Paul Vixie wrote:
> on any given day, there's always something broken somewhere.
> in dns, there's always something broken everywhere.
The catch-phrases you come up with are delightful. Catchy and deeply useful. Would that more folk would take them to heart, for their implications.
> since malware isn't breaking dns, and since dns is not a vector per se, the idea of changing dns in any way to try to control malware strikes me as a way to get dns to be broken in more places more often.
Although there are times to consider pursuing an ugly-but-expeditious path, you've made the point that the effects are long-term, while the symptoms might only be short-term. Given the complexity of the abuse space, it's worth thinking in terms of basic benefit in the change, while using the immediate situation merely as a motivator: Is the change something that makes sense on its own, independent of the current abuse manifestation? If so, then go ahead and do it. If not, the odds are high that it will only be part of a process of adding warts to warts.
> fundamentally, this isn't a dns technical problem, and using dns technology to solve it will either not work or set a dangerous precedent. and since the data is authentic, some day, dnssec will make this kind of poison impossible.
I was sitting at a bar, one Saturday, many years ago. Behind the bartender was a sign that said "Free beer tomorrow". We were in an alcohol-paranoid state, so I asked the bartender about the sign, since I knew they'd be closed on Sunday. His comment was that tomorrow never comes. Someday, indeed.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net