ietf

Re: [Fwd: [Asrg] Verisign: All Your ...

2003-09-16 08:11:46

On Tue, 16 Sep 2003, Bruce Campbell wrote:

> On Tue, 16 Sep 2003, Edward Lewis wrote:
>
> > At 14:18 +0100 9/16/03, Zefram wrote:
> > > It is necessary that the wire protocols distinguish between existence and
> > > non-existence of resources in a standard manner (NXDOMAIN in this case)
> > > in order to give the client the choice of how to handle non-existence.
> >
> > [ on dns not the best choice for authoritative non-existence ]
> >
> > are not in the reverse DNS map.  So, to those who were relying on DNS
> > for "existence" or "legitimacy," perhaps they need to consider an
> > alternate method.  (Namely something like whois or crisp.)
>
> I'm not sure whether that's a good idea.  The main fuss at the moment,
> apart from Verisign acting without consultation, is that a lot of
> automated software makes the assumption that 'NXDOMAIN' means 'Does Not
> Exist'.  Adding the wildcard removes this assumption, and removes DNS as a
> useful stateless low-overhead method of existence-verification.

Err, actually, it's the opposite that they are assuming. They assume that
lack of an NXDOMAIN means the domain does exist. That is an invalid
assumption.

> For these items of software to change from using a stateless method of
> existence-verification with low overhead, to using a semi-stateless method
> of existence-verification with high overhead, is something akin to the Y2K
> bug in scope, albeit without all the hype.

The correct way to check for "domain existence" for email is to look up an
MX record.

> Operationally, having one's not-low-overhead whois server being hit by
> automated queries solely for existence-verification is a terrible state of
> affairs.

One shouldn't be doing whois queries. One just wants to know if the domain
of the sender can receive email back.

                --Dean
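Dean's point above, that the mail-relevant existence check is an MX lookup (falling back to the domain's own address record under RFC 2821's implicit-MX rule) and that the mere absence of NXDOMAIN proves nothing once a registry adds a wildcard, as an added Python example that is not from this thread. The resolver is injected so it runs offline; the zone contents, the wildcard TLD and the random-sibling wildcard probe are constructed assumptions, not real DNS data.

```python
import secrets
from dataclasses import dataclass

NXDOMAIN = "NXDOMAIN"  # sentinel a resolver returns for a name that does not exist

@dataclass(frozen=True)
class Verdict:
    exists: bool
    reason: str
    mail_hosts: tuple = ()

def parent_of(name: str) -> str:
    return name.partition(".")[2]

def looks_wildcarded(resolve, domain: str, rrtype: str, answer) -> bool:
    # Assumed heuristic: query a random sibling label under the same parent.
    # If that bogus name gets the identical answer, the zone is synthesising
    # records via a wildcard, so a non-NXDOMAIN reply proves nothing.
    probe = f"{secrets.token_hex(8)}.{parent_of(domain)}"
    return resolve(probe, rrtype) == answer

def can_receive_mail(resolve, domain: str) -> Verdict:
    # resolve(name, rrtype) -> list of RDATA strings, [] for NODATA, or NXDOMAIN
    mx = resolve(domain, "MX")
    if mx == NXDOMAIN:
        return Verdict(False, "NXDOMAIN")
    if mx:
        if looks_wildcarded(resolve, domain, "MX", mx):
            return Verdict(False, "wildcard-synthesised MX")
        return Verdict(True, "MX", tuple(sorted(mx)))
    # No MX RRset: RFC 2821 implicit MX, fall back to the domain's own A record
    a = resolve(domain, "A")
    if a == NXDOMAIN or not a:
        return Verdict(False, "no MX and no A")
    if looks_wildcarded(resolve, domain, "A", a):
        return Verdict(False, "wildcard-synthesised A")
    return Verdict(True, "implicit MX (A)", tuple(sorted(a)))

# Constructed stand-in for DNS so the logic runs offline; not real zone data.
FAKE_ZONE = {
    ("example.com", "MX"): ["mail.example.com"],
    ("nomx.example.org", "MX"): [],  # exists, but publishes no MX
    ("nomx.example.org", "A"): ["192.0.2.20"],
}
WILDCARD_TLD = "test"  # every name under it gets a synthesised A record

def fake_resolve(name: str, rrtype: str):
    if name.endswith("." + WILDCARD_TLD):
        return ["192.0.2.99"] if rrtype == "A" else []
    return FAKE_ZONE.get((name, rrtype), NXDOMAIN)
```

With a real resolver in place of fake_resolve, the same decision logic applies; the sibling probe costs one extra query per check.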