[96759] in North American Network Operators' Group


Re: Interesting new dns failures

daemon@ATHENA.MIT.EDU (David Ulevitch)
Thu May 24 03:02:04 2007

Date: Thu, 24 May 2007 00:01:03 -0700
From: David Ulevitch <davidu@everydns.net>
To: Douglas Otis <dotis@mail-abuse.org>
Cc: Gadi Evron <ge@linuxbox.org>,
	"Chris L. Morrow" <christopher.morrow@verizonbusiness.com>,
	nanog@merit.edu
In-Reply-To: <3BD51E67-9066-4413-9F35-60509E0D4976@mail-abuse.org>
Errors-To: owner-nanog@merit.edu


Douglas Otis wrote:
>
> On May 22, 2007, at 2:16 PM, Gadi Evron wrote:
>> On Tue, 22 May 2007, David Ulevitch wrote:
>>
>>> These questions, and more (but I'm biased to DNS), can be solved at 
>>> the edge for those who want them.  It's decentralized there.  It's 
>>> done the right way there.  It's also doable in a safe and fail-open 
>>> kind of way.
>>>
>>> This is what I'm talking about.
>>
>> Agreed.
>
> Gadi,
>
> What is the downside of a "preview" of zones being published by a 
> TLD?  Previews could be on a 12 or 24 hour cycle.  This would enable 
> defenses at the edge by disabling fast-flux outright.  There could be 
> exceptions, of course.  When millions of domains are in rapid flux 
> daily, few protective schemes are able to sustain or afford the 
> dispersion of raw threat information.  In addition, these raw updates 
> arrive too late at that.  A "preview" would not change how the core 
> works, only how fast changes occur, while also dramatically reducing 
> the amount of data required for comprehensive protections at the edge.
>
> This would be a policy change at the core that enables defenses at the 
> edge.
Lots of people already track newly added domains.  Rick Wesson runs a 
feed called Day old bread that is just such a feed.

Again, good idea, but doesn't belong in the core.  If I register a 
domain, it should be live immediately, not after some 5 day waiting 
period.  On the same token, if you want to track new domains and not 
accept any email from me until my domain is 5 days old, go for it.  Your 
prerogative.

-david


>
> -Doug
>
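The edge-side policy David describes (track newly registered domains yourself and decline mail from a domain until it is, say, 5 days old, without touching the core) can be expressed as a small, fail-open check. The following is an added example, not code from this thread or from Rick Wesson's feed; the tab-separated "domain, first-seen date" feed layout, the sample entries and the `decide()` function are assumptions constructed for illustration, and the two-label registrable-domain heuristic is a stand-in for a proper Public Suffix List lookup.

```python
from datetime import date
from email.utils import parseaddr

# Constructed sample feed: one "domain<TAB>first-seen ISO date" per line.
# This layout is an assumption for the example, not any real feed's format.
SAMPLE_FEED = """\
# domain\tfirst_seen
example-fresh.test\t2007-05-23
another-new.test\t2007-05-20
old-shop.test\t2007-05-01
"""


def parse_feed(text):
    """Return {registrable_domain: first_seen_date} from the constructed feed."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, first_seen = line.split("\t", 1)
        seen[domain.lower().rstrip(".")] = date.fromisoformat(first_seen.strip())
    return seen


def sender_domain(addr):
    """Extract the host part of an RFC 5322 sender; None if there is none."""
    _, email = parseaddr(addr)
    if "@" not in email:
        return None
    return email.rsplit("@", 1)[1].lower().rstrip(".")


def registrable_domain(host):
    # Assumption: last two labels form the registrable domain. Real
    # deployments must consult the Public Suffix List (e.g. co.uk).
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def decide(addr, feed, today, min_age_days=5):
    """Return (action, reason). Unknown or unparsable senders are accepted:
    the feed only lists domains it has seen, so absence is not evidence of
    anything, and the policy must fail open."""
    host = sender_domain(addr)
    if host is None:
        return ("accept", "unparsable sender, fail open")
    domain = registrable_domain(host)
    first_seen = feed.get(domain)
    if first_seen is None:
        return ("accept", "domain not in new-domain feed, fail open")
    age = (today - first_seen).days
    if age < min_age_days:
        return ("reject", "domain %s is %d day(s) old (< %d)" % (domain, age, min_age_days))
    return ("accept", "domain %s is %d day(s) old" % (domain, age))


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    today = date(2007, 5, 24)  # constructed "now" matching the sample dates
    for sender in ("Alice <alice@mail.example-fresh.test>",
                   "bob@another-new.test",
                   "carol@old-shop.test",
                   "dave@unlisted.test"):
        print(sender, "->", decide(sender, feed, today))
```

The threshold is a local choice, exactly as the message argues: one site may reject at 5 days, another may only greylist or score, and a domain the feed has never seen is accepted rather than punished for missing data.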

