* Paul Vixie:
since malware isn't breaking dns, and since dns is not a vector per se, the idea of changing dns in any way to try to control malware strikes me as a way to get dns to be broken in more places more often.
Well, once more people learn about DLV (especially the NS override extension that has been requested by zone operators), more and more questions will pop up why we can't do this for NS records they don't like for some reason. The genie is out of the bottle, I'm afraid.
in practical terms, and i've said this to you before, you'll get as much traction by getting people to switch from windows to linux as you'd get by trying to poison dns. that is, neither solution would be anything close to universal. that rules it out as an "alternative we can use today".
The legal details for operating and using a lookaside zone are rather interesting, which strongly suggests that this isn't a solution that can be rolled out in a reasonable time frame. On the more technical side, some very large operators have mostly outsourced their DNS operation, so they can't easily deploy an upgrade from ISC even if it were available today.
at the other end, authority servers, which means registries and registrars, ought, as you've oft said, to be more responsible about ripping down domains used by bad people. whether phish, malware, whatever. what we need is some kind of public shaming mechanism, a registrar wall of sheep if you will, to put some business pressure on the companies who enable this kind of evil.
I fear that many registrars make most of their money with trademark violations of their customers. If that is indeed true, showing any sign of responsibility could be suicidal.