Interesting new dns failures

Douglas Otis dotis at mail-abuse.org
Thu May 24 05:21:55 UTC 2007


On May 22, 2007, at 2:16 PM, Gadi Evron wrote:
> On Tue, 22 May 2007, David Ulevitch wrote:
>
>> These questions, and more (but I'm biased to DNS), can be solved
>> at the edge for those who want them. It's decentralized there.
>> It's done the right way there. It's also doable in a safe and
>> fail-open kind of way.
>>
>> This is what I'm talking about.
>
> Agreed.

Gadi,

What is the downside of a "preview" of zones being published by a
TLD? Previews could be on a 12 or 24 hour cycle. This would enable
defenses at the edge by disabling fast-flux outright. There could be
exceptions, of course. When millions of domains are in rapid flux
daily, few protective schemes are able to sustain or afford the
dispersion of raw threat information. In addition, these raw updates
arrive too late at that. A "preview" would not change how the core
works, only how fast changes occur, while also dramatically reducing
the amount of data required for comprehensive protections at the edge.

This would be a policy change at the core that enables defenses at
the edge.

-Doug
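The edge-side mechanism the post sketches, as an added example that is not part of the thread and not anything the NANOG participants wrote: it assumes a registry publishes a zone snapshot ("preview") once per cycle, and that a resolver at the edge keeps the last few snapshots. The snapshots, domain names and the exception list below are constructed for illustration; the change threshold is a local policy knob, not a value from the post.

```python
"""Using periodic TLD zone previews to flag fast-flux churn at the edge.

Added example, not from the mailing-list thread. It assumes a registry
publishes a snapshot of each delegation's NS set every cycle (the post
suggests 12 or 24 hours). An edge resolver compares consecutive previews,
counts how often each delegation changed, and flags domains whose change
rate exceeds local policy, honouring an exception list for operators that
are legitimately dynamic.
"""
from collections import defaultdict

# Constructed previews: one dict per cycle, mapping domain -> NS set.
# "flux.example" changes delegation every cycle; "cdn.example" also churns
# but will sit on the exception list; "static.example" never changes;
# "new.example" first appears in the last preview.
PREVIEWS = [
    {"static.example": frozenset({"ns1.static.example"}),
     "flux.example": frozenset({"ns1.a.invalid"}),
     "cdn.example": frozenset({"ns1.cdn.example"})},
    {"static.example": frozenset({"ns1.static.example"}),
     "flux.example": frozenset({"ns2.b.invalid"}),
     "cdn.example": frozenset({"ns2.cdn.example"})},
    {"static.example": frozenset({"ns1.static.example"}),
     "flux.example": frozenset({"ns3.c.invalid"}),
     "cdn.example": frozenset({"ns3.cdn.example"})},
    {"static.example": frozenset({"ns1.static.example"}),
     "flux.example": frozenset({"ns4.d.invalid"}),
     "cdn.example": frozenset({"ns1.cdn.example"}),
     "new.example": frozenset({"ns1.new.example"})},
]


def pending_changes(current, preview):
    """Delegations that will differ between the live zone and the next
    published preview. Returns {domain: (old_ns_set, new_ns_set)}; a new
    delegation has old_ns_set None, a removed one has new_ns_set None."""
    changes = {}
    for domain in set(current) | set(preview):
        old, new = current.get(domain), preview.get(domain)
        if old != new:
            changes[domain] = (old, new)
    return changes


def change_counts(previews):
    """Number of times each delegation changed across consecutive previews."""
    counts = defaultdict(int)
    for domain in set().union(*previews):
        counts[domain] = 0  # make stable delegations visible with a zero
    for earlier, later in zip(previews, previews[1:]):
        for domain in pending_changes(earlier, later):
            counts[domain] += 1
    return dict(counts)


def flag_fast_flux(previews, max_changes, exceptions=frozenset()):
    """Domains whose delegation changed more than max_changes times over the
    retained previews, excluding the policy exception list. Sorted so the
    result is stable for logging or for feeding a local block/alert list."""
    counts = change_counts(previews)
    return sorted(d for d, n in counts.items()
                  if n > max_changes and d not in exceptions)


if __name__ == "__main__":
    # Policy knob (assumed): more than one delegation change over the
    # retained window is treated as flux.
    print(flag_fast_flux(PREVIEWS, max_changes=1, exceptions={"cdn.example"}))
    print(pending_changes(PREVIEWS[2], PREVIEWS[3]))
```

Because the preview is published ahead of the change, `pending_changes` lets the edge decide before the new delegation is live, which is the timing advantage the post is after; `flag_fast_flux` is the rate-based policy that the exception list keeps from catching legitimately dynamic operators.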




More information about the NANOG mailing list