[95815] in North American Network Operators' Group
Re: On-going Internet Emergency and Domain Names
daemon@ATHENA.MIT.EDU (David Ulevitch)
Wed Apr 4 14:59:02 2007
Date: Wed, 04 Apr 2007 11:58:04 -0700
From: David Ulevitch <davidu@everydns.net>
To: Paul Vixie <paul@vix.com>
Cc: nanog@merit.edu
In-Reply-To: <86950.1175358024@sa.vix.com>
Errors-To: owner-nanog@merit.edu
Paul Vixie wrote:
>> ...
>> Back to reality and 2007:
>> In this case, we speak of a problem with DNS, not sendmail, and not bind.
>>
>> As to blacklisting, it's not my favorite solution but rather a limited
>> alternative I also saw you mention on occasion. What alternatives do you
>> offer which we can use today?
>
> on any given day, there's always something broken somewhere.
>
> in dns, there's always something broken everywhere.
>
> since malware isn't breaking dns, and since dns is not a vector per se, the
> idea of changing dns in any way to try to control malware strikes me as
> a way to get dns to be broken in more places more often.
I'd say it's a way to get DNS to be more inconsistent and it's likely to
happen. Broken is both in the eye of the beholder and in the eye of the
end-user.
> but, isp's responsible for large broadband populations could do this in their
> recursion farms
That's right. And it will perpetuate the arms race of whitehats vs.
blackhats. But that's no reason not to add intelligence into the DNS --
either in-band or out-of-band. Most of us already do some level of DNS
intelligence out-of-band (passive dns, uribls, etc) and the power of
doing it in-band is a logical next step.
> fundamentally, this isn't a dns technical problem, and using dns technology
> to solve it will either not work or set a dangerous precedent. and since
> the data is authentic, some day, dnssec will make this kind of poison
> impossible.
Unfortunately, that day, if it ever comes, will come after bot herders
stop using DNS to manage their botnets because other mitigation
strategies will have already forced them to move on.
-David
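The in-band resolver-side policy the message describes (an ISP applying domain intelligence in its recursion farm, alongside out-of-band sources such as URIBLs), shown as an added example that is not part of the thread or of any resolver's code. It assumes a resolver that can consult a policy object before recursing; the blocklist entries, query names and the `dnsbl.example` list zone are constructed placeholders, and the URIBL query-name layout (domain prefixed to the list zone) is stated as an assumption about that lookup style.

```python
# Added example: a minimal in-band policy check a recursive resolver operator
# might apply to a query name before recursing, plus the out-of-band
# URIBL-style lookup name for the same domain. All names are constructed.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Decision:
    action: str                 # "resolve" or "block"
    matched: Optional[str] = None   # the policy entry that fired, if any


def normalize(name: str) -> str:
    """Canonical form for comparisons: lowercase, no trailing dot, no padding."""
    return name.strip().rstrip(".").lower()


def _suffix_match(name: str, table: set) -> Optional[str]:
    """Return the longest policy entry that is the name itself or a parent zone.

    Walking from the full name toward the TLD means a block on 'c2.example'
    also covers 'www.c2.example' without listing every host separately.
    """
    parts = normalize(name).split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in table:
            return candidate
    return None


class Policy:
    """Resolver-side domain policy: an allowlist that always wins, then a blocklist."""

    def __init__(self, blocked: Iterable[str], allowed: Iterable[str] = ()):
        self.blocked = {normalize(n) for n in blocked}
        self.allowed = {normalize(n) for n in allowed}

    def check(self, qname: str) -> Decision:
        # Allowlist is consulted first so that a block on a parent zone cannot
        # take out a known-good host underneath it (the "inconsistency" cost
        # of in-band filtering is paid by the operator, so give them an override).
        if _suffix_match(qname, self.allowed) is not None:
            return Decision("resolve")
        hit = _suffix_match(qname, self.blocked)
        if hit is not None:
            return Decision("block", hit)
        return Decision("resolve")


def uribl_query_name(domain: str, list_zone: str = "dnsbl.example") -> str:
    """Out-of-band check: the domain is prefixed to the list zone and looked up
    as an ordinary DNS name (assumed URIBL-style layout; zone is a placeholder)."""
    return f"{normalize(domain)}.{normalize(list_zone)}"


def log_line(qname: str, decision: Decision) -> str:
    """One audit record per policy hit, so operators can review what was withheld."""
    return f"policy action={decision.action} qname={normalize(qname)} rule={decision.matched or '-'}"


if __name__ == "__main__":
    policy = Policy(blocked=["c2.example", "malware-host.test"],
                    allowed=["clean.c2.example"])
    for q in ["WWW.C2.EXAMPLE.", "clean.c2.example", "example.org"]:
        print(log_line(q, policy.check(q)))
    print(uribl_query_name("c2.example"))
```

The allowlist-before-blocklist order and the suffix walk are the two design points: without the suffix walk a blocklist has to enumerate every hostname an operator sees, and without an allowlist override a single broad entry makes the resolver inconsistent for every customer behind it.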