Root Server Operators (Re: What *are* they smoking?)

Jack Bates jbates at brightok.net
Wed Sep 17 14:58:40 UTC 2003


Paul Vixie wrote:
> no.  not just because that's not how our internal hashing works, but
> because "hosted" tld's like .museum have had wildcards from day 1 and
> the registrants there are perfectly comfortable with them.  there's
> no one-policy-fits-all when it comes to tld's, so we would not want
> to offer a knob that tried to follow a single policy for all tld's.

I agree Paul. This is a policy issue and not a technical issue. TLDs 
that are sponsored or set up with a specific design sometimes do and 
should be allowed to use the wildcard for the tld. The issue has become 
that net and com are public trusts and changes were made to them without 
authorization by the public and damage was caused as a result.

Just as root server operators are subject to operating as IANA dictates, 
so should Verisign be subject to operating as IAB and ICANN dictate. The 
Internet as a whole depends on the predictability of TLDs. It is 
impossible to maintain a security policy based on unpredictable information.

I would recommend that the TLDs which do utilize wildcards set up or 
restrict such use in a predictable manner. While historically it has not 
been an issue, such as nonexistent .museum domains being forged in email 
envelopes, such practices could be exploited at a later time. The 
ability to recognize that a domain is not registered and should not be 
used is paramount in basic forgery detection.

One method that might be considered for recursive servers as well as 
resolvers, is the ability to specify if a wildcard entry will be 
accepted or not, perhaps at any level or just at the 2nd level. Cached 
records which are wildcards could be marked as such so that subsequent 
queries could specify desire of accepting or not accepting the wildcard 
entry. A web browser, for example, which supports its own redirections 
for NXDOMAIN, might wish to ignore the wildcard records, as would smtp 
servers.

While I believe that net and com should never have wildcards, the 
ability to detect, cache, and override wildcards for tld's such as 
.museum when the application requires it is paramount. I realize that 
the client software can perform the queries and detection itself, but in 
many cases, there wouldn't be an efficient way to cache the information 
without the resolver and recursive cache being aware of the process and 
performing such detection would require two queries versus one.
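A toy model of the recursive cache described in the two paragraphs above, written as an added illustration for this archive page; it is not code from the post, from NANOG, or from any resolver. The zone data (`ZONE`), the `Authority` stand-in, the `WildcardAwareCache` class and the `domain_is_registered` helper are all constructed here. The post does not say how a recursive server would recognise a wildcard-synthesized answer; the assumption made below is the common probe technique of querying a random label under the same parent and comparing the result, which is exactly the "two queries versus one" cost the post mentions. The cache keeps one probe result per parent name so that later lookups under that parent pay for no further probe, and each application chooses per query whether a synthesized answer should be returned or treated as NXDOMAIN.

```python
"""Toy wildcard-aware recursive cache (constructed example, not a real resolver)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed zone data: owner name -> A record. Addresses are from the
# documentation range 192.0.2.0/24 and the names are hypothetical.
ZONE: Dict[str, str] = {
    "example.museum.": "192.0.2.10",
    "*.museum.": "192.0.2.1",      # a sponsored TLD that uses a wildcard by design
    "example.com.": "192.0.2.20",
    "*.com.": "192.0.2.2",         # models a wildcard imposed on a public TLD
    "example.org.": "192.0.2.30",  # a TLD with no wildcard at all
}


class Authority:
    """Stand-in for an authoritative server answering from ZONE with RFC 1034-style
    wildcard matching: a wildcard applies only at the closest existing ancestor of
    a name that does not exist itself. It returns plain rdata, with no hint that
    an answer was synthesized, just as real servers did in 2003."""

    def __init__(self, zone: Dict[str, str]) -> None:
        self.zone = zone
        # Every owner name and each of its ancestors "exists" for closest-encloser purposes.
        self.existing = set()
        for owner in zone:
            labels = owner.rstrip(".").split(".")
            for i in range(len(labels)):
                self.existing.add(".".join(labels[i:]) + ".")

    def lookup(self, qname: str) -> Optional[str]:
        if qname in self.zone:
            return self.zone[qname]
        labels = qname.rstrip(".").split(".")
        for i in range(1, len(labels)):          # walk up towards the TLD
            ancestor = ".".join(labels[i:]) + "."
            if ancestor in self.existing:        # closest encloser found
                return self.zone.get("*." + ancestor)   # None models NXDOMAIN
        return None


@dataclass
class CacheEntry:
    rdata: Optional[str]   # None models a cached NXDOMAIN
    synthesized: bool      # True when the answer looks wildcard-generated


class WildcardAwareCache:
    """Recursive cache that marks wildcard-synthesized answers and lets each
    application decide whether to accept them."""

    def __init__(self, authority: Authority) -> None:
        self.authority = authority
        self.answers: Dict[str, CacheEntry] = {}
        self.probes: Dict[str, Optional[str]] = {}   # parent -> rdata a random child gets
        self.queries_sent = 0

    def _query(self, qname: str) -> Optional[str]:
        self.queries_sent += 1
        return self.authority.lookup(qname)

    def _wildcard_rdata_under(self, parent: str) -> Optional[str]:
        # One probe per parent; a random label cannot be a registered name.
        if parent not in self.probes:
            self.probes[parent] = self._query(f"wc-probe-{secrets.token_hex(8)}.{parent}")
        return self.probes[parent]

    def resolve(self, qname: str, accept_wildcard: bool = True) -> Optional[str]:
        entry = self.answers.get(qname)
        if entry is None:
            rdata = self._query(qname)
            synthesized = False
            if rdata is not None:
                parent = qname.split(".", 1)[1]
                # Heuristic: a registered name that happens to share the wildcard's
                # address would be misjudged; the model accepts that limitation.
                synthesized = self._wildcard_rdata_under(parent) == rdata
            entry = CacheEntry(rdata, synthesized)
            self.answers[qname] = entry
        if entry.synthesized and not accept_wildcard:
            return None                              # present it as NXDOMAIN
        return entry.rdata


def domain_is_registered(cache: WildcardAwareCache, domain: str) -> bool:
    """What an MTA doing basic envelope-forgery checks wants: existence without
    counting wildcard-synthesized answers."""
    return cache.resolve(domain, accept_wildcard=False) is not None


def demo():
    cache = WildcardAwareCache(Authority(ZONE))
    browser_view = cache.resolve("nonexistent.com.")            # wildcard answer accepted
    mta_view = domain_is_registered(cache, "nonexistent.com.")  # same answer rejected
    return browser_view, mta_view, cache.queries_sent           # two queries in total


if __name__ == "__main__":
    print(demo())
```

The first lookup of a name under a parent costs the query plus one probe; every later lookup under that parent costs one query, and repeated lookups of the same name cost none, which is the caching benefit the post argues for over having each client do the detection on its own.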


-Jack
More information about the NANOG mailing list