[dns-operations] ``Ya.com says "The internet is mine" ''
Ed.Lewis at neustar.biz
Tue Aug 8 20:54:05 UTC 2006
>> For one thing, as you can deduce from the last sentence quoted,
>> they operate an open recursive name server.
After the discussions about this in March and April or so, my
impression is that an open recursive name service is not the serious
malady it has been claimed to be. A design flaw in the routing
system is the culprit in attacks that have made use of open recursive
>> This implies that an application that's aware of their
>> DNS "standards", will be able to tell synthesized from real.
I can't parse that. But I'll respond about "synthesized" and "real."
There is no difference, in a DNS response, between a synthesized and
so-called real record. Yes, you can tell in DNSSEC is a wildcard was
employed, but the truth is that the protocol does not accommodate
making a distinction between a zone being updated rapidly and a
server is generating responses on the fly. All responses are "real"
- whether the answer was entered manually or the result of an
algorithmic synthesis does not matter.
What does matter is the RFC 2181 notion of trustworthiness of a response.
>> This goes to emphasize the statement in the subject line,
>> in more than the original meaning. People invent their own
>> DNS protocols time and again, leading to varying levels of
>> pain and/or breakage.
My assessment is that the subject line is a hyperbole. If you ask
the server for an existing name, does it send a "false" answer? I
checked a small sample and the answer is no. Conjecture is that they
only "mess" with what does not exist.
It bothers me that folks get heartburn over "false" negative answers.
(There's debate whether DNSSEC ought to have covered negative
answers.) If it matters to know if a domain is registered, use the
correct protocol for that - WhoIs or hopefully someday IRIS. The DNS
is not the contents of a registry, DNS is a "report" out of a
registry database that may be mucked with.
Is the point of this message to promote DNSSEC? Or is the point to
say that ISPs that offer their own filtered version of DNS to their
subscribers are evil?
Edward Lewis +1-571-434-5468
Soccer/Futbol. IPv6. Both have lots of 1's and 0's and have a hard time
catching on in North America.
More information about the dns-operations