Please don't get me wrong, I am really upset about VeriSign's "coup",
but there is more to fix than just .com/.net and not all white hats
are without big black spots ...
Right. This is why ISC is working on a real solution to the
overall problem. According to the article by Declan McCullagh at
<http://news.com.com/2100-1032_3-5077530.html>, there should be a fix
for this published by tomorrow.
the expectations for .com and .net to not have wildcards were all set
many years ago, and it's the violation of those expectations that's got
people angry enough to publish patchware about it.
New versions of BIND 9.{1,2,3} have just been released:
-- snip --
In response to high demand from our users, ISC is releasing a patch for
BIND to support the declaration of "delegation-only" zones in
caching/recursive name servers. Briefly, a zone which has been declared
"delegation-only" will be effectively limited to containing NS RRs for
subdomains, but no actual data outside its apex (for example, its SOA RR
and apex NS RRset). This can be used to filter out "wildcard" or
"synthesized" data from NAT boxes or from authoritative name servers
whose undelegated (in-zone) data is of no interest.
-- snip --
--------------------------------------------------------------
from: Jonathan "Chromatix" Morton
mail: chromi(_at_)chromatix(_dot_)demon(_dot_)co(_dot_)uk
website: http://www.chromatix.uklinux.net/
tagline: The key to knowledge is not to rely on people to teach you it.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
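
The filtering rule from the ISC announcement quoted above, modelled as an added example that is not part of the original message and is not BIND's code. The record tuples, function names and sample responses are assumptions made for illustration, and only the answer and authority sections are examined.

```python
# Simplified model of a "delegation-only" filter in a caching resolver.
# Added illustration, not BIND's implementation.
# A record is a tuple (owner, type, rdata); all names here are hypothetical.

def norm(name):
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.rstrip(".").lower()

def is_subdomain(name, zone):
    """True if name is strictly below zone (the apex itself does not count)."""
    name, zone = norm(name), norm(zone)
    return name != zone and name.endswith("." + zone)

def allowed(record, zone):
    """Apex data is allowed; below the apex only NS (delegation) RRs are."""
    owner, rtype, _ = record
    if norm(owner) == norm(zone):
        return True
    return is_subdomain(owner, zone) and rtype == "NS"

def filter_response(zone, response):
    """Return the response unchanged if every answer/authority record is
    permitted for a delegation-only zone, otherwise a synthetic NXDOMAIN."""
    records = response["answer"] + response["authority"]
    if all(allowed(r, zone) for r in records):
        return response
    return {"rcode": "NXDOMAIN", "answer": [], "authority": []}

# Constructed sample responses (documentation names and addresses only).
REFERRAL = {"rcode": "NOERROR", "answer": [],
            "authority": [("example.com.", "NS", "ns1.example.net.")]}
WILDCARD = {"rcode": "NOERROR",
            "answer": [("no-such-name.com.", "A", "192.0.2.1")],
            "authority": []}
APEX = {"rcode": "NOERROR",
        "answer": [("com.", "SOA", "constructed-soa-rdata")],
        "authority": [("com.", "NS", "a.nic.example.")]}

if __name__ == "__main__":
    for label, resp in [("referral", REFERRAL), ("wildcard", WILDCARD),
                        ("apex", APEX)]:
        print(label, "->", filter_response("com", resp)["rcode"])
```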