
RE: [Fwd: [Asrg] Verisign: All Your ...

2003-09-23 21:47:03
Most of this is becoming tedious and circular. Different people are
posting the same canards.  But I don't want people to go away with the
impression that I didn't use precise language to explain things. E.g.
"domain names" in place of "domains", or "registry of domain names" in
place of "registry".

On Wed, 24 Sep 2003, Laird, James wrote:

> Dean wrote:
> > The fact still remains that DNS entries do not necessarily imply
> > registration, and that the DNS protocol cannot be used to make registry
> > queries.

> This is getting so far from the topic it's not funny.
>
> Do any of the systems broken by Verisign try and do REGISTRY queries through
> DNS? No. So how is this relevant AT ALL to what Verisign have done?

The broken systems attempt to abuse DNS _protocol_ queries to find out
whether a domain name exists in a "registry of domain names". The DNS
protocol cannot be used to make such checks.

The correct way to do this is through registry queries. The question of
whether a domain name accepts email for a particular email address cannot
be answered through DNS protocol queries.

The broken systems are not broken by Verisign. They are broken by the fact
that they depend on false assumptions about what DNS protocol can reveal
about a registry of domain names.

> You also keep saying how Verisign are operating completely within the
> DNS protocol. Yes, they are.

Good. We agree on that.

> But so are programs that use DNS lookup to determine the existence of
> the domain!

No, you cannot use DNS protocol queries to determine the existence or
registration of a domain name in a registry of domain names.

> (not its registered status - that is IRRELEVANT to a user
> program, hadn't you noticed?) The protocol specifies NXDOMAIN for this
> very reason.

When you get an NXDOMAIN DNS protocol reply, the DNS protocol (RFC 1034,
etc) defines a specific meaning. But when you don't get NXDOMAIN, there is
no meaning to be implied.  This is a fact due to the inclusion of wildcard
records in the DNS protocol. It is true of all queries, to which there may
be a wildcard response. That is to say, it is true of all queries.

What the abusers demand is that wildcards be removed, and NXDOMAIN be
required as the response. This is a DNS protocol change that has not been
approved by any DNS working group, nor by any proper IETF decision
process.  Because the abusers know they will not succeed using proper
procedures, they are trying improper procedures, such as altering software
and organizing illegal boycotts, and illegal tampering with electronic
communications.

> This (obviously enough) can lead to conflicts - this is
> where external guidelines come in to ensure compatibility. Now, in this
> case there were none. So the IAB came up with some: don't play with
> wildcards!

The IAB hasn't come up with anything, except a poorly written
"commentary", full of false statements and hyperbole, and almost
completely devoid of the facts one expects from an engineering group.
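The protocol point argued above (NXDOMAIN, RCODE 3 in RFC 1035, has a defined meaning; a positive answer carries no indication of whether a wildcard synthesized it) can be seen on the wire. The following is an added example written for this archive page; it is not code from this message, from Verisign, or from any of the mail systems discussed. It builds and parses constructed DNS response messages (no network traffic is captured or sent), simulates a zone in which `example.com` is a real name and everything else under `com` is answered by a wildcard, and uses the hypothetical names and RFC 5737 TEST-NET addresses shown in the comments. It also shows the only thing a program *can* do, a random-label probe to learn the wildcard's address and compare, and why that remains a heuristic rather than a registry query.

```python
import secrets
import string
import struct

NXDOMAIN = 3  # RCODE "name error", RFC 1035 section 4.1.1

# Constructed zone data (assumption for the example, not real DNS contents).
REAL_NAMES = {"example.com.": "192.0.2.10"}      # TEST-NET-1 address
WILDCARD_ZONES = {"com.": "198.51.100.1"}        # TEST-NET-2 address


def build_name(name):
    """Encode a dotted name into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, rcode, answers):
    """Construct a DNS response: one question, optional A-record answers."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    question = build_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    rrs = b""
    for owner, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        rrs += build_name(owner) + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + question + rrs


def read_name(msg, off):
    """Decode a name at offset off, following compression pointers."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def parse_response(msg):
    """Return the RCODE and the (owner, address) pairs of A records in the answer."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                   # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            answers.append((owner, ".".join(str(b) for b in rdata)))
    return {"rcode": flags & 0xF, "answers": answers}


def lookup(name):
    """Simulated resolver over the constructed zone above (no real queries)."""
    if name in REAL_NAMES:
        return build_response(name, 0, [(name, REAL_NAMES[name])])
    for zone, addr in WILDCARD_ZONES.items():
        if name.endswith("." + zone):
            # RFC 1034 4.3.3: the synthesized RR carries the *query* name as owner,
            # so nothing in the message marks it as coming from a wildcard.
            return build_response(name, 0, [(name, addr)])
    return build_response(name, NXDOMAIN, [])


def name_exists_per_dns(msg):
    """What the protocol alone supports: NXDOMAIN is a definite 'no';
    any other answer says nothing about registration, so return None."""
    if parse_response(msg)["rcode"] == NXDOMAIN:
        return False
    return None


def wildcard_address(resolve, zone):
    """Heuristic probe: ask for a random label under zone; an A answer reveals
    a wildcard's address, NXDOMAIN means no wildcard was seen for this probe."""
    probe = "".join(secrets.choice(string.ascii_lowercase) for _ in range(12))
    parsed = parse_response(resolve(probe + "." + zone))
    if parsed["rcode"] == NXDOMAIN or not parsed["answers"]:
        return None
    return parsed["answers"][0][1]


def classify(resolve, name, zone):
    """Combine the protocol-defined NXDOMAIN with the probe heuristic.
    'matches-wildcard' is only a guess: a genuine host that happens to share
    the wildcard's address would be classified the same way."""
    parsed = parse_response(resolve(name))
    if parsed["rcode"] == NXDOMAIN:
        return "nxdomain"
    wc = wildcard_address(resolve, zone)
    if wc is not None and [addr for _, addr in parsed["answers"]] == [wc]:
        return "matches-wildcard"
    return "answered"
```

Running `classify(lookup, "nosuchname.com.", "com.")` yields `"matches-wildcard"` while `classify(lookup, "example.com.", "com.")` yields `"answered"`; the parsed messages for both names differ only in the address, which is exactly why `name_exists_per_dns` returns `None` rather than `True` for either.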