On Sun, 1 Apr 2007, Paul Vixie wrote:
> I've got no heartburn about deploying these technologies at a customer level, but my experience with both BIND's "check-names" facility and VeriSign's sitefinder wildcard (*.COM) have taught me that it's best to creatively rulebreak at the edge, and keep the core pristine. I helped Dave build ICSS and I know that customers of that technology could easily white-out domains used for Gadi's 0-day and that it would be a good thing for them to do so.
The problem that I think you fear is that DNS is 'basic plumbing' (the ICANN-SSAC had some term like this, which sticks in my head as 'basic plumbing'...) and that messing with it where there is low confidence of knowing WHY it's being used is not smart, or hazardous, or probably going to cause larger problems. On this I too agree: unless you can clearly scope your userbase and clearly be accountable for the problems that may arise, messing with basic plumbing is a bad, bad plan. The 'dns core' could be 'provider recursive servers' or 'TLD servers' or 'root servers' or some combination of these. As you move closer to the 'core' the userbase gets wider and more varied, their intent is not divinable in their requests and there's likely a higher chance you'll be doing something 'wrong' with their request if you don't stick to the 'standards compliant' answer.
> But, that's the DNS "edge", I'm not ready to see the DNS "core" gain features like this. Or if they do come, I'd like them to come as a result of consensus driven protocol engineering (like inside the IETF) and take longer than "this week" to be defined. I hope this clarifies the incompatibility between me helping Dave build ICSS (an edge solution) and me saying that whiting out malware domain names as a way to stop malware isn't a real (core) solution.
Right, ICSS should be used (in your example) as close to the 'edge' as possible... or that's the intent of it, right? Let enterprise folks use these things, they have attentive helpdesk/admin folks to unscrew what the changes in basic plumbing have screwed up :)