North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: On-going Internet Emergency and Domain Names
> ... > Back to reality and 2007: > In this case, we speak of a problem with DNS, not sendmail, and not bind. > > As to blacklisting, it's not my favorite solution but rather a limited > alternative I also saw you mention on occasion. What alternatives do you > offer which we can use today? on any given day, there's always something broken somewhere. in dns, there's always something broken everywhere. since malware isn't breaking dns, and since dns not a vector per se, the idea of changing dns in any way to try to control malware strikes me as a way to get dns to be broken in more places more often. in practical terms, and i've said this to you before, you'll get as much traction by getting people to switch from windows to linux as you'd get by trying to poison dns. that is, neither solution would be anything close to universal. that rules it out as an "alternative we can use today". but, isp's responsible for large broadband populations could do this in their recursion farms, and no doubt they will contact their dns vendors to find a way. BIND9, sadly, does not make this easy. i'll make sure that poison at scale makes the BIND10 feature list, since clustering is already coming. at the other end, authority servers which means registries and registrars ought, as you've oft said, be more responsible about ripping down domains used by bad people. whether phish, malware, whatever. what we need is some kind of public shaming mechanism, a registrar wall of sheep if you will, to put some business pressure on the companies who enable this kind of evil. fundamentally, this isn't a dns technical problem, and using dns technology to solve it will either not work or set a dangerous precedent. and since the data is authentic, some day, dnssec will make this kind of poison impossible.