North American Network Operators Group
Re: Root Server Operators (Re: What *are* they smoking?)
- From: Jack Bates
- Date: Wed Sep 17 12:43:46 2003
Aaron Dewell wrote:
> The point is, this makes a reasonable backup plan. Far from ideal, but
> we're dealing with a state-supported monopoly who can do whatever they
> want. Get this in place, then think about how to throw the monopolies
> out. This works in the meantime. They will likely compromise this far,
> even if they won't back down.
I'm thinking security for the long term. Even if com and net are
returned to their non-wildcard states, there are other TLDs which will
continue using wildcards. Subject to a wildcard bit being implemented in
DNS, my suggested method allows for optimum performance and
functionality when DNS is being used as part of a security model.
> The TTL is 15 minutes, so your hypothetical server would be throwing away
> its cache every 15 minutes. Then re-querying everything. You'd have to
> have a _lot_ of outgoing email to justify that.
I don't know about you, but I don't want to cache bogus information for
longer than 15 minutes. If someone sends random-string domains as the
envelope from to my mail server, I want the cache to purge itself
quickly. Yet, if they are sending the same bad address to my mail server
repetitively, I want my cache to hold the record briefly; say 15
minutes. I'd hate to see a spammer issuing jlkfsjklfsj.com 5,000 times
to my mail server in rapid succession and my recursor have to ask for it
every time. On the other side, I would hate to cache 100,000 bogus
domains for 1 day, wasting cache.
> This solution still requires increased overhead, and more modifications
> to BIND. Which has more impact on your server, this BIND overhead, or one
> additional query from your MTA? My guess is the query is cheaper overall.
> And you have to convince ISC to implement these changes, or write them
> yourself, then you have the potential cost of an unstable nameserver.
Overall, I'd take the one additional query based on the compromise solution.
My mail server doesn't use a BIND recursor, so I'll end up making the
change myself for that particular system. However, a solution needs to
be devised for the long term. The best solution is a wildcard bit.
Second to that, smart recursors and resolvers that can detect the wildcard.
-Jack
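The "one additional query from your MTA" that the two posters argue over, and the short-lived cache Jack wants in front of it, can be sketched as follows. This is an added example and not code from either poster or from BIND: it probes a random label under the sender domain's parent zone, treats the original answer as wildcard-synthesized when the two addresses match, and remembers the probe result for 15 minutes so a burst of bogus envelope-from domains costs one probe rather than one per message. The zone contents, the address 192.0.2.10 standing in for the wildcard target, and the `fake_resolve` lookup are all constructed for the example.

```python
import random
import string
import time

# Constructed sample data standing in for live DNS: the A record a recursor
# would hand back for each name (None = NXDOMAIN). The ".com" rule below
# models a TLD zone whose wildcard answers every unknown name with one
# address. 192.0.2.10 is a documentation address chosen for the example,
# not any real wildcard target.
WILDCARD_ADDRESS = "192.0.2.10"
FAKE_ZONE = {
    "example.com": "192.0.2.1",   # real host, distinct from the wildcard
    "example.org": "192.0.2.2",   # .org carries no wildcard in this model
}


def fake_resolve(name):
    """Stand-in for an A-record lookup (assumption: no real network here).
    Unknown names under .com hit the modelled wildcard; unknown names
    elsewhere return NXDOMAIN as None."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".com"):
        return WILDCARD_ADDRESS
    return None


def random_label(length=12):
    """A label that is vanishingly unlikely to exist in the parent zone."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


class WildcardAwareResolver:
    """Wraps a plain lookup with the extra probe discussed in the thread.

    For a name such as jlkfsjklfsj.com the parent zone is "com"; the probe
    resolves <random>.com and caches whatever comes back (an address, or
    None when the zone has no wildcard) for `ttl` seconds, 15 minutes by
    default. A name whose own answer equals the cached probe answer is
    reported as wildcard-synthesized, i.e. effectively non-existent.
    """

    def __init__(self, resolve, ttl=900, now=time.time):
        self.resolve = resolve          # callable(name) -> address or None
        self.ttl = ttl
        self.now = now                  # injectable clock, for testing
        self._probe_cache = {}          # parent zone -> (answer, expiry)

    def wildcard_address(self, parent):
        """Return the parent zone's wildcard answer (None if it has none),
        issuing at most one probe query per TTL window."""
        entry = self._probe_cache.get(parent)
        t = self.now()
        if entry is not None and entry[1] > t:
            return entry[0]
        answer = self.resolve(f"{random_label()}.{parent}")
        self._probe_cache[parent] = (answer, t + self.ttl)
        return answer

    def lookup(self, name):
        """Return (address, is_wildcard). is_wildcard is True when the name
        resolves only because its parent zone has a wildcard."""
        addr = self.resolve(name)
        if addr is None:
            return None, False
        parent = name.split(".", 1)[1] if "." in name else name
        wildcard = self.wildcard_address(parent)
        return addr, (wildcard is not None and wildcard == addr)


def sender_domain_exists(resolver, domain):
    """The MTA-side decision: accept the envelope-from domain only if it
    resolves on its own merits, not via a TLD wildcard."""
    addr, synthesized = resolver.lookup(domain)
    return addr is not None and not synthesized


if __name__ == "__main__":
    r = WildcardAwareResolver(fake_resolve)
    for d in ("example.com", "jlkfsjklfsj.com", "nosuchname.org"):
        print(d, r.lookup(d), "accept" if sender_domain_exists(r, d) else "reject")
```

Two caveats a practitioner would want before wiring this into an MTA. First, the comparison is on addresses, so a legitimate domain that deliberately points at the same address as the wildcard target is indistinguishable from a bogus one; a real deployment would compare the whole answer set, not just one A record. Second, the probe only catches a wildcard one level up: if the sender domain is itself a wildcarded zone (anything.example.com), the check has to be repeated against that zone, which is exactly why the thread prefers a wildcard bit in the protocol over client-side heuristics.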