[dns-operations] Ya.com says "The internet is mine"

Edward Lewis Ed.Lewis at neustar.biz
Tue Aug 8 20:54:05 UTC 2006


>>  For one thing, as you can deduce from the last sentence quoted,
>>  they operate an open recursive name server.

After the discussions about this in March and April or so, my 
impression is that an open recursive name service is not the serious 
malady it has been claimed to be.  A design flaw in the routing 
system is the culprit in attacks that have made use of open recursive 
name servers.

>>  This implies that an application that's aware of their
>>  DNS "standards", will be able to tell synthesized from real.

I can't parse that.  But I'll respond about "synthesized" and "real."

There is no difference, in a DNS response, between a synthesized and 
so-called real record.  Yes, you can tell in DNSSEC if a wildcard was 
employed, but the truth is that the protocol does not accommodate 
making a distinction between a zone being updated rapidly and a 
server generating responses on the fly.  All responses are "real" 
- whether the answer was entered manually or the result of an 
algorithmic synthesis does not matter.

What does matter is the RFC 2181 notion of trustworthiness of a response.

>>  This goes to emphasize the statement in the subject line,
>>  in more than the original meaning. People invent their own
>>  DNS protocols time and again, leading to varying levels of
>>  pain and/or breakage.

My assessment is that the subject line is a hyperbole.  If you ask 
the server for an existing name, does it send a "false" answer?  I 
checked a small sample and the answer is no.  Conjecture is that they 
only "mess" with what does not exist.

It bothers me that folks get heartburn over "false" negative answers. 
(There's debate whether DNSSEC ought to have covered negative 
answers.)  If it matters to know if a domain is registered, use the 
correct protocol for that - WhoIs or hopefully someday IRIS.  The DNS 
is not the contents of a registry, DNS is a "report" out of a 
registry database that may be mucked with.

Is the point of this message to promote DNSSEC?  Or is the point to 
say that ISPs that offer their own filtered version of DNS to their 
subscribers are evil?
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Soccer/Futbol. IPv6.  Both have lots of 1's and 0's and have a hard time
catching on in North America.
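The one distinction the post concedes is visible in DNSSEC: a signed answer expanded from a wildcard carries an RRSIG whose Labels field is smaller than the label count of the owner name in the answer (RFC 4034 section 3.1.3, RFC 4035 section 5.3.4). The following is an added example, not code from the post or the list; the `Rrsig` class and the sample records are constructed for illustration.

```python
"""Detect DNSSEC wildcard synthesis from an RRSIG's Labels field.

RFC 4034 section 3.1.3: the Labels field holds the number of labels in the
original owner name, not counting the root label and not counting a
leading "*".  RFC 4035 section 5.3.4: when Labels is smaller than the
label count of the owner name in the response, the RRset was synthesized
from a wildcard, and the wildcard owner can be rebuilt for the NSEC/NSEC3
closest-encloser check a validator must still perform.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rrsig:
    """Minimal RRSIG view (constructed): only the fields this check needs."""
    owner: str         # owner name as it appears in the answer section
    type_covered: str  # e.g. "A"
    labels: int        # RRSIG Labels field from the wire record


def _labels(name: str) -> List[str]:
    """Split a presentation-format name into labels, dropping the root."""
    return [l for l in name.rstrip(".").split(".") if l]


def label_count(name: str) -> int:
    """Label count as the Labels field defines it: no root, no leading '*'."""
    parts = _labels(name)
    if parts and parts[0] == "*":
        parts = parts[1:]
    return len(parts)


def wildcard_origin(rrsig: Rrsig) -> Optional[str]:
    """Return the wildcard owner the RRset was expanded from, or None when
    the signed owner matches the answer's owner name exactly."""
    parts = _labels(rrsig.owner)
    if rrsig.labels > len(parts):
        # A Labels field larger than the owner can never verify.
        raise ValueError("RRSIG Labels exceeds owner label count: bogus")
    if rrsig.labels == len(parts):
        return None
    return "*." + ".".join(parts[len(parts) - rrsig.labels:]) + "."


def classify(records: List[Rrsig]) -> List[Tuple[str, str]]:
    """Tag each signed answer as 'exact' or 'wildcard:<origin>'."""
    out = []
    for r in records:
        origin = wildcard_origin(r)
        out.append((r.owner, "exact" if origin is None else "wildcard:" + origin))
    return out


# Constructed samples: a real record and one synthesized from *.example.com.
SAMPLE = [Rrsig("www.example.com.", "A", 3),
          Rrsig("nosuchname.example.com.", "A", 2)]
```

A resolver that sees the second shape for a name it expected to be nonexistent has the protocol-level evidence that the answer came from a wildcard rather than an explicit record.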
