
RE: [Fwd: [Asrg] Verisign: All Your ...

2003-09-16 15:07:46
Are there just a couple of DNS server(s) per ISP?  Do they run VPNs to
sync up with the central DNS servers so that DNS spoofing is limited &
DNS synchronization encrypted?

Should be an easy solution for DNS spoofing except for public IP
addresses which home users get.  Again, they would be registered, so
spoofing them would be difficult?

--
Atul

P.S: The opinions are my opinion and my responsibility.

-----Original Message-----
From: Edward Lewis [mailto:edlewis(_at_)arin(_dot_)net] 
Sent: Tuesday, September 16, 2003 11:19 AM
To: ietf(_at_)ietf(_dot_)org
Cc: Edward Lewis
Subject: Re: [Fwd: [Asrg] Verisign: All Your ...

At 13:12 -0400 9/16/03, Keith Moore wrote:
> I strongly disagree.  The DNS is the ultimate authority on whether a
> domain exists, since the way you create a domain is by making an entry
> in the DNS.    Making existence of a domain depend on a separate
> registry makes no sense and is inconsistent with longstanding practice.

DNS is the ultimate authority on whether there is a DNS answer to a 
DNS query, but that's about it.  What a DNS server answers is based 
on what is in the registry it represents.

To quote what I wrote on the provreg list in
    http://www.cafax.se/ietf-provreg/maillist/2001-09/msg00164.html:

"DNS names [...] are limited to 255 octets, which is about 2K bits, 
and 2^2k possibilities minus special cases.  Boom - all names exist."

The point is, before saying that DNS makes any statement about 
"existence" you need to define "exists for what purpose."  In the 
message above, it was "exists so that I can't register it."  In the 
wcard clarify draft in DNSEXT, it's "exists for the purposes of 
ruling out synthesis of the answer."

> that's not the same thing at all.  DNS is not the authority for whether
> a device is connected to the net.  DNS is the authority on whether a
> DNS name exists.

In engineering the DNS, "com." has been and still is a peculiar case 
and there has been the temptation to tailor the DNS protocol to 
accommodate it.  The community has said time and again not to do so - 
not to treat that zone (and the others growing like it) as special 
cases.  I think turnabout is fair play - that we not restrict "com." 
and the others from using what's in DNS protocol.

I'm neither endorsing nor criticizing what has been added to "com." 
and "net."  Let's just be fair, accurate, and on-topic (like, 
protocols) in the discussion.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                            +1-703-227-9854
ARIN Research Engineer

Sponge Bob Square Pants?  I'm still trying to figure out the Macarena.
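The "exists for the purposes of ruling out synthesis" definition Lewis points at above is concrete enough to code. What follows is an added example written for this page, not code from any participant in the thread or from Verisign; it implements the matching rule of the DNSEXT wildcard-clarify draft he mentions (later published as RFC 4592) over a small constructed zone under the reserved name example. The zone contents, the 192.0.2.0/24 addresses and the function names are all made up for the illustration.

```python
"""Wildcard synthesis and name "existence" in an authoritative DNS zone.

Added example for this thread, not code from any participant. It implements
the matching rule of the DNSEXT wildcard-clarify draft (later RFC 4592): a
wildcard may synthesize an answer only when the query name does not exist,
and a name "exists" if it owns records or is an empty non-terminal (an
ancestor of a name that owns records). The zone below is constructed.
"""

# Owner names are label tuples, most significant label first, so that
# "is an ancestor of" becomes a tuple-prefix test. One rdata string per
# type keeps the example short (real RRsets hold many records).
APEX = ("example",)
ZONE = {
    ("example",): {"SOA": "ns1.example. hostmaster.example. 1 3600 900 604800 86400",
                   "NS": "ns1.example."},
    ("example", "*"): {"A": "192.0.2.1"},           # the wildcard
    ("example", "www"): {"A": "192.0.2.2"},
    ("example", "mail"): {"MX": "10 mx.example."},  # exists, but owns no A
    ("example", "a", "b"): {"A": "192.0.2.3"},      # makes a.example an empty non-terminal
}


def labels(name):
    """'b.a.example.' -> ('example', 'a', 'b'); case-folded, trailing dot optional."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def name_exists(zone, owner):
    """Exists for the purpose of ruling out synthesis: the name owns records,
    or it is an ancestor of a name that does (an empty non-terminal)."""
    return any(n[:len(owner)] == owner for n in zone)


def closest_encloser(zone, qname, apex):
    """Longest proper ancestor of qname that exists; at worst the apex itself."""
    for i in range(len(qname) - 1, len(apex) - 1, -1):
        if name_exists(zone, qname[:i]):
            return qname[:i]
    return apex


def lookup(name, qtype, zone=ZONE, apex=APEX):
    """Return (rcode, rdata, synthesized). NOERROR with rdata None is a NODATA
    response: the name exists but owns no record of the requested type."""
    qname = labels(name)
    if qname[:len(apex)] != apex:
        return ("REFUSED", None, False)       # not authoritative for this name
    if name_exists(zone, qname):
        # Exact match or empty non-terminal: the wildcard is never consulted.
        rdata = zone.get(qname, {}).get(qtype)
        return ("NOERROR", rdata, False)
    source = closest_encloser(zone, qname, apex) + ("*",)  # source of synthesis
    if source not in zone:
        return ("NXDOMAIN", None, False)
    rdata = zone[source].get(qtype)
    return ("NOERROR", rdata, rdata is not None)  # synthesized, or NODATA via the wildcard


if __name__ == "__main__":
    for qname, qtype in [("www.example", "A"), ("host.example", "A"),
                         ("a.example", "A"), ("mail.example", "A"),
                         ("x.a.example", "A"), ("host.example", "MX")]:
        print(f"{qname:14} {qtype:3} -> {lookup(qname, qtype)}")
```

The interesting rows are a.example and x.a.example: a.example owns nothing, yet it exists as an empty non-terminal because b.a.example does, so the answer is NODATA rather than the wildcard's 192.0.2.1; and x.a.example gets NXDOMAIN because its closest encloser is a.example, under which no wildcard is defined. Whether a name "exists" in Lewis's sense therefore depends entirely on what else the registry put into the zone, not on the name alone.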