Dear Suresh Ramasubramanian,

Thank you for your attention to this issue. As you rightly point out, it arose as a result of the patch to the BIND DNS server software. Rest assured that we are working hard with the relevant parties to have it fixed as soon as possible (see also http://marc.theaimsgroup.com/?l=bind-users&m=106579662509581&w=2).

However, I just wanted to make a friendly correction to one error in your mail. .name is not a "wildcarded" TLD. There is no "wildcard" or "star-record" response from the .name nameservers.

Rather, the reason why the hastily launched BIND patch now breaks the .name email functionality is because .name returns non-delegation resource records for the second level, for example MX records for all shared second level names (as contemplated by the .name ICANN contract, http://www.icann.org/tlds/agreements/name/registry-agmt-appc-1-8aug03.htm#d). These valid and vital resource records are now being exchanged for an NXDOMAIN response, resulting in bounced emails to otherwise valid .name email addresses.

According to a report at the recent SECSAC meeting, 15,000 downloads of this patch have been made. We would urge all operators to NOT install this patch, or more specifically, not to use the root-delegation-only functionality until its problems have been resolved.

The Internet Community response to the .com "wildcard" was perhaps emotional, but to be clear, the patch to BIND does not break .name functionality because of any "wildcards" or "star records". Rather, it breaks because .name until now has been a third-level domain space where second levels are shared. Not all second levels exist under the .name TLD, but are created as necessary when third levels are registered.

However, this is changing now that .name will, in addition to its current third level registrations, open its second level for SLD delegations. From January 14th, there will be second levels on .name that are delegated to nameservers, just like on e.g. .com. For more information about this, see www.nic.name.

We regret the consequence of the hastily launched patch to BIND, and are working hard to resolve the issue with the relevant parties. Thank you in the meantime for your patience, and for reporting any seemingly misconfigured ISPs and DNS operators to us as soon as possible. Our contact address for any such reports is delegation-only@gnr.com.

Best regards,
Hakon Haugnes
President
The Global Name Registry
www.nic.name
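
The failure mode the letter describes, as an added example that is not part of the original letter and is not BIND's code: a simplified model of a delegation-only filter run over constructed responses. The `Response` type, the helper names and all owner and server names are assumptions made for illustration.

```python
# Simplified model of a resolver-side delegation-only filter (added example,
# not BIND source code). All responses below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Response:
    qname: str
    rcode: str = "NOERROR"
    answer: list = field(default_factory=list)      # (owner, type, rdata)
    authority: list = field(default_factory=list)   # (owner, type, rdata)

def within(name, parent):
    """True if name equals parent or lies below it."""
    name, parent = name.lower().rstrip("."), parent.lower().rstrip(".")
    return name == parent or name.endswith("." + parent)

def has_delegation(resp, zone):
    """Authority section holds NS records for a name strictly below zone
    that covers the query name, i.e. the answer is a referral."""
    return any(rtype == "NS" and within(owner, zone) and not within(zone, owner)
               and within(resp.qname, owner)
               for owner, rtype, _ in resp.authority)

def delegation_only_filter(resp, zone):
    """Return the rcode a client sees when zone is treated as delegation-only."""
    if resp.rcode != "NOERROR" or not within(resp.qname, zone):
        return resp.rcode                      # not this zone, or already an error
    if within(zone, resp.qname):
        return resp.rcode                      # the zone apex itself is exempt
    return resp.rcode if has_delegation(resp, zone) else "NXDOMAIN"

def demo():
    cases = {
        "referral under com": (Response("www.example.com",
            authority=[("example.com", "NS", "ns1.example.net")]), "com"),
        "wildcard-style A under com": (Response("no-such-name.com",
            answer=[("no-such-name.com", "A", "192.0.2.1")],
            authority=[("com", "NS", "ns1.registry.example")]), "com"),
        "MX at shared second level of name": (Response("smith.name",
            answer=[("smith.name", "MX", "10 mx.registry.example")],
            authority=[("name", "NS", "ns1.registry.example")]), "name"),
    }
    return {label: delegation_only_filter(r, z) for label, (r, z) in cases.items()}

if __name__ == "__main__":
    for label, rcode in demo().items():
        print(f"{label}: {rcode}")
```

The third case carries valid MX data served directly by the TLD's servers with no referral, so the model rewrites it to NXDOMAIN exactly as it does the wildcard-style answer.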