Interesting new dns failures

Chris L. Morrow christopher.morrow at verizonbusiness.com
Wed May 23 04:01:30 UTC 2007



On Tue, 22 May 2007, Roger Marquis wrote:

>
> > Why are people trying to solve these problems in the core?
>
> Because that's the only place it can be done.

it is A PLACE, not necessarily THE PLACE. With every decision as to where
there are tradeoffs, be prepared to accept/defend them.

>
> > These issues need to and must be solved at the edge.
>
> Been there, done that, with smtp/spam, netbios, and any number of
> other protocols that would also be ideally addressed at the source or
> edge but, in reality, cannot.
>

maybe this is also a definition problem? "what is the core" and "what is
the edge" in this discussion?

> > These issues should not be "solved" by the registry operators or
> > root server operators, that's very dangerous.
>
> Do you know that it is dangerous to fix problems at the core or are
> you speculating?  If you can cite specific examples please do.  Simply

it is dangerous, making assumptions about how people use a basic plumbing
service is what gets people into trouble, ask verisign about sitefinder.

much of this discussion of mitigating this issue revolves around the
'belief' that 'no one should/would ever want to rotate NS records around
every five minutes'. Making statements that include absolutes is bound to
be problematic.

What if, for some reason unknown today, people thought that pushing around
NS records regularly was helpful to their application?  What if it were
automated into a product like bittorrent or other widely deployed thing?
What if the usage wasn't for 'where is www.sun.com' but as a signalling
method or metric/best-path decision process that was never revealed to the
end users?

you simply can't know what options folks might use in future applications
when it comes to basic plumbing things. people expect basic plumbing to
'just work' and 'just work according to the standards'. giving back
falsified information is bound to generate problems (see sitefinder for a
quick/simple example).

>
> Can you say what that 'anything else' might consist of?

Sure, work on an expedited removal process inside a real procedure from
ICANN down to the registry. Work on a metric and monetary system used to
punish/disincent registries from allowing their systems to be abused. Work
on a service/solution for the end-user/enterprise that allows them to take
action based on solid intelligence in a timely fashion with tracking on
the bits of that intelligence.

three options, go play :)

-Chris


