Interesting new dns failures
David Ulevitch
davidu at everydns.net
Thu May 24 07:01:03 UTC 2007
Douglas Otis wrote:
>
> On May 22, 2007, at 2:16 PM, Gadi Evron wrote:
>> On Tue, 22 May 2007, David Ulevitch wrote:
>>
>>> These questions, and more (but I'm biased to DNS), can be solved at
>>> the edge for those who want them. It's decentralized there. It's
>>> done the right way there. It's also doable in a safe and fail-open
>>> kind of way.
>>>
>>> This is what I'm talking about.
>>
>> Agreed.
>
> Gadi,
>
> What is the downside of a "preview" of zones being published by a
> TLD? Previews could be on a 12 or 24 hour cycle. This would enable
> defenses at the edge by disabling fast-flux outright. There could be
> exceptions, of course. When millions of domains are in rapid flux
> daily, few protective schemes are able to sustain or afford the
> dispersion of raw threat information. In addition, these raw updates
> arrive too late at that. A "preview" would not change how the core
> works, only how fast changes occur, while also dramatically reducing
> the amount of data required for comprehensive protections at the edge.
>
> This would be a policy change at the core that enables defenses at the
> edge.

Lots of people already track newly added domains. Rick Wesson runs a
feed called Day old bread that is just such a feed.

Again, good idea, but doesn't belong in the core. If I register a
domain, it should be live immediately, not after some 5 day waiting
period. On the same token, if you want to track new domains and not
accept any email from me until my domain is 5 days old, go for it. Your
prerogative.

-david

>
> -Doug
>
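
The edge-side policy described in the reply above, as an added example that is not part of the original message: defer mail from domains younger than 5 days using a feed of newly seen domains, and fail open when the feed is missing or stale. The feed format, the `.test` domains, the 24-hour staleness limit and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(days=5)                # hold-off window named in the reply
MAX_FEED_STALENESS = timedelta(hours=24)   # assumption: feed is refreshed daily
NOW = datetime(2007, 5, 24, 7, 1, 3, tzinfo=timezone.utc)  # constructed clock

# Constructed sample feed: "domain first-seen-timestamp", one entry per line.
SAMPLE_FEED = """\
example-new.test 2007-05-23T06:00:00+00:00
example-old.test 2007-05-01T00:00:00+00:00
"""

def parse_feed(text):
    """Parse feed lines; malformed or timezone-less entries are skipped."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ts = datetime.fromisoformat(parts[1])
        except ValueError:
            continue
        if ts.tzinfo is not None:
            seen[parts[0].lower().rstrip(".")] = ts
    return seen

def lookup(seen, domain):
    """Match the domain or any parent of it, never the bare TLD."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        hit = seen.get(".".join(labels[i:]))
        if hit is not None:
            return hit
    return None

def decide(sender, seen, feed_fetched_at, now):
    """Return 'accept' or 'defer' (a temporary failure, so senders retry)."""
    # Fail open: a missing or stale feed must never cause mail to be held.
    if not seen or feed_fetched_at is None or now - feed_fetched_at > MAX_FEED_STALENESS:
        return "accept"
    first_seen = lookup(seen, sender.rpartition("@")[2])
    if first_seen is not None and now - first_seen < MIN_AGE:
        return "defer"
    return "accept"
```
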