
Regards,
--
Colin Alston <colin@xxxxxxxxxxxxxxx>
Network Operations
Slipgate Group
http://www.slipgate.za.net/
Desk no. +27 031 2615410
Cell no. +27 072 4665153
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
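Added example, not from the original post or from UniForum: a small offline model of the two glue-acceptance policies the message contrasts. `ptr_crosscheck` is the registrar's PTR-must-match-NS rule, `accept_glue` is the poster's alternative of discarding out-of-bailiwick glue; the A and PTR tables, zone names and addresses are constructed (a real check would query a resolver instead).

```python
import ipaddress

# Constructed forward (A) and reverse (PTR) data standing in for live DNS.
# ns1.bar.co.za shares an address with ns1.foo.co.za, as a DNS provider
# hosting several customer zones on one server would.
A_RECORDS = {
    "ns1.foo.co.za.": "192.0.2.10",
    "ns2.foo.co.za.": "192.0.2.11",
    "ns1.bar.co.za.": "192.0.2.10",
    "ns1.example.net.": "198.51.100.5",
}
PTR_RECORDS = {                      # one PTR per address, as most upstream
    "192.0.2.10": "ns1.foo.co.za.",  # providers insist on
    "192.0.2.11": "ns2.foo.co.za.",
    "198.51.100.5": "ns1.example.net.",
}

def normalize(name: str) -> str:
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def in_bailiwick(ns_name: str, zone: str) -> bool:
    """True when ns_name is at or below zone, so glue is both needed and
    something the registrant of zone is entitled to supply."""
    ns, z = normalize(ns_name), normalize(zone)
    return ns == z or ns.endswith("." + z)

def accept_glue(zone: str, ns_name: str, glue_ip: str) -> bool:
    """Poster's policy: keep glue only for in-bailiwick NS names.

    Glue for a name outside the zone is dropped, since accepting it would
    let a registrant supply addresses for names in someone else's zone.
    """
    ipaddress.ip_address(glue_ip)  # raise on a malformed address up front
    return in_bailiwick(ns_name, zone)

def ptr_crosscheck(ns_name: str, glue_ip: str) -> bool:
    """Registrar's policy: the PTR of the glue IP must equal the NS name."""
    return PTR_RECORDS.get(glue_ip) == normalize(ns_name)

def check_delegation(zone: str, glue: dict) -> dict:
    """Evaluate each NS/IP pair under both policies; glue maps NS -> IP."""
    return {
        ns: {"bailiwick_ok": accept_glue(zone, ns, ip),
             "ptr_ok": ptr_crosscheck(ns, ip)}
        for ns, ip in glue.items()
    }
```

With the constructed data, `check_delegation("bar.co.za", {"ns1.bar.co.za": "192.0.2.10"})` passes the bailiwick rule but fails the PTR rule, which is exactly the shared-address case the message describes.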