Root Server Operators (Re: What *are* they smoking?)

• Previous message (by thread): Root Server Operators (Re: What *are* they smoking?)
• Next message (by thread): Root Server Operators (Re: What *are* they smoking?)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Aaron Dewell wrote:

> The point is, this makes a reasonable backup plan.  Far from ideal, but
> we're dealing with a state-supported monopoly who can do whatever they
> want.  Get this in place, then think about how to throw the monopolies
> out.  This works in the meantime.  They will likely compromise this far,
> even if they won't back down.
> 

I'm thinking security for the long term. Even if com and net are 
returned to their non-wildcard states, there are other tld's which will 
continue using wildcards. Subject to a wildcard bit being implemented to 
DNS, my suggested method allows for optimum performance and 
functionality when DNS is being used as part of a security model.

> The TTL is 15 minutes, so your hypothetical server would be throwing away
> it's cache every 15 minutes.  Then re-querying everything.  You'd have to
> have a _lot_ of outgoing email to justify that.

I don't know about you, but I don't want to cache bogus information for 
longer than 15 minutes. If someone sends random-string domains as the 
envelope from to my mail server, I want the cache to purge itself 
quickly. Yet, if they are sending the same bad address to my mail server 
repetitively, I want my cache to hold the record briefly; say 15 
minutes. I'd hate to see a spammer issuing jlkfsjklfsj.com 5,000 times 
to my mail server in rapid succession and my recursor have to ask for it 
every time. On the other side, I would hate to cache 100,000 bogus 
domains for 1 day, wasting cache.

> This solution still requires increased overhead, and more modifications
> to BIND.  Which has more impact on your server, this BIND overhead, or one
> additional query from your MTA?  My guess is the query is cheaper overall.
> And you have to convince ISC to implement these changes, or write them
> yourself, then you have the potential cost of an unstable nameserver.
> Overall, I'd take the one addition query based on the compromise solution.

My mail server doesn't use a bind recursor, so I'll end up making the 
change myself for that particular system. However, a solution needs to 
be devised for the long term. The best solution is a wildcard bit. 
Second to that, smart recursors and resolvers that can detect the wildcard.

-Jack

• Previous message (by thread): Root Server Operators (Re: What *are* they smoking?)
• Next message (by thread): Root Server Operators (Re: What *are* they smoking?)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]