[dns-operations] Getting rid of ISP's recursive DNS servers? (Was: Eircom "DNS Attacks" ?)

Paul Vixie vixie at isc.org
Mon Jul 20 22:46:05 UTC 2009


> Date: Mon, 20 Jul 2009 20:32:08 +0200
> From: "Barber, Piet" <pbarber at verisign.com>
> ...
> ( Thank you _LDAP._TCP., .WPAD, .local and .localhost )

i'm expecting that someday the presence of a signed validated NSEC covering
.WPAD will be used as an excuse by caching validators not to query for any
of the subdomains thereof.  in this small way, DNSSEC will help clean up a
part of DNS that's not strictly security-related, that being that when we
see an NXDOMAIN for FOO.WPAD we do not receive an indication that .WPAD is
what does not exist.  (NXDOMAIN should have been scoped; DNSSEC can someday
become a workaround for this.)

> ...
> In our research for a root traffic and negative caching and such, it
> wasn't always a failure of NXDOMAIN that caused a re-query, but instead,
> a failure of different sorts.  RFC 4697, written a few years ago, still
> holds true for most of the junk-queries we get, especially those name
> servers stuck behind an improperly-configured ACL or firewall that won't
> let the answers get back to iterative resolver sending us the queries in
> the first place. 

sing it, brother!
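As an added illustration of the NSEC point above (example code, not part of this list post): a small Python model of a validating cache that uses a cached, validated NSEC to synthesize NXDOMAIN for names under a nonexistent TLD such as .WPAD, and that reports which ancestor the NSEC actually proves absent, the scoping a bare NXDOMAIN lacks. The NSEC owner/next names and type bitmap are constructed for the example; real root-zone neighbours of "wpad." differ.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

def labels(name: str) -> List[bytes]:
    """Labels of a dotted name, root-most first and lowercased (RFC 4034 §6.1)."""
    name = name.rstrip(".").lower()
    return [l.encode("ascii") for l in reversed(name.split("."))] if name else []

def canonical_cmp(a: str, b: str) -> int:
    """Canonical DNS ordering: compare label by label from the root downward."""
    la, lb = labels(a), labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

def is_subdomain(name: str, ancestor: str) -> bool:
    ln, la = labels(name), labels(ancestor)
    return len(ln) > len(la) and ln[:len(la)] == la

@dataclass
class NSEC:
    owner: str
    next_name: str
    types: FrozenSet[str] = frozenset()  # type bitmap of the owner name

    def covers(self, qname: str) -> bool:
        """True if this NSEC proves qname does not exist in its zone."""
        # RFC 6840 §4.4: an NSEC at a delegation (NS, no SOA) proves nothing below the cut.
        if "NS" in self.types and "SOA" not in self.types and is_subdomain(qname, self.owner):
            return False
        if canonical_cmp(self.owner, self.next_name) < 0:
            return canonical_cmp(self.owner, qname) < 0 and canonical_cmp(qname, self.next_name) < 0
        # The zone's last NSEC wraps around to the apex.
        return canonical_cmp(self.owner, qname) < 0 or canonical_cmp(qname, self.next_name) < 0

def ancestors(qname: str) -> List[str]:
    # Shortest first: 'foo.wpad.' -> ['wpad.', 'foo.wpad.']
    parts = qname.rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]

def synthesize_nxdomain(cache: List[NSEC], qname: str) -> Optional[str]:
    """Shortest ancestor of qname that a cached NSEC proves nonexistent, else None."""
    # That ancestor is what a bare NXDOMAIN leaves unsaid; knowing it, the cache can
    # answer NXDOMAIN for every name beneath it without another upstream query.
    for name in ancestors(qname):
        if any(rr.covers(name) for rr in cache):
            return name
    return None

# Constructed sample: a root-zone style NSEC whose gap contains "wpad."
# (the neighbouring owner/next names are made up for this example).
ROOT_CACHE = [NSEC("wiki.", "ws.", frozenset({"NS", "DS", "RRSIG", "NSEC"}))]
```

For "foo.wpad." the cache returns "wpad." as the proven-absent ancestor and can answer without querying; for "www.wiki." it returns None, because the NSEC sits at a delegation and says nothing about the child zone.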


