[dns-operations] No to port blocking! (Was: Why would an MTA issue an ANY query instead of an MX query?)
warren at kumari.net
Tue Jun 12 14:54:21 UTC 2012
On Jun 12, 2012, at 4:14 AM, Stephane Bortzmeyer wrote:
> On Tue, Jun 12, 2012 at 03:32:56AM +0000,
> Vernon Schryver <vjs at rhyolite.com> wrote
> a message of 76 lines which said:
>> Joe and Joan should be using their ISP's validating, load balancing,
>> well (or at least somewhat) maintained DNS servers, just as they
>> should be using their ISP's SMTP systems.
> A strong NO here.
> Politically, it would be a big nail in Net
> Neutrality's coffin. Also, many ISPs have lying resolvers and customers
> should NOT use them. From a security perspective, it would be
> catastrophic since the last mile is not secured, so the only safe way
> to run DNSSEC is to validate locally (which requires access to port 53
> if the ISP resolver is lying).
And it seems that the huge majority of "lying" is being performed at the ISP resolvers.
See the numerous papers on "NXDOMAIN rewriting", Paxfire / Xerocole / Barefruit, etc, one of the better of which is
Christian, Nicholas and Vern's "Redirecting DNS for Ads and Profit" ( http://www.icir.org/christian/publications/2011-foci-dns.pdf )
There are also a huge number of really poorly run (and slow!) ISP recursive resolvers.
Having the ability to run your own validating recursive is critical…
> I leave these proposals to MAAWG and the Chinese government.
"Go on, prove me wrong. Destroy the fabric of the universe. See if I care." -- Terry Pratchett
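The "NXDOMAIN rewriting" the message refers to can be checked for with a probe query: ask the resolver for a random label that cannot exist and see whether it returns an honest NXDOMAIN (RCODE 3, empty answer section) or a synthesized A record pointing at the operator's search or ad portal. The following script is an added example, not code from the original thread or from the cited paper; it builds the query in DNS wire format, parses the reply (including compression pointers in answer names), and classifies it. The zone `example.com`, the address `198.51.100.7` and the two sample replies are constructed for the example; `probe_resolver()` is the live variant and is not run at import time.

```python
"""Detect NXDOMAIN rewriting ("lying resolvers") with a probe query.

Added example, not from the original mailing-list thread. A random label
under a real zone cannot exist, so the only honest reply is RCODE 3 with
no answers. A resolver that instead returns RCODE 0 plus an A record is
rewriting NXDOMAIN. Sample names, addresses and wire-format replies here
are constructed for the example.
"""
import secrets
import socket
import struct


def build_query(name, qtype=1, txid=None):
    """DNS query in wire format: random ID, RD=1, one IN question."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Parse header, skip the question, collect A records from the answer section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # QTYPE + QCLASS
    a_records = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            a_records.append(socket.inet_ntoa(rdata))
    return {"txid": txid, "rcode": flags & 0x0F, "ad": bool(flags & 0x0020),
            "answers": an, "a_records": a_records}


def classify(resp):
    """Verdict for a reply to a query whose name is known not to exist."""
    if resp["rcode"] == 3 and resp["answers"] == 0:
        return "honest NXDOMAIN"
    if resp["rcode"] == 0 and resp["a_records"]:
        return "REWRITTEN: " + ", ".join(resp["a_records"])
    return "unexpected (rcode=%d, answers=%d)" % (resp["rcode"], resp["answers"])


def build_response(query, rcode, a_records=()):
    """Constructed reply for testing: same ID and question, QR/RD/RA set, optional A RRs."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                   for ip in a_records)
    return header + question + rrs


def probe_resolver(resolver_ip, zone="example.com", timeout=3.0):
    """Live check (uses the network): query resolver_ip:53 for a random label under zone."""
    q = build_query(secrets.token_hex(8) + "." + zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["txid"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction ID mismatch; discarding reply")
    return classify(resp)


# Offline demonstration with constructed replies to one probe query.
PROBE = build_query("7f3a9c2e1b5d0f4a.example.com", txid=0x1234)
HONEST_REPLY = build_response(PROBE, rcode=3)
REWRITTEN_REPLY = build_response(PROBE, rcode=0, a_records=["198.51.100.7"])

if __name__ == "__main__":
    print("honest resolver :", classify(parse_response(HONEST_REPLY)))
    print("rewriting resolver:", classify(parse_response(REWRITTEN_REPLY)))
```

Run `probe_resolver("192.0.2.53")` (any resolver address) against the ISP resolver and against a local validating recursive to compare; a random label under a zone you control avoids false positives from wildcard records in zones you do not.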