Interesting new dns failures

David Ulevitch davidu at
Thu May 24 07:01:03 UTC 2007

Douglas Otis wrote:
> On May 22, 2007, at 2:16 PM, Gadi Evron wrote:
>> On Tue, 22 May 2007, David Ulevitch wrote:
>>> These questions, and more (but I'm biased to DNS), can be solved at 
>>> the edge for those who want them.  It's decentralized there.  It's 
>>> done the right way there.  It's also doable in a safe and fail-open 
>>> kind of way.
>>> This is what I'm talking about.
>> Agreed.
> Gadi,
> What is the downside of a "preview" of zones being published by a 
> TLD?  Previews could be on a 12 or 24 hour cycle.  This would enable 
> defenses at the edge by disabling fast-flux outright.  There could be 
> exceptions, of course.  When millions of domains are in rapid flux 
> daily, few protective schemes are able to sustain or afford the 
> dispersion of raw threat information.  In addition, these raw updates 
> arrive too late at that.  A "preview" would not change how the core 
> works, only how fast changes occur, while also dramatically reducing 
> the amount data required for comprehensive protections at the edge.
> This would be a policy change at the core that enables defenses at the 
> edge.
Lots of people already track newly added domains.  Rick Wesson runs a 
feed called Day old bread that is just such a feed.

Again, good idea, but doesn't belong in the core.  If I register a 
domain, it should be live immediately, not after some 5 day waiting 
period.  On the same token, if you want to track new domains and not 
accept any email from me until my domain is 5 days old, go for it.  Your 


> -Doug

More information about the NANOG mailing list