nanog mailing list archives

Re: VeriSign's rapid DNS updates in .com/.net


From: Matt Larson <mlarson () verisign com>
Date: Wed, 14 Jul 2004 18:51:51 -0400


William,

On Wed, 14 Jul 2004, william(at)elan.net wrote:
I am re-forwarding this email in the hope that it was by simple omission that nobody
from Verisign has yet responded to it.

Replying to your original message has been on my to-do list.

1. Currently SLD delegation info for the .com/.net TLDs seems to be updated about
twice a day, and the entire new TLD DNS zone is published as one bulk operation.
These changes seem to be synced pretty well to changes in the whois database
as seen at whois.crsnic.net, so the listing of nameservers in whois seems
almost always correct. Am I correct in understanding that after this change SLD
DNS delegation will not be synced to the nameserver listing in whois?

You are correct that the .com/.net zone files and Whois data are
currently updated at around the same time, twice per day.  Those
processes will continue after the deployment of the rapid updates.  As
a result, the .com/.net zone files available through the zone file
access program will continue to match the data currently available in
Whois.  But the .com/.net authoritative servers will contain
changes not yet reflected in Whois.

2. Is it only changes in SLD delegation (the listing of nameservers or the IPs of
nameservers) that will be affected?

Essentially, yes, but see below.

Does that mean that changes to a domain such as moving a domain from one
registrar to another, or deletion of a domain, will still be done once per
day?

Yes.

Related - what about status codes as submitted by the registrar? In
particular, would a change of status that causes a domain to temporarily
or permanently not be delegated (but keeps the listing of nameservers in
whois) also be processed immediately?

You're referring to Hold status, of which there are several kinds, all
of which keep a domain's NS records out of the .com/.net zones.  A
change in status will cause a domain's NS records to be inserted into or
withdrawn from the .com/.net zones in near-real time.

3. Am I correct in understanding that with this change those who participate
in the bulk whois program will not be able to see the entire history of DNS
delegation changes for a domain?

You said "bulk whois program", but I believe you're referring to the
"TLD Zone File Access Program"
(http://www.verisign.com/nds/naming/tld/).  VeriSign does not make the
bulk .com/.net Whois data available.

In that case, you remove the value of
participation in bulk TLD zone downloads for certain kinds of research
activity and in addition may actually be breaking the service agreement for
providing this kind of data. To cover that "hole" you need to provide a way
to not only download the entire TLD zone but also the changes done to domains
since the last time the entire TLD zone file was published (to give an
example, what I'm asking for is the ability to download "UPDATES" as in the Routeviews
directory rather than the entire BGP dump from the "RIBS" directory).

Please note that being able to find the entire history of domain delegation
changes is important in quite a number of cases, for example when you
need to show that either your DNS registrar or ISP screwed up (and then
corrected itself but does not want to admit it because that may cause them
to pay compensation per SLA), or to show improper unauthorized use of a
domain when it is suspected that the domain may have been hijacked (but the DNS had
been changed for half an hour and then returned back), or when you're tracking
domains used by spammers that change info from one zombie computer to another
every 10-30 minutes (you want to be able to create the entire list of zombies
associated with such a domain and report these to ISPs, not just one or
two taken once or twice per day, because otherwise spammers would just
register a different domain when the reported one is deactivated but they
will still keep using the same zombies).

Right now we don't have plans to make the deltas available, but I will
make sure the right people see the suggestion and your supporting
reasons for wanting them.

4. My last comment is that I believe such a public announcement of changes
should go to other mailing lists and not just nanog, which covers primarily
those concerned with network routing in the US and Canada, but not necessarily
with DNS operations at your ISP. I'm subscribed to at least three DNS
specific mailing lists and have not seen anything there. The ones I remember
by name are isp-dns.com, the other is bind-users, the third one is I think the
dns list at RIPE.

I'm not suggesting you make the announcement on exactly those lists (or only
on those lists + nanog), but if Verisign is trying to have better
involvement with the community and to make viable prior notices worldwide of
changes it is making to the DNS system, some investigation into where it is best
to make such notices so that they reach the largest number of persons
concerned with DNS technical support worldwide should be done.

With over 7000 subscribers (if I'm remembering the numbers from
Susan's latest statistics slide correctly), NANOG covers more than
just routing in North America: a posting here reaches Internet
operators worldwide.  Indeed, my original posting has already appeared
in other places.  But your point is well taken.

Matt
--
Matt Larson <mlarson () verisign com>
VeriSign Naming and Directory Services
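The two practical gaps discussed in this exchange (the published zone file lagging the rapidly updated authoritative servers, and the absence of per-domain delegation "UPDATES" between bulk zone snapshots) can both be worked around locally by anyone with zone file access. The following is an added example, not code from this thread or from VeriSign: it parses two constructed zone-file snapshots in the flat owner/TTL/class/type/rdata layout the TLD zone files use, emits a delta of delegation and glue changes (a withdrawn NS set is reported as such, since that is what a Hold or deletion looks like in the zone), and compares a snapshot against an NS set you collected from the authoritative servers yourself (in practice via a query such as `dig @a.gtld-servers.net example.com NS`; here the "live" answer is a constructed dict). The domain names, nameservers and addresses are all invented for illustration.

```python
"""Delegation delta and drift checker for .com/.net zone-file snapshots.

Added example, not VeriSign code.  The snapshots and the 'live' NS answer
below are constructed inputs so the script runs offline.
"""
from typing import Dict, List, Set, Tuple

# (event, name, old_value, new_value); values are comma-joined, sorted sets
Record = Tuple[str, str, str, str]

# Constructed snapshot "T0" in the flat format the TLD zone files use.
SNAPSHOT_T0 = """\
EXAMPLE.COM. 172800 IN NS NS1.EXAMPLE.NET.
EXAMPLE.COM. 172800 IN NS NS2.EXAMPLE.NET.
HIJACKED.COM. 172800 IN NS NS1.HOSTER.COM.
ONHOLD.COM. 172800 IN NS NS1.HOSTER.COM.
NS1.HOSTER.COM. 172800 IN A 192.0.2.10
"""

# Constructed snapshot "T1": HIJACKED.COM now points elsewhere, ONHOLD.COM has
# no NS records any more (Hold status or deletion), and glue for NS1.HOSTER.COM moved.
SNAPSHOT_T1 = """\
EXAMPLE.COM. 172800 IN NS NS1.EXAMPLE.NET.
EXAMPLE.COM. 172800 IN NS NS2.EXAMPLE.NET.
HIJACKED.COM. 172800 IN NS NS1.ATTACKER.EXAMPLE.
NS1.HOSTER.COM. 172800 IN A 192.0.2.20
"""

# Constructed "live" answer: the registrar already reverted HIJACKED.COM through the
# rapid-update path, so the authoritative servers disagree with snapshot T1.
LIVE_NS: Dict[str, Set[str]] = {
    "example.com.": {"ns1.example.net.", "ns2.example.net."},
    "hijacked.com.": {"ns1.hoster.com."},
}


def _fqdn(name: str) -> str:
    """Normalise a name to lower case with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_zone(text: str) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (delegations, glue): SLD -> NS set, and nameserver host -> A/AAAA set.
    Comments and any record type other than NS/A/AAAA are ignored."""
    delegations: Dict[str, Set[str]] = {}
    glue: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) < 5:
            continue
        owner, rtype, rdata = _fqdn(fields[0]), fields[3].upper(), fields[4].lower()
        if rtype == "NS":
            delegations.setdefault(owner, set()).add(_fqdn(rdata))
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rdata)
    return delegations, glue


def zone_delta(before: str, after: str) -> List[Record]:
    """The 'UPDATES' view: what changed between two published snapshots."""
    d0, g0 = parse_zone(before)
    d1, g1 = parse_zone(after)
    events: List[Record] = []
    for name in sorted(d0.keys() | d1.keys()):
        old, new = d0.get(name, set()), d1.get(name, set())
        if old == new:
            continue
        if not new:
            # NS set disappeared entirely: deletion or a Hold status took effect.
            events.append(("DELEGATION_WITHDRAWN", name, ",".join(sorted(old)), ""))
        elif not old:
            events.append(("DELEGATION_INSERTED", name, "", ",".join(sorted(new))))
        else:
            events.append(("NS_CHANGED", name, ",".join(sorted(old)), ",".join(sorted(new))))
    for host in sorted(g0.keys() | g1.keys()):
        old, new = g0.get(host, set()), g1.get(host, set())
        if old != new:
            events.append(("GLUE_CHANGED", host, ",".join(sorted(old)), ",".join(sorted(new))))
    return events


def delegation_drift(snapshot: str, live_ns: Dict[str, Set[str]]) -> List[Record]:
    """Domains whose NS set on the authoritative servers differs from the snapshot,
    i.e. rapid updates the twice-daily zone file has not caught up with yet."""
    published, _ = parse_zone(snapshot)
    drift: List[Record] = []
    for name in sorted(live_ns):
        want = {_fqdn(ns) for ns in live_ns[name]}
        have = published.get(_fqdn(name), set())
        if want != have:
            drift.append(("LIVE_DIFFERS", _fqdn(name), ",".join(sorted(have)), ",".join(sorted(want))))
    return drift


if __name__ == "__main__":
    for ev in zone_delta(SNAPSHOT_T0, SNAPSHOT_T1) + delegation_drift(SNAPSHOT_T1, LIVE_NS):
        print("\t".join(ev))
```

Run against real snapshots, the delta output is the per-domain history William asks for, at the granularity of your own download schedule; the drift check is what tells you that a domain's live delegation has moved since the last file, which is exactly the case Matt describes where the authoritative servers are ahead of Whois and the zone file.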

