At 14:18 +0100 9/16/03, Zefram wrote:
> Yes, it is worse. Much worse. There is a fundamental difference between
> this defaulting happening in the DNS and happening in a client program.
> It is necessary that the wire protocols distinguish between existence and
> non-existence of resources in a standard manner (NXDOMAIN in this case)
> in order to give the client the choice of how to handle non-existence.
Here we go with DNS, wild card synthesis and existence again... ;)
I think there are a few separate issues here. One is understanding
the role of 'name errors' (the original name of NXDOMAIN) and wild
card synthesis in DNS. The other is understanding the difference
between DNS and registry contents. The operational issue is the
conditions under which the change was made.
As someone who's spent a lot of time studying DNS and currently is
editing a DNSEXT WG document on the topic of wild cards, what is
going on here is well within the protocol design of DNS. I can't see
an operational issue here either.
Having experience as the co-chair of PROVREG WG, I'd like to make a
case that the DNS isn't the best means to determine if an object
(even if it is a domain name) is registered - it's a first order
guess but not the last word. There are names registered that may not
have working servers (hence suspended from the DNS to prevent lame
delegations) or are otherwise reserved or suspended. There are
plenty of network address objects in use - in routing tables - that
are not in the reverse DNS map. So, to those who were relying on DNS
for "existence" or "legitimacy," perhaps they need to consider an
alternate method. (Namely something like whois or crisp.)
Operationally, at least the change was made on a Monday. But given
that there are other operational systems relying on the existing
conditions, advance notice would have been a good idea. In defense
of not giving the advance notice, it's sometimes not clear who is
impacted by a change because of the open nature of the Internet.
As someone who doesn't run spam tools (others do it for me), it
wasn't obvious to me until I read the threads what impact the
change had on spam defenses. I can understand how someone in the spam
trenches would see the obvious impact, but be patient with others
that are not in the trenches with you.
PS - With DNSSEC, you'll be able to distinguish between synthesized
(wild card) answers and straight answers. If you want to see DNSSEC
because of this, get active in the DNSEXT WG and help the effort
along.
PPS - Maybe this will raise the need for the CRISP WG to develop a protocol.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-703-227-9854
ARIN Research Engineer
Sponge Bob Square Pants? I'm still trying to figure out the Macarena.
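The distinction the thread turns on (a name error, RCODE 3 / NXDOMAIN, versus a NOERROR answer that a wildcard synthesized for a name nobody registered) is visible only in the wire protocol, and without DNSSEC a client can at best infer synthesis by probing. The following is an added example, not code from anyone in this thread: it hand-builds DNS response messages for offline use (the names under `example.` and the 192.0.2.0/24 addresses are constructed placeholders), classifies them as NXDOMAIN, NODATA or ANSWER, and applies a random-label probe heuristic to flag an answer that is probably wildcard synthesis. The heuristic is an assumption of this example, not a proof of non-existence; only DNSSEC (as the PS notes) can prove whether an answer was synthesized.

```python
"""Classify DNS responses and flag probable wildcard synthesis.

Added example for this thread; the messages are constructed inline so
the code runs offline and never touches a real resolver.
"""
import os
import struct

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3   # "name error" in RFC 1035 terms


def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a wire-format name (handles compression pointers)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)


def build_response(qname, rcode, answers=()):
    """Constructed response: QR/RD/RA set, one question, A records (TTL 0)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, IN
    for owner, ip in answers:
        body += encode_name(owner) + struct.pack("!HHIH", 1, 1, 0, 4)
        body += bytes(int(o) for o in ip.split("."))
    return hdr + body


def parse_response(msg):
    """Return qname, RCODE and the A records in the answer section."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                       # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((owner, ".".join(str(b) for b in rdata)))
    return {"qname": qname, "rcode": flags & 0x000F, "answers": answers}


def classify(resp):
    """NXDOMAIN is the protocol's statement of non-existence; a NOERROR
    answer for an unregistered name is what wildcard synthesis produces."""
    if resp["rcode"] == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if resp["rcode"] == RCODE_NOERROR:
        return "ANSWER" if resp["answers"] else "NODATA"
    return "ERROR"


def random_probe_name(zone):
    """A label that nobody could plausibly have registered."""
    return os.urandom(8).hex() + "." + zone.rstrip(".") + "."


def looks_synthesized(target_resp, probe_resp):
    """Heuristic (an assumption of this example): if a random label under
    the same zone resolves to the same address set as the target, the
    target's answer was most likely synthesized by a wildcard and says
    nothing about whether the name is registered."""
    if classify(target_resp) != "ANSWER" or classify(probe_resp) != "ANSWER":
        return False
    target_ips = {ip for _, ip in target_resp["answers"]}
    probe_ips = {ip for _, ip in probe_resp["answers"]}
    return target_ips == probe_ips
```

Note that a synthesized record carries the query name as its owner, not `*.zone`, so the owner name alone cannot reveal synthesis; that is exactly why the probe (or DNSSEC's NSEC proof) is needed.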