Verisign Responds
Jack Bates
jbates at brightok.net
Tue Sep 23 19:48:38 UTC 2003
Dan Hollis wrote:
> On Tue, 23 Sep 2003 bmanning at karoshi.com wrote:
>
>>>On Mon, 22 Sep 2003, Dave Stewart wrote:
>>>
>>>>Courts are likely to support the position that Verisign has control of .net
>>>>and .com and can do pretty much anything they want with it.
>>>
>>>ISC has made root-delegation-only the default behaviour in the new bind,
>>>how about drafting up an RFC making it an absolute default requirement for
>>>all DNS?
>>
>> That would be making a fundamental change to the DNS
>> to make wildcards illegal anywhere. Is that what you
>> want?
>
>
> no it wouldn't. it would just make wildcards illegal in top level domains,
> not subdomains.
>
Actually, it's worse than that. root-delegation-only does not just
change the wildcard behavior. RRs which are in the tld itself instead of
being delegated (like some of the ccTLDs) break if forced into
root-delegation-only. This is one of the points in the IAB opinion
concerning remedies causing other problems.

The issue itself is political, but it does have technical ramifications.
It's still to be seen if ISC's cure is worse than the disease; as
instead of detecting and stopping wildcard sets, it looks for delegation.
It is also configurable to a degree that inexperienced operators will
break their DNS implementations out of ignorance (like ignoring the ISC
recommendation and root-delegating .de).

One should consider sponsored TLDs like .museum the exception. If you
have filtering rules (like smtp) that are bypassed as a result of the
wildcard, then those rules themselves should be changed. The sponsored
TLDs and even a lot of the ccTLDs have a rather small subdomain base,
allowing for unified agreement on changes made to the zone. The legacy
TLDs should be rather static to ensure stability in DNS architecture
overall. The subdomain base is massive, making communication and
agreement on changes difficult. If I'm not mistaken, this is one of the
duties of ICANN.
-Jack
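
Added example, not part of the original message and not ISC's code: a simplified Python model of the delegation-only check discussed above, showing that it suppresses a TLD wildcard answer and, equally, a record held directly in a TLD zone unless that TLD is excluded. All names, addresses and the `filter_response` helper are constructed for illustration.

```python
# Simplified model of a delegation-only check (assumption: not BIND's actual logic).
# A Response is what a resolver received from a TLD's own name servers.
from dataclasses import dataclass, field

@dataclass
class Response:
    qname: str
    rcode: str = "NOERROR"
    answer: list = field(default_factory=list)     # (owner, type, rdata)
    authority: list = field(default_factory=list)  # (owner, type, rdata)

def tld_of(name):
    return name.rstrip(".").lower().rsplit(".", 1)[-1]

def is_delegation(resp, tld):
    """True if the authority section carries NS records for a name below the TLD."""
    suffix = "." + tld
    return any(rtype == "NS" and owner.rstrip(".").lower().endswith(suffix)
               for owner, rtype, _ in resp.authority)

def filter_response(resp, exclude=frozenset()):
    """Rewrite any non-delegation answer from a TLD server to NXDOMAIN,
    unless the TLD is on the exclude list."""
    tld = tld_of(resp.qname)
    if tld in exclude or resp.rcode != "NOERROR" or is_delegation(resp, tld):
        return resp
    return Response(resp.qname, rcode="NXDOMAIN")

# Constructed sample responses (documentation address space, made-up names).
WILDCARD = Response("no-such-name.com",
                    answer=[("no-such-name.com", "A", "192.0.2.1")])
REFERRAL = Response("www.example.com",
                    authority=[("example.com", "NS", "ns1.example.com")])
IN_ZONE = Response("example.de",  # record stored in the TLD zone itself
                   answer=[("example.de", "A", "192.0.2.2")])

def demo():
    return {
        "wildcard": filter_response(WILDCARD).rcode,
        "referral": filter_response(REFERRAL).rcode,
        "in_zone_not_excluded": filter_response(IN_ZONE).rcode,
        "in_zone_excluded": filter_response(IN_ZONE, exclude={"de"}).rcode,
    }

if __name__ == "__main__":
    for case, rcode in demo().items():
        print(f"{case}: {rcode}")
```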