On-going Internet Emergency and Domain Names

Chris L. Morrow christopher.morrow at verizonbusiness.com
Sun Apr 1 22:11:28 UTC 2007

On Sun, 1 Apr 2007, Paul Vixie wrote:

> I've got no heartburn about deploying these technologies at a customer level,
> but my experience with both BIND's "check-names" facility and VeriSign's
> sitefinder wildcard (*.COM) have taught me that it's best to creatively
> rulebreak at the edge, and keep the core pristine.  I helped Dave build ICSS
> and I know that customers of that technology could easily white-out domains
> used for Gadi's 0-day and that it would be a good thing for them to do so.

The problem that I think you fear is that DNS is 'basic plumbing' (the
ICANN-SSAC had some term like this, which sticks in my head as 'basic
plumbing'...) and that messing with it where there is low confidence of
knowing WHY it's being used is not smart, or hazardous, or probably going
to cause larger problems.

On this I too agree: unless you can clearly scope your userbase and
clearly be accountable for the problems that may arise, messing with basic
plumbing is a bad, bad plan. The 'dns core' could be 'provider recursive
servers' or 'TLD servers' or 'root servers' or some combination of these.
As you move closer to the 'core' the userbase gets wider and more varied,
their intent is not divinable in their requests, and there's likely a
higher chance you'll be doing something 'wrong' with their request if you
don't stick to the 'standards compliant' answer.

>
> But, that's the DNS "edge", I'm not ready to see the DNS "core" gain features
> like this.  Or if they do come, I'd like them to come as a result of consensus
> driven protocol engineering (like inside the IETF) and take longer than "this
> week" to be defined.  I hope this clarifies the incompatibility between me
> helping dave build ICSS (an edge solution) and me saying that whiting out
> malware domain names as a way to stop malware isn't a real (core) solution.

Right, ICSS should be used (in your example) as close to the 'edge' as
possible... or that's the intent of it, right? Let enterprise folks use
these things, they have attentive helpdesk/admin folks to unscrew what the
changes in basic plumbing have screwed up :)
