On May 22, 2013, at 3:10 PM, John C Klensin <john-ietf@xxxxxxx> wrote: > > > --On Tuesday, May 21, 2013 11:07 +0200 Stephane Bortzmeyer > <bortzmeyer@xxxxxx> wrote: > >> ... >> Although these tests certainly contributed to the good >> technical quality of the name servers, they were removed both >> for commercial reasons (a registry has to make money to pay >> its employees) and because it was easier to have the same >> rules for ccTLDs and gTLDs (and ICANN forbids these technical >> tests in gTLDs). > > Occasional fantasies about IETF enforcement power and the > Protocol Police notwithstanding, it seems to me that, if one > wanted to require standards-conforming nameservers, the most > (and maybe only) effective way to do that would be requirements > in the contractual agreements between TLD registries and their > registrants. Recursively applying requirements down the tree is > not a new idea; RFC 1591 uses that language more than once. We should be careful about requiring things like this (for whatever value of "we"). Recursively applying requirements means that "we" are requiring service providers (in this case registries) to pick fights with their customers. So instead of having an IETF protocol police, "we" expect service providers to act as local sheriffs. It's not that service providers would never do this. There is some success in getting ISPs to shut down spammers, but they are likely to cooperate when the actions of the offenders are likely to damage either the service provider's infrastructure, or harm other customers. This is not the case here. A DNS server that ignores unknown record types does not hurt anyone who only queries for A and AAAA records. And MX. It hurts people who try to deploy new record types, so for now, it hurts experiments. It reduces the likelihood of a major browser deploying a version with DANE enabled by default. This is definitely harm, but beating one bad server into compliance does not fix the problem. So "we" would be asking service providers to take a step with positive costs (periodically testing servers, contacting customers, threatening them, and following up), all to prevent a kind of harm that would only be prevented if all other registrars in the world (or at least a vast majority) would do the same. And if that harm was mitigated, and all the DNS servers in the world were fixed, hardly anyone would notice. Seems like a tough sell to me. Yoav