[dns-operations] Best Practices in DNS security

Paul Vixie paul at vix.com
Mon Mar 20 04:48:17 UTC 2006


it's tomorrow now (UTC), relatively speaking, compared to when i wrote...

# > i usually don't answer somebody who sends five messages to the same
# > mailing list in a matter of a few hours,

...so i'll chip in another tidbit.

# Sorry about that but this is really a quite important issue to me so please
# make this one last exception.

no, geo, i will make no exceptions in your case.  you're welcome to post here
as long as you remain polite (which you are) and on-topic (which you've been)
but i am done corresponding with you on this topic.

instead i'll tell you what i told gadi evron and joe greco: do your homework,
pay attention, listen to what's being said around you, and when you can show
me that you're able to learn about DNS and able to ask intelligent questions
about DNS, i will be willing to try once again to talk to you about DNS.

note that i say that as an individual contributor, not as any kind of
moderator.  you have been polite, professional, and on-topic; no censure or
censorship is expressed or implied.  i'm just telling you, one individual
contributor to another, that you're not tall enough yet to ride this roller
coaster.

for example:

# > Mr. A runs a non-BCP38 network.
# 
# Mr A is the problem, let's deal with Mr A and leave the others alone. B and C
# are both victims.

your proposed approach for learning Mr. A's identity won't work.  moreover,
since UUNET-WorldCom-MCI is one such, and since we know that virtually nobody
will shun AS701 for its non-BCP38 behaviour, we therefore already know that
the identities of the world's collected Mr. A's will help us not at all.  (if
you shun traffic from some Mr. A's but not others, then the ones you shun can
get a TRO against you in a new york nanosecond on the basis of your selective
enforcement.)  (if you have no viable plan for using data, don't collect it.)

this is a deep technical topic full of many subtleties and landmines, and is
not going to reveal its marvelous internal nature to anyone who isn't willing
to put quite a lot more thought-rigor into it than you have shown me here.  i
have diligently answered your questions and complaints and suggestions, and
you have nevertheless continued stating the same questions and complaints and
suggestions, and that was all the faith, hope, and charity i had for you on
this topic for this moment.
