Root Server Operators (Re: What *are* they smoking?)

Mailman List Mirror (Read Only)
1

Can you also program something to do this for all root zones,
i.e. something like 'zone ".*" { type deligation-only; };'

no. not just because that's not how our internal hashing works, but
because "hosted" tld's like .museum have had wildcards from day 1 and
the registrants there are perfectly comfortable with them. there's
no one-policy-fits-all when it comes to tld's, so we would not want
to offer a knob that tried to follow a single policy for all tld's.

And make it default configuration for new bind releases...

never. not for your example, nor for any set of tld's. the default for
bind will be what it's always been -- to respect the autonomy of the
zone administrator/publisher. overriding that autonomy has to be a
local act by a local name server administrator who is fully conscious of
the impact of their configuration change. once, with "check-names", isc
was accused of "legislating from the bench". never again.

2

Paul Vixie wrote:

no. not just because that's not how our internal hashing works, but
because "hosted" tld's like .museum have had wildcards from day 1 and
the registrants there are perfectly comfortable with them. there's
no one-policy-fits-all when it comes to tld's, so we would not want
to offer a knob that tried to follow a single policy for all tld's.

I agree Paul. This is a policy issue and not a technical issue. TLDs that are sponsored or setup with a specific design sometimes do and should be allowed to use the wildcard for the tld. The issue has become that net and com are public trusts and changes were made to them without authorization by the public and damage was caused as a result.

Just as root server operators are subject to operating as IANA dictates, so should Verisign be subject to operating as IAB and ICANN dictate. The Internet as a whole depends on the predictability of TLDs. It is impossible to maintain a security policy based on unpredictable information.

I would recommend that the TLDs which do utilize wildcards setup or restrict such use in a predictable manner. While historically it has not been an issue, such as nonexistant .museum domains being forged in email envelopes, such practices could be exploited at a later time. The ability to recognize that a domain is not registered and should not be used is paramount in basic forgery detection.

One method that might be considered for recursive servers as well as resolvers, is the ability to specify if a wildcard entry will be accepted or not, perhaps at any level or just at the 2nd level. Cached records which are wildcards could be marked as such so that subsequent queries could specify desire of accepting or not accepting the wildcard entry. A web browser, for example, which supports its own redirections for NXDOMAIN, might wish to ignore the wildcard records, as would smtp servers.

While I believe that net and com should never have wildcards, the ability to detect, cache, and override wildcards for tld's such as .museum when the application requires it is paramount. I realize that the client software can perform the queries and detection itself, but in many cases, there wouldn't be an effecient way to cache the information without the resolver and recursive cache being aware of the process and performing such detection would require two queries versus one.

-Jack

3

One method that might be considered for recursive servers as well as

> resolvers, is the ability to specify if a wildcard entry will be
> accepted or not, perhaps at any level or just at the 2nd level. Cached
> records which are wildcards could be marked as such so that subsequent
> queries could specify desire of accepting or not accepting the wildcard
> entry. A web browser, for example, which supports its own redirections
> for NXDOMAIN, might wish to ignore the wildcard records, as would smtp
> servers.

Verisign is at least using 15 minute ttls on the wildcards. Not that
I think a wildcard in .com/.net is a great idea, but with the low ttls,
it won't cache that long.

> While I believe that net and com should never have wildcards, the
> ability to detect, cache, and override wildcards for tld's such as
> .museum when the application requires it is paramount. I realize that
> the client software can perform the queries and detection itself, but in
> many cases, there wouldn't be an effecient way to cache the information
> without the resolver and recursive cache being aware of the process and
> performing such detection would require two queries versus one.

What if there was a requirement to add something that would work as a
wildcard, but also be easily detected as a wildcard with one additional
query? thisisawildcard.*.com IN A 127.0.0.1 or something. One additional
query, and applications can decide whether they want a wildcard result or
not. That could be added to spam filters to make them work again.

I'm not sure if one can use wildcards in that way, but that would solve
the problem and let them keep their wildcards, and put the ball into
the court of the application developers.

Aaron

4

Aaron Dewell wrote:

What if there was a requirement to add something that would work as a
wildcard, but also be easily detected as a wildcard with one additional
query? thisisawildcard.*.com IN A 127.0.0.1 or something. One additional
query, and applications can decide whether they want a wildcard result or
not. That could be added to spam filters to make them work again.

One additional query is the problem. For example, a mail server running sendmail with a bind recursor. If sendmail has to check for the wildcard, it will have to check for *.com as well as example.com and do a set comparison to see if example.com is a wildcard. For every new process, this has to be repeated, doubling the number of queries on the recusor.

If, however, the recursor performed the processes, caching *.com for the TTL and recognizing that all domains resolving to its set is also a wildcard, and caching/marking them as such, then the resolver can request the record, without wildcards, on behalf of sendmail. This means one query to the recursor who has properly cached 1) the domain record, 2) if the domain record is a wildcard, and 3) the wildcard set. This is about the minimal number of queries that can be performed across the board. Applications that want to accept the wildcard would ask the record normally (accepting wildcard).

-Jack

5

Aaron Dewell wrote:

>
> > What if there was a requirement to add something that would work as a
> > wildcard, but also be easily detected as a wildcard with one additional
> > query? thisisawildcard.*.com IN A 127.0.0.1 or something. One additional
> > query, and applications can decide whether they want a wildcard result or
> > not. That could be added to spam filters to make them work again.
>
> One additional query is the problem. For example, a mail server running
> sendmail with a bind recursor. If sendmail has to check for the
> wildcard, it will have to check for *.com as well as example.com and do
> a set comparison to see if example.com is a wildcard. For every new
> process, this has to be repeated, doubling the number of queries on the
> recusor.

The comparison could be eliminated with the thisisawildcard flag
or similar, but either way, yes, it doubles the number of lookups.
Not ideal, but it works, and given that Verisign is going to continue
to do what they are doing unless DoC or ICANN tells them not to (may or
may not happen), this makes a reasonable backup plan. If DoC and ICANN
won't tell them to knock it off, they might tell them to make it more
obvious in this way.

Yes, it's more overhead for everyone else to make up for their brilliant
marketing idea, but it would work. What other plan does everyone have
if ICANN says "Oh, it's ok, we don't mind, whatever they want to do
is fine"? How many people (realistically) are going to deploy the
ISC patch? When Paul Vixie says he doesn't really like it? And it's
only available for BIND 9?

As someone else pointed out, this battle is in a completely different
arena. MSN and AOL aren't going to implement the patch, guarenteed.
They _might_ redirect traffic to that IP to their own site. And only
that until a lawsuit gets filed.

The point is, this makes a reasonable backup plan. Far from ideal, but
we're dealing with a state-supported monopoly who can do whatever they
want. Get this in place, then think about how to throw the monopolies
out. This works in the meantime. They will likely compromise this far,
even if they won't back down.

If the IPv6 specs were modified somewhat, one could assign a prefix to
everyone and every organization, and use a registry to map them, like
the ID system that someone else mentioned (sorry, I don't have the email
in front of me). Those projects could be combined to solve the problem
for all time. That's a separate issue that needs more research.

> If, however, the recursor performed the processes, caching *.com for the
> TTL and recognizing that all domains resolving to its set is also a
> wildcard, and caching/marking them as such, then the resolver can
> request the record, without wildcards, on behalf of sendmail. This means
> one query to the recursor who has properly cached 1) the domain record,
> 2) if the domain record is a wildcard, and 3) the wildcard set. This is
> about the minimal number of queries that can be performed across the
> board. Applications that want to accept the wildcard would ask the
> record normally (accepting wildcard).

The TTL is 15 minutes, so your hypothetical server would be throwing away
it's cache every 15 minutes. Then re-querying everything. You'd have to
have a _lot_ of outgoing email to justify that.

This solution still requires increased overhead, and more modifications
to BIND. Which has more impact on your server, this BIND overhead, or one
additional query from your MTA? My guess is the query is cheaper overall.
And you have to convince ISC to implement these changes, or write them
yourself, then you have the potential cost of an unstable nameserver.
Overall, I'd take the one addition query based on the compromise solution.

Aaron

6

Aaron Dewell wrote:

The point is, this makes a reasonable backup plan. Far from ideal, but
we're dealing with a state-supported monopoly who can do whatever they
want. Get this in place, then think about how to throw the monopolies
out. This works in the meantime. They will likely compromise this far,
even if they won't back down.

I'm thinking security for the long term. Even if com and net are returned to their non-wildcard states, there are other tld's which will continue using wildcards. Subject to a wildcard bit being implemented to DNS, my suggested method allows for optimum performance and functionality when DNS is being used as part of a security model.

The TTL is 15 minutes, so your hypothetical server would be throwing away
it's cache every 15 minutes. Then re-querying everything. You'd have to
have a _lot_ of outgoing email to justify that.

I don't know about you, but I don't want to cache bogus information for longer than 15 minutes. If someone sends random-string domains as the envelope from to my mail server, I want the cache to purge itself quickly. Yet, if they are sending the same bad address to my mail server repetitively, I want my cache to hold the record briefly; say 15 minutes. I'd hate to see a spammer issuing jlkfsjklfsj.com 5,000 times to my mail server in rapid succession and my recursor have to ask for it every time. On the other side, I would hate to cache 100,000 bogus domains for 1 day, wasting cache.

This solution still requires increased overhead, and more modifications
to BIND. Which has more impact on your server, this BIND overhead, or one
additional query from your MTA? My guess is the query is cheaper overall.
And you have to convince ISC to implement these changes, or write them
yourself, then you have the potential cost of an unstable nameserver.
Overall, I'd take the one addition query based on the compromise solution.

My mail server doesn't use a bind recursor, so I'll end up making the change myself for that particular system. However, a solution needs to be devised for the long term. The best solution is a wildcard bit. Second to that, smart recursors and resolvers that can detect the wildcard.

-Jack