[64340] in North American Network Operators' Group


Re: data request on Sitefinder

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Oct 20 17:12:24 2003

To: "Steven M. Bellovin" <smb@research.att.com>
Cc: nanog@nanog.org
In-Reply-To: Your message of "Mon, 20 Oct 2003 16:31:45 EDT."
             <20031020203145.51CFD7B43@berkshire.research.att.com> 
From: Valdis.Kletnieks@vt.edu
Date: Mon, 20 Oct 2003 17:09:58 -0400
Errors-To: owner-nanog-outgoing@merit.edu


--==_Exmh_1765000652P
Content-Type: text/plain; charset=us-ascii

On Mon, 20 Oct 2003 16:31:45 EDT, "Steven M. Bellovin" <smb@research.att.com>  said:
> 
> A number of people have responded that they don't want to be forced to 
> pay for a change that will benefit Verisign.  That's a policy issue I'm 
> trying to avoid here.  I'm looking for pure technical answers -- how 
> much lead time do you need to make such changes safely?

OK, since you asked....

At least from where I am, the answer will depend *heavily* on whether Verisign
deploys something that an end-user program can *reliably* detect if it's been
fed a wildcard it didn't expect.  Note that making a second lookup for '*.foo'
and comparing the two answers is specifically *NOT* acceptable due to the added
lookup latency (and to some extent, the attendant race conditions and failure
modes as well).

Also note that it has to be done in a manner that can be tested by an
application - there will be a *REAL* need for things like Sendmail to be
able to test for wildcards *without the assistance* of a patched local DNS.

And yes, this means the minimum lead time to deploy is 'amount of time to write
a "Wildcard Reply Bit" I-D, advance through IETF to some reasonable point on
standards track, and then upgrade DNS, end host resolvers, and applications'.



--==_Exmh_1765000652P--
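
Added example, not part of the message above and not code from its author: a sketch of the "second lookup for '*.foo' and compare" check the message rules out, showing the doubled query count and one race failure mode. The resolver is injected so it runs offline; FakeZone, the names and the 192.0.2.x addresses are constructed for illustration.

```python
# Added illustration; names and zone data below are constructed, not from the thread.
from typing import Callable, FrozenSet, Optional

Resolver = Callable[[str], Optional[FrozenSet[str]]]  # None means NXDOMAIN

def wildcard_probe(name: str) -> str:
    """Return '*.<tld>' for a fully qualified name such as 'example.com'."""
    return "*." + name.rstrip(".").rsplit(".", 1)[-1]

def looks_like_wildcard(name: str, resolve: Resolver) -> bool:
    """Double-lookup check: costs one extra query per name that resolves."""
    answer = resolve(name)
    if answer is None:
        return False                       # real NXDOMAIN, nothing synthesized
    probe = resolve(wildcard_probe(name))  # second round trip
    return probe is not None and answer == probe

class FakeZone:
    """Constructed stand-in for a TLD server; counts the queries it receives."""
    def __init__(self, registered, wildcard_answers):
        self.registered = registered
        self.wildcard_answers = list(wildcard_answers)  # served in rotation
        self.queries = 0

    def resolve(self, name):
        self.queries += 1
        if name in self.registered:
            return self.registered[name]
        if not self.wildcard_answers:
            return None
        # Rotate: models the wildcard target changing between two lookups.
        current = self.wildcard_answers[0]
        self.wildcard_answers.append(self.wildcard_answers.pop(0))
        return current

def demo():
    real = {"registered.example": frozenset({"192.0.2.10"})}
    stable = FakeZone(real, [frozenset({"192.0.2.1"})])
    moving = FakeZone(real, [frozenset({"192.0.2.1"}), frozenset({"192.0.2.2"})])
    return {
        "typo_flagged": looks_like_wildcard("typo.example", stable.resolve),
        "registered_flagged": looks_like_wildcard("registered.example", stable.resolve),
        "queries_for_two_names": stable.queries,
        "typo_flagged_during_change": looks_like_wildcard("typo.example", moving.resolve),
    }
```

With a stable wildcard the check works but sends four queries for two names; when the wildcard answer changes between the two lookups, the synthesized reply goes undetected.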
