Arvel Hathcock wrote:
Is there a sufficiently useful degree of benefit to warrant the
(considerable) cost of development, deployment, and use?
What is this question in reference to? The notion of NXDOMAIN lookups or
ADSP in general?
Very sorry for being so cryptic. While I view the questions as applicable for
any effort, in this case I meant them with respect to any 'protect the
sub-tree' effort. That was why my following comments referred to cousin names.
Is the benefit long-term?
A cousin domain is sufficiently trivial to use so as to make the intended
protection against use of sub-domains meaningless.
That is just a restatement of the view which asserts that because ADSP
can't protect domains you don't control you therefore needn't bother
protecting those you do.
My point is that the effective "protection" is zero.
While perhaps it closes off some particular names, it does not close off the
class of attack at all.
It is one thing to have a mechanisms that makes it incrementally more
difficult for an attacker to succeed. It is quite another to make it no harder
at all. If all the attacker has to do is register a new name and use a
string-replacement on their previous attack, we do not have any meaningful
So the question is what sort of mechanism is going to benefit from
locking sub-domains, but not cousin domains? How is the benefit
I don't understand the question but I suspect it's a variant of what's
already been asked and answered. Is there something new here?
Asked, yes. Answered, I don't think so.
NOTE WELL: This list operates according to