Interesting new dns failures
dotis at mail-abuse.org
Thu May 24 05:21:55 UTC 2007
On May 22, 2007, at 2:16 PM, Gadi Evron wrote:
> On Tue, 22 May 2007, David Ulevitch wrote:
>> These questions, and more (but I'm biased to DNS), can be solved
>> at the edge for those who want them. It's decentralized there.
>> It's done the right way there. It's also doable in a safe and
>> fail-open kind of way.
>> This is what I'm talking about.
What is the downside of a "preview" of zones being published by a
TLD? Previews could be on a 12 or 24 hour cycle. This would enable
defenses at the edge by disabling fast-flux outright. There could be
exceptions, of course. When millions of domains are in rapid flux
daily, few protective schemes are able to sustain or afford the
dispersion of raw threat information. In addition, these raw updates
arrive too late at that. A "preview" would not change how the core
works, only how fast changes occur, while also dramatically reducing
the amount data required for comprehensive protections at the edge.
This would be a policy change at the core that enables defenses at
More information about the NANOG