Verisign Responds

> Courts are likely to support the position that Verisign has control of .net
> and .com and can do pretty much anything they want with it.

ISC has made root-delegation-only the default behaviour in the new bind,
how about drafting up an RFC making it an absolute default requirement for
all DNS?

-Dan

  That would be making a fundamental change to the DNS
  to make wildcards illegal anywhere. Is that what you
  want?

--bill

no it wouldn't. it would just make wildcards illegal in top level domains,
not subdomains.

-Dan

it would just make wildcards illegal in top level domains,
not subdomains.

there are tlds with top level wildcards that are needed and
in legitimate use.

verisign has not done anything strictly against spec. this
is a social and business issue.

all this noise and bluster is depressing. it indicates that
we are in a very quickly maturing industry because a lot of
probably-soon-to-be-ex engineers have too much time on their
hands.

randy

Randy Bush wrote:

it would just make wildcards illegal in top level domains, not subdomains.

there are tlds with top level wildcards that are needed and
in legitimate use.

verisign has not done anything strictly against spec. this
is a social and business issue.

And this in itself indicates a possible failure in our model. When someone can do something that causes so much outrage, and we the community have no recourse, something is wrong. Maybe we're in the realm of politics, but our implementations reflect our values.

Do you feel the same today about the GPG/PGP v. X.509 as you did before Verisign decided to become an unauthorized interloper? Might we have a standards problem with SSL, because people cannot simply NOT trust Verisign certs? After all, how many certificates can you get out of SSL for a server or a client?

all this noise and bluster is depressing. it indicates that
we are in a very quickly maturing industry because a lot of
probably-soon-to-be-ex engineers have too much time on their
hands.

I take a different view. If people who are upset with Verisign's change DON'T say anything, then there's no reason for Verisign to change. I suspect that the better forum may be one's Congress person...

Eliot

Dan Hollis wrote:

Courts are likely to support the position that Verisign has control of .net and .com and can do pretty much anything they want with it.

ISC has made root-delegation-only the default behaviour in the new bind, how about drafting up an RFC making it an absolute default requirement for all DNS?

That would be making a fundamental change to the DNS
to make wildcards illegal anywhere. Is that what you
want?

no it wouldn't. it would just make wildcards illegal in top level domains, not subdomains.

Actually, it's worse than that. root-delegation-only does not just change the wildcard behavior. RRs which are in the tld itself instead of being delegated (like some of the ccTLDs) break if forced into root-delegation-only. This is one of the points in the IAB opinion concerning remedies causing other problems.

The issue itself is political, but it does have technical ramifications. It's still to be seen if ISC's cure is worse than the disease; as instead of detecting and stopping wildcard sets, it looks for delegation. It is also configurable to a degree that inexperienced operators will break their DNS implementations out of ignorance (like ignoring the ISC recommendation and root-delegating .de).

One should consider sponsored TLDs like .museum the exception. If you have filtering rules (like smtp) that are bypassed as a result of the wildcard, then those rules themselves should be changed. The sponsored TLDs and even a lot of the ccTLDs have a rather small subdomain base, allowing for unified agreement on changes made to the zone. The legacy TLDs should be rather static to ensure stability in DNS architecture overall. The subdomain base is massive, making communication and agreement on changes difficult. If I'm not mistaken, this is one of the duties of ICANN.

-Jack

Folks,

And this in itself indicates a possible failure in our model. When
someone can do something that causes so much outrage, and we the
community have no recourse, something is wrong. Maybe we're in the
realm of politics, but our implementations reflect our values.

Verisign effectively disabled an error response. The response would not exist
in the protocol if it were not to be used.

Hence, Verisign changed the protocol.

That's a technical violation of the standard, not a social or business one.

Folks are free to negotiate their own version of protocols. However, when a
provider imposes a change by fiat, they have rendered the work technically
proprietary.

The IAB and the ICANN advisory panel reports characterise the technical issues
carefully and thoroughly. They make clear that the technical and operational
ramifications of this change are massive.

/d

It's still to be seen if ISC's cure is worse than the disease; as
instead of detecting and stopping wildcard sets, it looks for delegation.

that's because wildcard ("synthesized") responses do not look different
on the wire, and looking for a specific A RR that can be changed every day
or even loadbalanced through four /16's that may have real hosts in them
seems like the wrong way forward.
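Two technical points in this thread can be made concrete with a small model: Jack's observation that a delegation-only policy on a TLD suppresses not only wildcard-synthesized answers but also records a TLD serves directly, and Paul Vixie's observation that a synthesized answer is indistinguishable on the wire from a real one, so the only robust check is to ask for a name that cannot exist. The Python below is an added illustration, not code from the thread, from ISC or from BIND; the zone is constructed, "tld." is a placeholder TLD name, and "delegation-only" here is a simplified model of the policy, not BIND's implementation.

```python
"""Toy model of a TLD zone with a wildcard, an authoritative lookup per the
wildcard rules of RFC 1034 (simplified), and a delegation-only filter.
Added illustration: not code from the thread, ISC or BIND. Zone data is
constructed and "tld." is a placeholder TLD name."""
import secrets

TLD = "tld."

# Constructed zone: owner name -> list of (type, rdata). Not real data.
ZONE = {
    "tld.": [("SOA", "ns1.tld. hostmaster.tld. 1 3600 900 604800 3600"),
             ("NS", "ns1.tld.")],
    "example.tld.": [("NS", "ns1.example.tld.")],  # an ordinary delegation
    "ns1.example.tld.": [("A", "192.0.2.10")],     # glue for that delegation
    "www.tld.": [("A", "192.0.2.20")],             # host served directly by the TLD
    "*.tld.": [("A", "192.0.2.99")],               # SiteFinder-style wildcard
}


def ancestors(name):
    """The name itself, then each parent up to and including the apex."""
    assert name.endswith("." + TLD) or name == TLD, "model only covers names under TLD"
    out = [name]
    while out[-1] != TLD:
        out.append(out[-1].split(".", 1)[1])
    return out


def authoritative(qname, qtype):
    """What the TLD's authoritative server puts on the wire as a tuple
    (qname, rcode, answer RRs, authority RRs). Nothing in the tuple records
    whether the answer was synthesized from the wildcard: that is Vixie's
    point, a synthesized answer looks like any other answer."""
    chain = ancestors(qname)
    # 1. At or below a delegation point (a non-apex name holding NS): referral.
    for anc in chain:
        if anc == TLD:
            break
        if anc in ZONE and any(t == "NS" for t, _ in ZONE[anc]):
            return (qname, "NOERROR", [], [rr for rr in ZONE[anc] if rr[0] == "NS"])
    # 2. Exact match: answer from the zone.
    if qname in ZONE:
        return (qname, "NOERROR", [rr for rr in ZONE[qname] if rr[0] == qtype], [])
    # 3. No such name: a wildcard at the closest existing ancestor is synthesized.
    for anc in chain[1:]:
        if anc in ZONE:
            wildcard = "*." + anc
            if wildcard in ZONE:
                return (qname, "NOERROR",
                        [rr for rr in ZONE[wildcard] if rr[0] == qtype], [])
            break
    return (qname, "NXDOMAIN", [], [])


def delegation_only(wire):
    """Simplified model of a delegation-only resolver policy for this TLD:
    only referrals and the apex's own records are accepted from the TLD
    server; any other data the TLD answers directly is turned into NXDOMAIN.
    This is what suppresses the wildcard, and also what breaks a TLD that
    legitimately serves records in-zone."""
    qname, rcode, answer, authority = wire
    if qname == TLD or rcode != "NOERROR":
        return wire
    if answer:  # data answered directly by the TLD, not a referral
        return (qname, "NXDOMAIN", [], [])
    return wire


def resolve(qname, qtype, policy=None):
    """Authoritative answer, optionally passed through a resolver policy."""
    wire = authoritative(qname, qtype)
    return wire if policy is None else policy(wire)


def probe_wildcard(tld):
    """Probe-based detection: ask for a random label that cannot exist and
    see whether the TLD answers with data anyway."""
    label = "probe-" + secrets.token_hex(8)
    _, rcode, answer, _ = authoritative(f"{label}.{tld}", "A")
    return rcode == "NOERROR" and bool(answer)


if __name__ == "__main__":
    for q in ("nosuchname.tld.", "www.tld.", "example.tld."):
        print(q, "raw:", resolve(q, "A")[1:],
              "delegation-only:", resolve(q, "A", delegation_only)[1:])
    print("wildcard detected by probe:", probe_wildcard(TLD))
```

Running it shows the trade-off the thread is arguing about: the random-label query and the real `www.tld.` host both come back as plain NOERROR answers with one A record, so the filter cannot tell them apart and turns both into NXDOMAIN, while ordinary delegations pass through untouched.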

And the usual US-centric view...

Which congress person does Demon Netherlands, T-dialin, Wanadoo
France, Tiscali etc. go to?

Jim Segrave wrote:

And the usual US-centric view...

Which congress person does Demon Netherlands, T-dialin, Wanadoo
France, Tiscali etc. go to?

I recognize it sounds U.S.-centric, but quite frankly since the U.S. Department of Commerce claims ownership here, I don't have any grander, more politically correct answer for you.

Eliot

Paul Vixie wrote:

It's still to be seen if ISC's cure is worse than the disease; as instead of detecting and stopping wildcard sets, it looks for delegation.

that's because wildcard ("synthesized") responses do not look different
on the wire, and looking for a specific A RR that can be changed every day
or even loadbalanced through four /16's that may have real hosts in them
seems like the wrong way forward.

See the NANOG archives for my post regarding wildcard caching and set comparison with additional resolver functionality for requesting if the resolver wishes to receive wildcards or NXDOMAIN.

-Jack