[62312] in North American Network Operators' Group
Re: Change to .com/.net behavior
daemon@ATHENA.MIT.EDU (Paul Vixie)
Wed Sep 17 13:57:34 2003
From: Paul Vixie <paul@vix.com>
To: nanog@merit.edu
In-Reply-To: Message from "David Schwartz" <davids@webmaster.com>
of "Wed, 17 Sep 2003 10:50:38 MST."
<MDEHLPKNGKAHNMBLJOLKCENBGJAA.davids@webmaster.com>
Date: Wed, 17 Sep 2003 17:55:32 +0000
Errors-To: owner-nanog-outgoing@merit.edu
> > ... shouldn't they get to decide this for themselves?
>
> Returning NXDOMAIN when a domain does not exist is a basic
> requirement. Failure to do so creates security problems. It is
> reasonable to require your customers to fix known breakage that
> creates security problems.
that sounds pretty thin. i think you stretched your reasoning too far.
> VeriSign has a public trust to provide accurate domain
> information for the COM and NET zones. They have decided to put their
> financial interest in obscuring this information ahead of their public
> trust.
i'm not sure how many people inside verisign, us-DoC, and icann agree
that COM and NET are a public trust, or that verisign is just a caretaker.
but, given that this is in some dispute, it again seems that your customers
should decide for themselves which side of the dispute they weigh in on.
> Microsoft, for example, specifically designed IE to behave in a
> particular way when an unregistered domain was entered. Verisign's
> wildcard record is explicitly intended to break this detection. The
> wildcard only works if software does not treat it as if the domain
> wasn't registered even though it is not.
then microsoft should act. and if it matters to you then you should act.
but this is not sufficient justification to warrant a demand by you of your
customers that they install a patch (what if they don't run bind?) or that
they configure delegation-only for particular tlds (which ones and why not
others?)
> Verisign has created a business out of fooling software through
> failure to return a 'no such domain' indication when there is no such
> domain, in breach of their public trust. As much as Verisign was
> obligated not to do this, others are obligated not to propagate the
> breakage. ISPs operate DNS servers for their customers just as
> Verisign operates the COM and NET domains for the public.
the obligations you're speaking of are much less clear than you're saying.
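The detection problem the thread is arguing about, as an added example that is not part of the original exchange: a resolver-side check that flags a TLD wildcard by looking up several random labels that cannot be registered and seeing whether they all come back NOERROR with one identical answer set instead of NXDOMAIN. The response tuples below are constructed inline; the names `probe_names` and `wildcard_synthesized` are this example's own.

```python
"""Flag TLD wildcard synthesis from resolver responses to probe names
that should not exist. Added example; responses are constructed."""
import secrets


def probe_names(zone: str, count: int = 3) -> list[str]:
    """Random labels under `zone` that no registrant could plausibly own."""
    return [f"nx-{secrets.token_hex(8)}.{zone}" for _ in range(count)]


def wildcard_synthesized(responses: list[tuple[str, list[str]]]) -> bool:
    """responses: (rcode, answer_addresses) for each probe name.

    Returns True only when every probe that ought to be NXDOMAIN instead
    answered NOERROR with the same address set, i.e. the zone is
    synthesizing answers for unregistered names. Any honest NXDOMAIN, or
    any inconclusive rcode (SERVFAIL etc.), yields False."""
    if not responses:
        return False
    answers = []
    for rcode, addrs in responses:
        if rcode == "NXDOMAIN":
            return False  # at least one honest negative answer
        if rcode != "NOERROR" or not addrs:
            return False  # inconclusive, not evidence of a wildcard
        answers.append(tuple(sorted(addrs)))
    # identical answers for every random probe: a wildcard is answering
    return len(set(answers)) == 1


# Constructed sample data (192.0.2.0/24 is documentation space, not a
# real wildcard target)
WILDCARD_LIKE = [("NOERROR", ["192.0.2.1"])] * 3
HONEST = [("NXDOMAIN", [])] * 3
MIXED = [("NOERROR", ["192.0.2.1"]), ("NXDOMAIN", []), ("NOERROR", ["192.0.2.1"])]

if __name__ == "__main__":
    for label, data in (("wildcard-like", WILDCARD_LIKE), ("honest", HONEST)):
        print(label, "->", wildcard_synthesized(data))
```

In practice the tuples come from querying the names returned by `probe_names` against the resolver under test; an operator who sees True for a TLD knows that NXDOMAIN-based logic in mail filters and browsers is being defeated on that path.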