Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?

> that's one aspect yes. the validation chain should tell
> you who signed the delegations. It won't lie.
> you will know that V'sign put that data there.

How frikking many hacks will we need to BIND9 to work around this braindamage?
One to stuff back in the NXDomain if the A record points there, another to
do something with make-believe DNSsec from them..... What's next?

  'splain "braindamage" in this context please.
  DNSSEC - signed data in the zone.
  wildcards - part of the spec.

  if vt.edu wants to place a:

    * in a 198.82.247.53
  
  in the vt.edu zone, why should anyone complain that now vt.edu
  doesn't return NXDOMAIN for all un-delegated entries? You want
  that everyone should hack the DNS to force NXDOMAINS for your
  wildcard? Feh.

  DNSSEC will tell a validating resolver the signature of each
  party that signed part of the chain. If Verisign wishes to
  sign bits of data that might exist under the delegation point
  they have responsibility for, I'm in favor. It's not "make-believe"
  ... or perhaps I don't understand your angst.

> if vt.edu wants to place a:
>
>   * in a 198.82.247.53
>
> in the vt.edu zone, why should anyone complain that now vt.edu
> doesn't return NXDOMAIN for all un-delegated entries? You want
> that everyone should hack the DNS to force NXDOMAINS for your
> wildcard? Feh.

So you’re saying it’s OK when Verisign does the same exact thing one level up?
Or are you surprised that people are coding it for the Verisign case?

The difference is when we urinate in our zone of the DNS, it’s OUR zone.
When Verisign does it, they’re not urinating in THEIR .COM, they’re
urinating in a .COM they were holding in the public trust.

If in fact .COM is now Verisign’s playground rather than a public trust,
then that’s a different matter.

> DNSSEC will tell a validating resolver the signature of each
> party that signed part of the chain. If Verisign wishes to
> sign bits of data that might exist under the delegation point
> they have responsibility for, I'm in favor. It's not "make-believe"
> ... or perhaps I don't understand your angst.

The point is they're not signing data that might exist, they're signing data that
doesn't exist. If a query for www.never-existed.com comes in, what
exactly is getting signed? (Yes, if it's a synthesized reply based on a wildcard,
you can count the NXTs and stuff to determine that - but I quite frankly don't
trust the Verisign people to not intentionally obfuscate the replies to make this
impossible...)
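The check the last paragraph alludes to, telling a wildcard-synthesized answer from a real one by what DNSSEC actually signed, as an added Python example that is not from this thread or from BIND: the SignedAnswer fields, the simplified canonical-order comparison and the sample names are constructed.

```python
# Added example, not from the thread. A SIG (RFC 2535) or RRSIG (RFC 4034)
# carries a "labels" field: the label count of the owner name that was really
# signed, with a leading "*" not counted. An A record synthesized from "*.com"
# for www.never-existed.com is therefore signed with labels=1 while the query
# name has 3, and the NXT/NSEC in the authority section must prove that the
# "next closer" name (never-existed.com) does not exist. Sample data is constructed.
from dataclasses import dataclass, field

@dataclass
class SignedAnswer:
    qname: str                 # name the resolver asked for
    rrsig_labels: int          # labels field of the SIG/RRSIG covering the A RRset
    nsec: list = field(default_factory=list)  # (owner, next) pairs from authority section

def labels(name):
    return [l.lower() for l in name.rstrip('.').split('.') if l]

def canonical_key(name):
    # DNSSEC canonical order compares from the rightmost label; simplified here
    # to case-insensitive label strings, adequate for ASCII hostnames.
    return tuple(reversed(labels(name)))

def nsec_covers(pair, name):
    owner, nxt = pair
    k, ko, kn = canonical_key(name), canonical_key(owner), canonical_key(nxt)
    if ko < kn:
        return ko < k < kn
    return k > ko or k < kn   # last NXT/NSEC in the zone wraps around to the apex

def classify(answer):
    n = len(labels(answer.qname))
    if answer.rrsig_labels == n:
        return "exact"         # the queried name itself was signed
    if answer.rrsig_labels > n:
        return "bogus"         # a signature can never claim more labels than the owner
    # Fewer labels: the RRset was signed at a wildcard. The "next closer" name is
    # the query name cut down to one label more than the closest encloser.
    next_closer = ".".join(labels(answer.qname)[n - (answer.rrsig_labels + 1):])
    if any(nsec_covers(p, next_closer) for p in answer.nsec):
        return "synthesized"   # wildcard expansion, and the non-existence is proven
    return "unproven"          # wildcard expansion with no proof that nothing closer exists
```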