Interesting new dns failures
davidu at everydns.net
Thu May 24 07:01:03 UTC 2007
Douglas Otis wrote:
> On May 22, 2007, at 2:16 PM, Gadi Evron wrote:
>> On Tue, 22 May 2007, David Ulevitch wrote:
>>> These questions, and more (but I'm biased to DNS), can be solved at
>>> the edge for those who want them. It's decentralized there. It's
>>> done the right way there. It's also doable in a safe and fail-open
>>> kind of way.
>>> This is what I'm talking about.
> What is the downside of a "preview" of zones being published by a
> TLD? Previews could be on a 12 or 24 hour cycle. This would enable
> defenses at the edge by disabling fast-flux outright. There could be
> exceptions, of course. When millions of domains are in rapid flux
> daily, few protective schemes are able to sustain or afford the
> dispersion of raw threat information. In addition, these raw updates
> arrive too late at that. A "preview" would not change how the core
> works, only how fast changes occur, while also dramatically reducing
> the amount data required for comprehensive protections at the edge.
> This would be a policy change at the core that enables defenses at the
Lots of people already track newly added domains. Rick Wesson runs a
feed called Day old bread that is just such a feed.
Again, good idea, but doesn't belong in the core. If I register a
domain, it should be live immediately, not after some 5 day waiting
period. On the same token, if you want to track new domains and not
accept any email from me until my domain is 5 days old, go for it. Your
More information about the NANOG