[dns-operations] "Ya.com says 'The internet is mine'"

Peter Dambier peter at peter-dambier.de
Tue Aug 8 21:17:48 UTC 2006


Edward Lewis wrote:
>>> For one thing, as you can deduce from the last sentence quoted,
>>> they operate an open recursive name server.
> 
> 
> After the discussions about this in March and April or so, my 
> impression is that an open recursive name service is not the serious 
> malady it has been claimed to be.  A design flaw in the routing 
> system is the culprit in attacks that have made use of open recursive 
> name servers.
> 
> 
>>> This implies that an application that's aware of their
>>> DNS "standards", will be able to tell synthesized from real.
> 
> 
> I can't parse that.  But I'll respond about "synthesized" and "real."
> 
> There is no difference, in a DNS response, between a synthesized and 
> so-called real record.  Yes, you can tell in DNSSEC if a wildcard was 
> employed, but the truth is that the protocol does not accommodate 
> making a distinction between a zone being updated rapidly and a 
> server generating responses on the fly.  All responses are "real" 
> - whether the answer was entered manually or the result of an 
> algorithmic synthesis does not matter.
> 
> What does matter is the RFC 2181 notion of trustworthiness of a response.
> 
> 
>>> This goes to emphasize the statement in the subject line,
>>> in more than the original meaning. People invent their own
>>> DNS protocols time and again, leading to varying levels of
>>> pain and/or breakage.
> 
> 
> My assessment is that the subject line is a hyperbole.  If you ask 
> the server for an existing name, does it send a "false" answer?  I 
> checked a small sample and the answer is no.  Conjecture is that they 
> only "mess" with what does not exist.
> 
> It bothers me that folks get heartburn over "false" negative answers. 
> (There's debate whether DNSSEC ought to have covered negative 
> answers.)  If it matters to know if a domain is registered, use the 
> correct protocol for that - WhoIs or hopefully someday IRIS.  The DNS 
> is not the contents of a registry, DNS is a "report" out of a 
> registry database that may be mucked with.
> 
> Is the point of this message to promote DNSSEC?  Or is the point to 
> say that ISPs that offer their own filtered version of DNS to their 
> subscribers are evil?

ISPs that offer their own filtered version of DNS to their subscribers are evil.

That is what I learned when somebody registered ".local" in an alternative root.
We got complaints from customers with zeroconf on Windows and Mac OS X.

In fact it was the other way round. Neither Microsoft nor Apple thought there
might be nameservers answering for ".local".

There are applications around that will break when they cannot find an
unpopulated space in DNS. They don't look in ".local"; they try COM/NET/ORG
for whatever funny reason.

Cheers
Peter and Karin

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
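The two checks raised in this thread, whether a resolver only "messes" with names that do not exist and whether a unicast resolver answers for ".local" names at all, can be run with one probe: query a random label that no registry can have populated and look at the wire reply. The script below is an added example, not part of the original post and not code from any participant. It uses only the Python standard library, assumes a plain UDP resolver on port 53, and the resolver address 192.0.2.53, the address 192.0.2.1 and the name nx-example.com are constructed placeholders.

```python
import os
import socket
import struct

QTYPE_A, RCODE_NOERROR, RCODE_NXDOMAIN = 1, 0, 3


def encode_name(name):
    """Dotted name -> DNS wire-format labels, terminated by the root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, txid, qtype=QTYPE_A):
    """Standard recursive query (RD=1), one question, class IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Read a possibly compressed name; return (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return (txid, rcode, answers); answers = [(name, qtype, rdata), ...]."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        qtype, _qclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if qtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, qtype, rdata))
        off += rdlen
    return txid, flags & 0x000F, answers


def classify(msg, expected_txid):
    """Label a reply to a query for a name that cannot exist."""
    txid, rcode, answers = parse_response(msg)
    if txid != expected_txid:
        return "mismatched-txid"
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"          # honest negative answer
    if rcode == RCODE_NOERROR and answers:
        return "synthesized"       # the resolver invented a record
    return "other"


def sample_response(query, rcode, answer_ip=None):
    """Constructed reply to `query` for offline use: echoes the question and
    optionally appends one A record whose owner is a pointer to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    an = 1 if answer_ip else 0
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, an, 0, 0) + query[12:]
    if answer_ip:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + socket.inet_aton(answer_ip)
    return msg


def probe(resolver_ip, suffix="com.", timeout=3.0):
    """Live check: query a random label under `suffix` and classify the reply.
    suffix="local." shows whether a unicast resolver answers for zeroconf names."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    name = "nx-" + os.urandom(6).hex() + "." + suffix
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    return name, classify(reply, txid)


if __name__ == "__main__":
    # Offline demonstration on constructed replies; replace 192.0.2.53 in a
    # call to probe() with the resolver actually being checked.
    q = build_query("nx-example.com.", 0x1234)
    print(classify(sample_response(q, RCODE_NXDOMAIN), 0x1234))               # nxdomain
    print(classify(sample_response(q, RCODE_NOERROR, "192.0.2.1"), 0x1234))   # synthesized
```

Run `probe()` a handful of times against the same resolver with random labels: a resolver that returns NXDOMAIN for random labels but an A record for an existing name is behaving as Edward's sample suggests, while a NOERROR answer for every random label is synthesis. The transaction-id check is there because a reply that does not match the probe's id should not be counted either way.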
