Gadi Evron wrote:
>> People are suggesting it become the rule because nobody is trying anything else.
>
> I was with you up to this sentence. Obviously avoiding the core is key, but should we not have the capability of preventing abuse in the core rather than mitigating it there? Allowing NS changes with no other verification or limitation is silly imo, but I am unsure if it is relevant as a solution? And who is nobody and why doesn't he try something else? That is a bit insulting to nobody. :)
>
> Putting that aside, what do you think nobody should try at the edge?

People should try putting the intelligence that we have into software and hardware. Why can't we put Gadi into an edge device? I say this tongue-in-cheek, but am a bit serious. You (Gadi) are very good at looking at interesting trends and, more than saying it's a problem, you are able to come up with a report like the botnet rat-out reports. We know who the C&Cs are. We know who the compromised drones are. We know all of this. Today. But very few people (okay, not nobody) are saying, "Hey, why should I allow that compromised Windows box that has never sent me an MX request before to all of a sudden be able to request 10,000 MX records across my resolvers?" "Why am I resolving a domain name that was just added into the DNS an hour ago but has already changed NS servers 50 times?" These questions, and more (but I'm biased to DNS), can be solved at the edge for those who want them. It's decentralized there. It's done the right way there. It's also doable in a safe and fail-open kind of way. This is what I'm talking about.

> After all, nobody's security being affected by the edge of some end-user machine on the other side of the world is irrelevant to my edge security. FUSSP.
>
> DNS abuse is mostly not an edge issue.

I disagree. DNS is the enabler for many, many issues which are edge issues (botnets, spam, etc.).

> Gadi.

-David Ulevitch
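The two edge-resolver heuristics sketched above (a client with no MX history suddenly bursting MX queries, and a domain whose NS set churns within an hour), as an added example that is not part of the thread: it scores a constructed query log and constructed NS observations against assumed thresholds, and the policy fails open on any error.

```python
from collections import defaultdict

MX_WINDOW, MX_BURST = 60, 3     # assumed thresholds; the thread's figure is 10,000 MX queries
NS_WINDOW, NS_CHURN = 3600, 3   # assumed: three or more NS-set changes inside an hour

# Constructed resolver query log: "<epoch> <client> <qtype> <qname>"
LOG = """\
1000 10.0.0.5 A www.example.net
1002 10.0.0.9 MX example.org
1003 10.0.0.9 MX example.com
1010 10.0.0.5 MX host1.example
1011 10.0.0.5 MX host2.example
1012 10.0.0.5 MX host3.example
garbage line
"""
# Constructed NS-set observations: (epoch, domain, NS names seen at that time)
NS_OBS = [
    (1000, "churn.example", ("ns1.a.example",)), (1300, "churn.example", ("ns1.b.example",)),
    (1600, "churn.example", ("ns1.c.example",)), (1900, "churn.example", ("ns1.d.example",)),
    (1000, "stable.example", ("ns1.s.example",)), (1900, "stable.example", ("ns1.s.example",)),
]

def parse(log):
    """Yield (ts, client, qtype, qname); malformed lines are skipped, not fatal."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2].upper(), parts[3].lower()

def mx_bursters(log):
    """Clients whose first-ever MX queries form a burst: at least MX_BURST MX
    queries within MX_WINDOW seconds of the first one (so no MX history before it)."""
    mx_ts = defaultdict(list)
    for ts, client, qtype, _ in parse(log):
        if qtype == "MX":
            mx_ts[client].append(ts)
    return {c for c, ts in mx_ts.items()
            if sum(1 for t in ts if t - min(ts) <= MX_WINDOW) >= MX_BURST}

def ns_churners(observations):
    """Domains whose NS set changed at least NS_CHURN times within NS_WINDOW seconds."""
    changes, last = defaultdict(list), {}
    for ts, dom, ns in sorted(observations):
        key = frozenset(n.lower() for n in ns)
        if dom in last and last[dom] != key:
            changes[dom].append(ts)
        last[dom] = key
    return {d for d, ts in changes.items()
            if any(sum(1 for t in ts if 0 <= t - s <= NS_WINDOW) >= NS_CHURN for s in ts)}

def should_answer(client, qname, log=LOG, observations=NS_OBS):
    """Fail-open policy: refuse only when a heuristic fires; any error answers normally."""
    try:
        return client not in mx_bursters(log) and qname.lower() not in ns_churners(observations)
    except Exception:
        return True
```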