ietf

Re: [Fwd: [Asrg] Verisign: All Your ...

2003-09-16 13:34:03
> At 13:12 -0400 9/16/03, Keith Moore wrote:
>> I strongly disagree.  The DNS is the ultimate authority on whether a
>> domain exists, since the way you create a domain is by making an
>> entry in the DNS.    Making existence of a domain depend on a
>> separate registry makes no sense and is inconsistent with
>> longstanding practice.

> DNS is the ultimate authority on whether there is a DNS answer to a
> DNS query, but that's about it.  What a DNS server answers is based
> on what is in the registry it represents.

What a DNS server answers is based on what is in the zone it represents.
Not all zones have registries.

> To quote what I wrote on the provreg list in
>     http://www.cafax.se/ietf-provreg/maillist/2001-09/msg00164.html:
>
> "DNS names [...] are limited to 255 octets, which is about 2K bits,
> and 2^2k possibilities minus special cases.  Boom - all names exist."

You didn't actually cite any support for your statement.  And the
existence of the NXDOMAIN response code contradicts that statement.

> The point is, before saying that DNS makes any statement about
> "existence" you need to define "exists for what purpose."

That's beside the point.  NXDOMAIN is still a meaningful condition even
though you can't tell what a domain means if it does exist.

That's not the same thing at all.  DNS is not the authority for
whether a device is connected to the net.  DNS is the authority on
whether a DNS name exists.

> In engineering the DNS, "com." has been and still is a peculiar case
> and there has been the temptation to tailor the DNS protocol to
> accommodate it.  The community has said time and again not to do so -
> not to treat that zone (and the others growing like it) as special
> cases.  I think turnabout is fair play - that we not restrict "com."
> and the others from using what's in DNS protocol.

It is never appropriate to make wildcard assertions about names within a
zone if those assertions are not true.  If all of the names in the
foo.example.com zone will always be associated with address a.b.c.d,
it's reasonable to set up a wildcard A record for that zone.  Otherwise
it is not reasonable.  This is no less true for com or net than for
foo.example.com.

COM and NET are supposed to reflect their respective registries - this
isn't itself a DNS protocol issue but part of the arrangement for
managing those zones.  VeriSign is making assertions about names that
don't exist in the registries.  (It also happens that those assertions
are disruptive to the operation of protocols when those protocols use
names in those zones, and that *is* a protocol issue.)

Keith
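The wildcard argument in the last two paragraphs of Keith's reply turns on how an authoritative server synthesises answers for names that are not in the zone. The following Python is an added example, not part of the original thread or of any VeriSign or IETF code: it models RFC 1034 section 4.3.2 wildcard matching over a constructed slice of a com-like zone (the names and the 192.0.2.x / 203.0.113.x addresses are made up from the documentation ranges) and shows both effects that were being argued about. A typo'd second-level name stops returning NXDOMAIN once `*.com` exists, while names below a registered domain are unaffected because the registered name is the closest encloser and owns no wildcard. The `mail_target_exists` helper is a hypothetical RFC 2821-style MX-then-A check that illustrates the protocol disruption the message mentions; it is not any real MTA's code.

```python
"""Model of RFC 1034 wildcard synthesis in an authoritative zone.

Added example, not from the original thread.  Zone contents below are
constructed for illustration only.
"""
from typing import Dict, List, Optional, Tuple

# A zone maps a lower-cased, fully qualified owner name to {RRTYPE: [rdata, ...]}.
Zone = Dict[str, Dict[str, List[str]]]

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"


def _parent(name: str) -> Optional[str]:
    """Strip the leftmost label: 'a.b.com.' -> 'b.com.' -> '.' -> None."""
    if name == ".":
        return None
    rest = name.split(".", 1)[1]
    return rest if rest else "."


def _name_exists(zone: Zone, name: str) -> bool:
    """RFC 1034: a name exists if it owns RRs or has descendants in the
    zone (an 'empty non-terminal'), even if nothing is stored at it."""
    if name in zone:
        return True
    suffix = "." + name if name != "." else "."
    return any(owner != name and owner.endswith(suffix) for owner in zone)


def lookup(zone: Zone, apex: str, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Answer qname/qtype as an authoritative server would: (rcode, rdata list).

    1. If qname exists, answer from it; an existing name without qtype is
       NODATA, i.e. NOERROR with an empty answer, never NXDOMAIN.
    2. Otherwise find the closest encloser (nearest existing ancestor).  If
       it owns a '*' child, synthesise the answer from that wildcard, which
       covers any number of missing labels.  With no wildcard: NXDOMAIN.
    """
    qname = qname.lower()
    if not (qname == apex or qname.endswith("." + apex)):
        raise ValueError(f"{qname} is not within zone {apex}")
    if _name_exists(zone, qname):
        return NOERROR, list(zone.get(qname, {}).get(qtype, []))
    encloser = _parent(qname)
    while encloser is not None and not _name_exists(zone, encloser):
        encloser = _parent(encloser)
    if encloser is not None and ("*." + encloser) in zone:
        return NOERROR, list(zone["*." + encloser].get(qtype, []))
    return NXDOMAIN, []


def with_wildcard(zone: Zone, apex: str, address: str) -> Zone:
    """Copy of zone plus '*.<apex>' pointing every otherwise nonexistent
    name at `address` (the pattern the thread objects to)."""
    new = {o: {t: list(v) for t, v in rrs.items()} for o, rrs in zone.items()}
    new["*." + apex] = {"A": [address]}
    return new


def mail_target_exists(zone: Zone, apex: str, domain: str) -> bool:
    """Hypothetical RFC 2821-style sender check: MX first, then fall back
    to an A record.  NXDOMAIN is the only signal that the domain is bogus."""
    rcode, mx = lookup(zone, apex, domain, "MX")
    if rcode == NXDOMAIN:
        return False
    if mx:
        return True
    rcode, a = lookup(zone, apex, domain, "A")
    return rcode == NOERROR and bool(a)


# Constructed com-like zone.  Registered names are modelled with A/MX
# records for brevity; a real TLD zone would hold NS records at the cut.
COM_PLAIN: Zone = {
    "com.": {"SOA": ["ns.example.net. hostmaster.example.net. 1 3600 900 604800 86400"]},
    "example.com.": {"A": ["192.0.2.10"], "MX": ["10 mail.example.com."]},
    "mail.example.com.": {"A": ["192.0.2.25"]},
}
COM_WILDCARDED: Zone = with_wildcard(COM_PLAIN, "com.", "203.0.113.1")


if __name__ == "__main__":
    for q in ("example.com.", "exmaple.com.", "www.exmaple.com.", "nosuch.example.com."):
        print(q, "plain:", lookup(COM_PLAIN, "com.", q, "A"),
              "wildcarded:", lookup(COM_WILDCARDED, "com.", q, "A"))
    print("mail to exmaple.com accepted?",
          mail_target_exists(COM_PLAIN, "com.", "exmaple.com."),
          mail_target_exists(COM_WILDCARDED, "com.", "exmaple.com."))
```

Two details are worth noting. A wildcard never overrides an existing name: `example.com.` with no AAAA record still gets NODATA rather than the wildcard address, and `nosuch.example.com.` still gets NXDOMAIN because `example.com.` (not `com.`) is its closest encloser. And the MX query for a typo'd domain returns NODATA rather than NXDOMAIN once the wildcard exists, so an MX-then-A fallback accepts mail for a domain nobody registered.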