ietf-clear

[ietf-clear] more on no callbacks, please

2004-10-03 18:23:30
Hmmn.  We can't even get people to deploy a new DNS record type within
an existing well defined spec, and you're proposing a new scheme, ...

That's because it means upgrading their DNS server, something no one
wants to do.

I look forward to learning why installing a new service which requires
upgrades to firewalls and NAT is easier than upgrading a DNS server.
I agree that people are reluctant to upgrade a DNS server, but they
seem to me far more reluctant to add a new server with unknown loads
and unknown security issues.

It's time for something new, and there is no real reason why we
shouldn't have a PROPER and DEDICATED service to deal with these
questions rather than tossing it in DNS just because that's easy.
DNS is vulnerable to the very thing you are complaining about, a DoS
attack.

I also look forward to hearing why your new service would be immune to
the attacks that people make on DNS.  If you want to publish
per-domain data, DNS is exactly the right way to do it.  That's what
it's for.  If you think that DNS is supposed to be a static service
that only handles IP addresses and MX records, this might be a good
time to go back and review all of the new DNS types that people have
played with over the years.

Furthermore, who cares if someone uses it to DoS you?  I assure you,
there are FAR better and MORE effective ways to take someone's
connection down,

I'm not saying that bad guys will say "hey, we're going to DDOS John"
and then will send spam designed to make your system attack me.
They'll say "hey, we're going to keep sending lots of spam with forged
return addresses" and then your scheme will by its nature DDOS the
people whose addresses they're forging.

I don't have an OC3, I only have a T1.  That is plenty to handle all
of the mail that I send and receive (even all the incoming spam, for
now at least), but it is nowhere near enough to handle per-message
queries about all of the spam everywhere in the world that happens to
have one of my addresses forged into it.

If you want to build some sort of C/R system, I encourage you ...
charter a C/R working group ...  If people want to try it, fine,
the world can do some experiments to see what happens and a draft
standard will let me know which ports to block in my router.

I've already done this (designed the C/R system).  Whilst you start out
with a great idea, and I'm nodding my head thinking "yeah John is right
I should take that path", you end your paragraph unnecessarily with a
rude and poor attempt at humour, one I do not appreciate and one that is
out of line with your reputation.

I block incoming C/R attempts now and I intend to keep doing so.  It's
pure self defense.  Why do you think I'm joking about blocking DDOSes?

R's,
John