Hey, SiteFinder is back, again...

Patrick W. Gilmore patrick at ianai.net
Mon Nov 5 16:52:02 UTC 2007

On Nov 5, 2007, at 10:54 AM, Andrew Sullivan wrote:
> On Sun, Nov 04, 2007 at 08:32:25AM -0500, Patrick W. Gilmore wrote:
>> A single provider doing this is not equivalent to the root servers
>> doing it.  You can change providers, you can't change "." in DNS.
> This is true, but Verisign wasn't doing it on root servers, IIRC, but
> on the .com and .net TLD servers.  Not that that's any better.

Touché.  Guess I wasn't awake when I wrote that.  But .com/.net is  
still bad (as you say).

> The last time I heard a discussion of this topic, though, I heard
> someone make the point that there's a big difference between
> authority servers and recursing resolvers, which is the same sort of
> point as above.  That is, if you do this in the authority servers for
> _any_ domain (., .com, .info, or .my.example.org for that matter),
> it's automatically evil, because of the meaning of "authority".  One
> could argue that it is less evil to do this at recursive servers,
> because people could choose not to use that service by installing
> their own full resolvers or whatever.  I don't know that I accept the
> argument, but let's be clear at least in the difference between doing
> this on authority servers and recursing resolvers.

I would argue against such a blanket statement.  Doing this in an  
authority for a TLD is bad, because most people don't have a choice of  
TLD.  (Or at least think they don't.)

But if I want to put in a wildcard for *.ianai.net, then there is  
nothing evil about that.  In fact, I've been doing so for years (just  
'cause I'm lazy), and no one has even noticed.  It is my domain, I  
should be allowed to do whatever I want with it as long as I pay my  
$10/year and don't use it to abuse someone else.

Hijacking user requests on caching name servers is very, very bad,  
because 1) the user probably doesn't know they are being hijacked, and  
2) even if the user did, most wouldn't know how to get around it.  So  
you're back to the TLD authority problem, there is no choice in the  


More information about the NANOG mailing list