Verisign Responds

Jack Bates jbates at brightok.net
Tue Sep 23 19:48:38 UTC 2003


Dan Hollis wrote:

> On Tue, 23 Sep 2003 bmanning at karoshi.com wrote:
> 
>>>On Mon, 22 Sep 2003, Dave Stewart wrote:
>>>
>>>>Courts are likely to support the position that Verisign has control of .net 
>>>>and .com and can do pretty much anything they want with it.
>>>
>>>ISC has made root-delegation-only the default behaviour in the new bind, 
>>>how about drafting up an RFC making it an absolute default requirement for 
>>>all DNS?
>>
>>	That would be making a fundamental change to the DNS
>>	to make wildcards illegal anywhere. Is that what you
>>	want?
> 
> 
> no it wouldn't. it would just make wildcards illegal in top level domains, 
> not subdomains.
> 

Actually, it's worse than that. root-delegation-only does not just 
change the wildcard behavior. RRs which are in the TLD itself instead of 
being delegated (like some of the ccTLDs) break if forced into 
root-delegation-only. This is one of the points in the IAB opinion 
concerning remedies causing other problems.

The issue itself is political, but it does have technical ramifications. 
It's still to be seen if ISC's cure is worse than the disease, as 
instead of detecting and stopping wildcard sets, it looks for delegation. 
It is also configurable to a degree that inexperienced operators will 
break their DNS implementations out of ignorance (like ignoring the ISC 
recommendation and root-delegating .de).

One should consider sponsored TLDs like .museum the exception. If you 
have filtering rules (like SMTP) that are bypassed as a result of the 
wildcard, then those rules themselves should be changed. The sponsored 
TLDs and even a lot of the ccTLDs have a rather small subdomain base, 
allowing for unified agreement on changes made to the zone. The legacy 
TLDs should be rather static to ensure stability in DNS architecture 
overall. The subdomain base is massive, making communication and 
agreement on changes difficult. If I'm not mistaken, this is one of the 
duties of ICANN.


-Jack
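A toy model of the delegation-only check discussed above, added here as an example for this archive page (it is not ISC's code and simplifies what BIND actually does): it accepts referrals and apex data from a TLD's servers and rejects any other authoritative answer for a name below the TLD, so a wildcard-synthesized .com answer and a genuine in-zone .de record (both constructed sample data here) fail in exactly the same way unless the operator excludes that TLD.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

RR = Tuple[str, str, str]  # (owner, rtype, rdata)


@dataclass
class Response:
    """Minimal stand-in for a DNS response from a TLD's authoritative servers."""
    qname: str
    aa: bool                       # AA bit: server claims authority for the answer
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def _below(name: str, zone: str) -> bool:
    return name != zone and name.endswith("." + zone)


def delegation_only_verdict(resp: Response, zone: str, exclude=()) -> str:
    """Return 'accept' or 'reject' for a response from ZONE's servers.

    The only acceptable non-apex data from a delegation-only zone is a
    referral (NS records for a child zone).  Any other authoritative data
    for a name below the zone is treated as living in the TLD zone itself
    and is rejected, whether it came from a wildcard or a real in-zone RR.
    """
    zone = _norm(zone)
    if zone in {_norm(z) for z in exclude}:
        return "accept"                    # operator opted this TLD out
    if _norm(resp.qname) == zone:
        return "accept"                    # SOA/NS/etc. at the TLD apex
    # Referral: NS records in the authority section for a name under the zone.
    if any(rtype == "NS" and _below(_norm(owner), zone)
           for owner, rtype, _ in resp.authority):
        return "accept"
    # Authoritative data for a name below the zone with no delegation: reject.
    if resp.aa and any(_below(_norm(owner), zone) for owner, _, _ in resp.answer):
        return "reject"
    return "accept"                        # e.g. NXDOMAIN carrying the zone's SOA


# Constructed sample responses (addresses from the documentation range).
WILDCARD = Response("no-such-name-xyz.com", aa=True,
                    answer=[("no-such-name-xyz.com", "A", "192.0.2.10")])
REFERRAL = Response("www.example.com", aa=False,
                    authority=[("example.com", "NS", "ns1.example.net")])
IN_ZONE = Response("www.example.de", aa=True,
                   answer=[("www.example.de", "A", "192.0.2.20")])
```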

More information about the NANOG mailing list