[dns-operations] DNS whitelisting

Gadi Evron ge at linuxbox.org
Tue Mar 7 22:44:56 UTC 2006


David Ulevitch wrote:
> 
> On Mar 7, 2006, at 2:04 PM, Gadi Evron wrote:
> 
>> Okay, well - not on the protocol level, a DNS server which is registered
>> with a white-list is one more reason to "trust" it. You don't have to
>> have every DNS server in the world. The ones we may have on such a list
>> will still be of some added value.
> 
> 
> Note: The good authoritative DNS servers rarely change, occasional
> additions.  The bad authoritative DNS servers change with extreme
> frequency in the range of hours or minutes.
> Remember how fast flux uses this in the same way for A records and such
> -- it also happens to NS records, albeit a bit slower.  I, and others,
> are now tracking this. (more to come later)
> 
>> Caveats:
>> Defining what Trust is, i.e., can be as simple as checked once a week to
>> make sure it doesn't allow relay from the world.
> 
> 
>> It's a use-if-you-like list, I don't see it as a FUSSP and it's a good
>> start for a future blacklisting possibility to page the community.
> 
> 
> When things don't work because some network operator is blocking your
> listed DNS resolver I doubt the first thing anyone will think is "Gee,
> I must be running an open DNS resolver and thus have been added to a
> blacklist."  That comes about 1000th after "check cables, whois, zones,
> power, ping, gods, demons, daemons, karma, lottery numbers, weather, etc."

I am not arguing the blacklist point, see the subject line.
:)

> linuxbox.org was an open DNS relay -- should I really be blocking its
> users from resolving our ~1,000,000 resource records at everydns?  I
> don't think so.  Plus, how would you ever be able to send me email
> again? ... on second thought... j/k :-)

What you see and what you think you see are not always the same thing. :)

Not everything has to be a honeypot, either.
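
The "checked once a week to make sure it doesn't allow relay from the world" test discussed above, as an added example that is not part of the original post or of any list maintained by the people in this thread: it sends a single RD=1 query for a name the target is not authoritative for and reads the RA bit, RCODE and answer count from the reply. The probe name (example.com), the 3-second timeout and the classification labels are assumptions chosen for illustration; the wire format itself is plain RFC 1035.

```python
"""Open-recursion check for a DNS server (added example, not from the post).

A server that recurses for arbitrary clients ("allows relay from the world")
will answer an RD=1 query for a foreign name with RA set, RCODE 0 and at
least one answer.  A server that only serves its own zones typically returns
REFUSED, or clears RA and gives no answer.  Assumptions: the probe name is a
zone the target does NOT host, and the target speaks plain UDP/53.
"""
import random
import socket
import struct

PROBE_NAME = "example.com."   # assumption: a name the target is not authoritative for
PROBE_TIMEOUT = 3.0           # assumption: seconds to wait for a UDP reply


def build_query(qname, qid, rd=True):
    """Build a minimal DNS query for an A record with the RD bit set."""
    flags = 0x0100 if rd else 0x0000            # QR=0, opcode=QUERY, RD=1
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    question += struct.pack("!HH", 1, 1)         # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(resp):
    """Decode the 12-byte DNS header into the fields the check needs."""
    if len(resp) < 12:
        raise ValueError("truncated DNS response")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def classify(qid, resp):
    """Say what a reply tells us about recursion for outside clients."""
    h = parse_header(resp)
    if h["id"] != qid or not h["qr"]:
        return "unexpected"               # wrong ID or not a response: ignore it
    if h["rcode"] == 5:
        return "refused"                  # REFUSED: recursion denied to this client
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursive"           # recursed and answered for a foreign name
    if not h["ra"]:
        return "recursion-not-available"  # RA cleared: not offering recursion
    return "inconclusive"                 # RA set but no usable answer (e.g. SERVFAIL)


def probe(server_ip, qname=PROBE_NAME, timeout=PROBE_TIMEOUT):
    """Send one query over UDP/53 and classify the reply (needs network)."""
    qid = random.randrange(0, 0x10000)
    query = build_query(qname, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify(qid, resp)


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:
        print(ip, probe(ip))
```

Two caveats a weekly run should respect: a name inside a zone the target hosts proves nothing (authoritative data is returned with or without recursion), and a server that sets RA but refuses outside clients still shows up as "refused" or "inconclusive", not as "open-recursive". Only the combination of RA, RCODE 0 and a non-empty answer section for a foreign name is treated as evidence of an open resolver.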
