On-going Internet Emergency and Domain Names

Dave Crocker dhc2 at dcrocker.net
Sun Apr 1 14:10:48 UTC 2007
Paul Vixie wrote:
> on any given day, there's always something broken somewhere.
> 
> in dns, there's always something broken everywhere.

The catch-phrases you come up with are delightful.  Catchy and deeply useful.

Would that more folk would take them to heart, for their implications.


> since malware isn't breaking dns, and since dns is not a vector per se, the
> idea of changing dns in any way to try to control malware strikes me as
> a way to get dns to be broken in more places more often.

Although there are times to consider pursuing an ugly-but-expeditious path, 
you've made the point that the effects are long-term, while the symptoms might 
only be short-term.

Given the complexity of the abuse space, it's worth thinking in terms of basic 
benefit in the change, while using the immediate situation merely as a 
motivator:  Is the change something that makes sense on its own, independent 
of the current abuse manifestation?  If so, then go ahead and do it.  If not, 
the odds are high that it will only be part of a process of adding warts to warts.


> fundamentally, this isn't a dns technical problem, and using dns technology
> to solve it will either not work or set a dangerous precedent.  and since
> the data is authentic, some day, dnssec will make this kind of poison
> impossible.

I was sitting at a bar, one Saturday, many years ago.  Behind the bartender 
was a sign that said "Free beer tomorrow".  We were in an alcohol-paranoid 
state, so I asked the bartender about the sign, since I knew they'd be closed 
on Sunday.  His comment was that tomorrow never comes.

Someday, indeed.

d/

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net