Verisign Responds
Paul Vixie
vixie at vix.com
Tue Sep 23 06:07:31 UTC 2003
> ISC has made root-delegation-only the default behaviour in the new bind,
actually, though, we haven't, and wouldn't (ever). the feature is present
but must be explicitly enabled by a knowledgeable operator to have effect.
> how about drafting up an RFC making it an absolute default requirement
> for all DNS?
this is what the icann secsac recommendation...
http://www.icann.org/correspondence/secsac-to-board-22sep03.htm
...says that ietf/iab should look into:
    We call on the IAB, the IETF, and the operational community to
    examine the specifications for the domain name system and consider
    whether additional specifications could improve the stability of
    the overall system. Most urgently, we ask for definitive
    recommendations regarding the use and operation of wildcard DNS
    names in TLDs and the root domain, so that actions and expectations
    can become universal. With respect to the broader architectural
    issues, we call on the technical community to clarify the role of
    error responses and on the separation of architectural layers,
    particularly and their interaction with security and stability.
and it does seem rather urgent that if a wildcard in the root domain or in
a top level domain is dangerous and bad, that the ietf say so out loud so
that icann has a respected external reference to include in their contracts.
--
Paul Vixie