Dear colleagues,

As requested, here is some information about the reverse DNS delegation
process applied by the RIPE NCC.

We perform pre-delegation checks with a local instance of Zonemaster,
which is DNS delegation testing software that was developed by AFNIC and
IIS. The software performs the following tests:
https://github.com/zonemaster/zonemaster/tree/master/docs/specifications/tests


Test results are classified into one of five levels of severity: INFO,
NOTICE, WARNING, ERROR, or CRITICAL. This classification is governed by
a policy, and ours follows the default Zonemaster profile here:
https://github.com/zonemaster/zonemaster-engine/blob/master/share/profile.json

According to this policy, a name server offering recursion is classified
as ERROR. When we perform pre-delegation tests, the request is rejected
if any of the test results are classified at the ERROR or CRITICAL levels.

We have the results of pre-delegation tests going back to 30 June 2017.
Between then and now, we rejected 5,125 delegation requests for 1,833
zones because at least one of the name servers of a zone was an open
recursor. It's worth noting that these requests may have been rejected
for other reasons in addition to this one, and there were multiple
requests for some zones, which accounts for the imbalance between the
two numbers.

Finally, before Zonemaster we used software called DNScheck, which was
developed by IIS. This also checked for open recursive name servers and
classified this condition as an error.

Regards,
Anand Buddhdev
RIPE NCC
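
The rejection rule described in the message above, as an added example that is not part of the original message and is not RIPE NCC or Zonemaster code. The policy fragment, the tag names (`RECURSION_OFFERED` and the others), the fail-closed handling of unknown tags, and the sample requests are all constructed for illustration.

```python
LEVELS = ["INFO", "NOTICE", "WARNING", "ERROR", "CRITICAL"]  # ascending severity
REJECT_AT = LEVELS.index("ERROR")  # ERROR or CRITICAL rejects the request

# Constructed policy fragment (tag -> level); the tag names are hypothetical.
POLICY = {
    "NS_OK": "INFO",
    "SOA_REFRESH_LOW": "NOTICE",
    "RECURSION_OFFERED": "ERROR",
    "NS_UNREACHABLE": "CRITICAL",
}

def evaluate(findings):
    """Gate one request. findings: list of (name_server, tag).
    Returns (accepted, blocking); blocking holds (name_server, tag, level)."""
    blocking = []
    for ns, tag in findings:
        # Assumption: a tag missing from the policy fails closed as CRITICAL.
        level = POLICY.get(tag, "CRITICAL")
        if LEVELS.index(level) >= REJECT_AT:
            blocking.append((ns, tag, level))
    return (not blocking, blocking)

def recursor_rejections(requests):
    """Count rejected requests, and distinct zones, where an open recursor
    was one of the blocking results (possibly alongside other reasons)."""
    count, zones = 0, set()
    for zone, findings in requests:
        _, blocking = evaluate(findings)
        if any(tag == "RECURSION_OFFERED" for _, tag, _ in blocking):
            count += 1
            zones.add(zone)
    return count, len(zones)

# Constructed sample: four requests covering three reverse zones.
REQUESTS = [
    ("2.0.192.in-addr.arpa", [("ns1.example.net", "RECURSION_OFFERED"),
                              ("ns2.example.net", "NS_OK")]),
    ("2.0.192.in-addr.arpa", [("ns1.example.net", "RECURSION_OFFERED"),
                              ("ns2.example.net", "NS_UNREACHABLE")]),
    ("100.51.198.in-addr.arpa", [("ns1.example.org", "NS_OK"),
                                 ("ns2.example.org", "SOA_REFRESH_LOW")]),
    ("113.0.203.in-addr.arpa", [("ns1.example.com", "NS_UNREACHABLE")]),
]

if __name__ == "__main__":
    for zone, findings in REQUESTS:
        accepted, blocking = evaluate(findings)
        print(zone, "ACCEPT" if accepted else "REJECT", blocking)
    print(recursor_rejections(REQUESTS))
```

The second request is rejected for two reasons at once, and the first zone is submitted twice, so the tally shows more recursor-related rejections than zones.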
