[dns-operations] Too Open (Was: OpenDNS makes your Internet work better

Paul Vixie paul at vix.com
Wed Jul 12 17:36:50 UTC 2006

> > 3. because i want to keep DNS open to non-web applications.
> I want to point out what we're releasing today in a test form for greater
> things to come:
> http://www.opendns.com/prefs/
> I hope this takes care of issues #1, #2, and #3.  

no, it won't take #3 off the table, since it's not the prefs i select which
give rise to #3 -- rather, it's the prefs others select.  the mere existence
and availability of, as well as the default of, a feature whereby NXDOMAIN is
remapped to NOERROR/ANCOUNT>0 with an A RR pointing at an "ad server" will
have the effect of disincenting future non-web applications from using DNS.
the thinking is, "if this name is wrong, i'm going to get back a funny A RR
rather than an NXDOMAIN, which i'll then have to code workarounds for."

> This should also make clear that a Site Finder comparison is inappropriate.

according to http://www.icann.org/committees/security/ssac-report-09jul04.pdf
and http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html, the above
stated concern also applied to sitefinder.

> Back to our regularly scheduled DNSSEC threads... ;-)

not so fast.
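
The kind of workaround described above, as an added example that is not part of the original message: a non-web client parses the RCODE and answer section itself, learns which addresses a resolver hands back for names known not to exist, and maps such answers back to NXDOMAIN. All names, addresses and helper functions here are constructed for illustration, and the responses are built inline rather than captured.

```python
import struct

NOERROR, NXDOMAIN = 0, 3

def build_response(qname, rcode, a_records=()):
    """Build a minimal DNS response (constructed sample data, not captured traffic)."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(a_records), 0, 0)
    for label in qname.split("."):
        msg += bytes([len(label)]) + label.encode()
    msg += b"\x00" + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN
    for ip in a_records:                                # owner name = pointer to the question
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, ip.split(".")))
    return msg

def skip_name(msg, off):
    """Step over an encoded name (labels or a compression pointer)."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Return (RCODE, [A record addresses]) for one response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(map(str, msg[off + 10:off + 14])))
        off += 10 + rdlen
    return flags & 0xF, addrs

def learn_rewrite_targets(probe_responses):
    """Addresses returned, instead of NXDOMAIN, for names known not to exist."""
    parsed = map(parse_response, probe_responses)
    return {a for rcode, addrs in parsed if rcode == NOERROR for a in addrs}

def effective_rcode(msg, targets):
    """Treat NOERROR answers consisting only of rewrite targets as NXDOMAIN."""
    rcode, addrs = parse_response(msg)
    if rcode == NOERROR and addrs and set(addrs) <= targets:
        return NXDOMAIN  # heuristic: a real host on a target address is misclassified too
    return rcode
```

The learned target set has to be refreshed per resolver, which is the extra burden on every non-web client that the message objects to.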

