91.192/10 to be used for PI assignments to End Users
Dear Colleagues,

At recent RIPE Meetings, we have reported a steady rise in requests from our members for Provider Independent (PI) address space for End User networks. We have reclaimed and recycled space from closed Local Internet Registries to meet this demand, but we are nearing the point where the available PI space will run out.

In the past, we made PI assignments from former Class C space (193/8 and 194/7). Because of the increasing demand for PI space, we made sure that we would be able to use some of our most recent allocation of address space to meet future requests.

We have designated 91.192/10 for PI assignments to End User networks. When the former Class C space is exhausted, we will start to make PI assignments from 91.192/10. We will let you know when this happens.

We are announcing a pilot prefix using the RIS beacons, you may want to update any filters that you have in place. The RIS beacons are announcing the following networks:

91.192.0.0/24
91.192.0.0/16

You can ping 91.192.0.1. Full details of reachable IP addresses and tools are available on our web site at:

http://www.ris.ripe.net/debogon/debogon.html

Regards,

--
leo vegoda
Registration Services Manager
RIPE NCC
On Mon, 2006-07-10 at 13:50 +0200, leo vegoda wrote:
Dear Colleagues,
At recent RIPE Meetings, we have reported a steady rise in requests from our members for Provider Independent (PI) address space for End User networks.
Any link to the slides which might contain the expected increase for the coming years? Especially the estimated number of routes that will newly be announced using BGP because of this would be something nice to see. Greets, Jeroen
Hi Jeroen, Jeroen Massar wrote:
On Mon, 2006-07-10 at 13:50 +0200, leo vegoda wrote:
Dear Colleagues,
At recent RIPE Meetings, we have reported a steady rise in requests from our members for Provider Independent (PI) address space for End User networks.
Any link to the slides which might contain the expected increase for the coming years? Especially the estimated number of routes that will newly be announced using BGP because of this would be something nice to see.
Slides from RIPE 52 are available here: http://www.ripe.net/ripe/meetings/ripe-52/presentations/ripe52-plenary-ripe_... We have not made a growth projection in these slides because we concentrate on reporting what has happened. Regards, -- leo vegoda Registration Services Manager RIPE NCC
It is not VeriSign this time.

For those who have not yet seen this: http://www.opendns.com/

They will 'correct' your spelling mistakes for you.

From their FAQ:
--------------
Why is OpenDNS smarter?

We fix typos in the URLs you enter whenever we can. For example, if you're using OpenDNS craigslist.og will lead directly to craigslist.org. If we're not sure what to do with an error, we provide search results for you to choose from.

How does OpenDNS make money?

OpenDNS makes money by offering clearly labeled advertisements alongside search results on error pages. OpenDNS will provide additional services on top of its enhanced DNS service.
---------------
On Jul 10, 2006, at 9:44 AM, Gerry Boudreaux wrote:
It is not VeriSign this time.
For those who have not yet seen this:
They will 'correct' your spelling mistakes for you.
From their FAQ: -------------- Why is OpenDNS smarter?
We fix typos in the URLs you enter whenever we can. For example, if you're using OpenDNS craigslist.og will lead directly to craigslist.org. If we're not sure what to do with an error, we provide search results for you to choose from.
How does OpenDNS make money?
OpenDNS makes money by offering clearly labeled advertisements alongside search results on error pages. OpenDNS will provide additional services on top of its enhanced DNS service.
This is nothing like Verisign's SiteFinder service. OpenDNS is a product a customer -chooses- to use. There really is no comparison. -- TTFN, patrick
Gerry Boudreaux wrote:
It is not VeriSign this time.
For those who have not yet seen this:
They will 'correct' your spelling mistakes for you.
I think the openDNS approach is far different from the Verisign sitefinder debacle if only for the important reason that using openDNS is voluntary and using sitefinder wasn't.

Also, sitefinder created a wildcard DNS record where none existed before, breaking all kinds of applications in the process, openDNS doesn't do this.

So at the end of the day, people are FREE to decide what resolvers to use and whoever comes along to offer their idea of "value adds" can go right ahead without borking the internet.

Personally I think openDNS is an idea whose time has come and that Dave Ulevitch and his crew are going to hit one out of the ballpark with this.

-mark

--
Mark Jeftovic <markjr@easydns.com>
Founder & President, easyDNS Technologies Inc.
ph. +1-(416)-535-8672 ext 225
fx. +1-(866) 273-2892
* markjr@easydns.com (Mark Jeftovic) [Mon 10 Jul 2006, 15:55 CEST]:
I think the openDNS approach is far different from the Verisign sitefinder debacle if only for the important reason that using openDNS is voluntary and using sitefinder wasn't.
Correct. OpenDNS is not abusing a monopoly position here.
Also, sitefinder created a wildcard DNS record where none existed before, breaking all kinds of applications in the process, openDNS doesn't do this.
Wrong. Asking their "big caching nameserver" for gibberish returns "IN A 208.67.219.40" instead of NXDOMAIN. Same breakage occurs, although they return NXDOMAIN instead of NOERROR when queried about MX or AAAA records, so ironically damage for IPv6-enabled applications is limited.

They seem to be using Yahoo! as search engine there.

220 reject.opendns.com - OpenDNS Mail Rejection Service 1.2 (No mail accepted here)

Remind you of anything - what was it called, chuck? It's already broken.
So at the end of the day, people are FREE to decide what resolvers to use and whoever comes along to offer their idea of "value adds" can go right ahead without borking the internet.
Several people have eloquently expressed why creating different views of a global namespace is a bad idea before on this mailing list.
Personally I think openDNS is an idea whose time has come and that Dave Ulevitch and his crew are going to hit one out of the ballpark with this.
Have you switched your company over yet? Regards, -- Niels.
Personally I think openDNS is an idea whose time has come and that Dave Ulevitch and his crew are going to hit one out of the ballpark with this.
Have you switched your company over yet?
yes, and the thing that pisses me off, is that it does seem faster. -rick
* wessorh@ar.com (Rick Wesson) [Mon 10 Jul 2006, 21:08 CEST]:
Personally I think openDNS is an idea whose time has come and that Dave Ulevitch and his crew are going to hit one out of the ballpark with this. Have you switched your company over yet? yes, and the thing that pisses me off, is that it does seem faster.
With 170ms to their resolvers I doubt it'll be much of an improvement for me... -- Niels.
Niels Bakker wrote:
Also, sitefinder created a wildcard DNS record where none existed before, breaking all kinds of applications in the process, openDNS doesn't do this.
Wrong. Asking their "big caching nameserver" for gibberish returns "IN A 208.67.219.40" instead of NXDOMAIN. Same breakage occurs, although they return NXDOMAIN instead of NOERROR when queried about MX or AAAA records, so ironically damage for IPv6-enabled applications is limited.
I stand corrected, however this is not as big a deal as when sitefinder did it because as we've both observed, this is voluntary. If using this breaks your application, don't have your application use it, with sitefinder you didn't have the choice. For its target market: end user DNS resolution, the side effects will be minimal if anything.
Several people have eloquently expressed why creating different views of a global namespace is a bad idea before on this mailing list.
I don't consider this a different view of the global namespace. If they decide to add ORSC root glue or New.net domains then it'll be a different view of the global namespace. Hopefully they wouldn't be that reckless.
Have you switched your company over yet?
The way we run our applications doesn't lend itself to using it (it's that choice thing again), but I've got a few workstations using it and one of my laptops. It's also a handy offsite resolver to use to check DNS settings from outside our own cloud.

We also get asked by our members if there is a viable resolver they can use and we'll be happy to recommend this.

-mark

--
Mark Jeftovic <markjr@easydns.com>
Founder & President, easyDNS Technologies Inc.
ph. +1-(416)-535-8672 ext 225
fx. +1-(866) 273-2892
I'll demur --- I don't much like it, for several reasons.

The first is that it *does* present a different view of the One True Tree. I've been saying for years -- among other things, in the context of Sitefinder, alternate roots, and other things -- that the DNS was designed under the assumption that there's one namespace. Anything that presents different results will result in confusion.

The second is the precedent that's set -- who gets to decide what zones are excluded from the tree? OpenDNS? Sure -- and to whom do they listen? Are any sites to be ruled out on political grounds? Ideological? Not today, sure, and (I assume) not by OpenDNS -- but what if some misguided legislature passes some law? Bear in mind that *by U.S. law*, libraries that receive federal funding *must* install certain kinds of filters.

The third is that not all the world is a web site. I send email, do IM, ftp, ssh, SIP, imaps, pop3s, and assorted other weird protocols. (I'm having trouble doing SIP from my hotel tonight. I wonder if that's a coincidence. The server worked just fine from the IETF venue a few hours ago.) OpenDNS, like Sitefinder before it, is optimized for web users.

A fourth is that most consumers don't have a realistic choice; they use whatever DNS server their ISP gives them. Furthermore, they have little choice of ISP. In the U.S., people are lucky if they have two choices, DSL from the local monopoly telco or cable modem service from the local monopoly cable TV company. You might not like the service; you may get it anyway. (Yes, I read their instructions how individuals can start using the service. I frankly don't believe that that will happen at a large enough scale to make a viable business.) This doesn't apply, of course, to corporate decisions regarding the employee experience, but that doesn't strike me as the market this is aimed at. (Their privacy policy appears decent, but I couldn't tell if they build up user profiles which they use for their ads. The Privacy Policy didn't seem to say, one way or another; the Terms of Service requires accurate registration instructions, which is sometimes done for profile-based advertising. I can't tell, nor do I know what they can or can't "look our mothers in the eye about", to use their phrase.)

Fifth, the service doesn't work properly in the presence of DNSsec. They can't return proper NXT records, nor can they realistically sign their own responses except for certain *very* common typos.

Yes, this is better than Sitefinder, because it's not forced on the entire Internet. However, it shares many of the same flaws.
On Jul 10, 2006, at 11:40 PM, Steven M. Bellovin wrote:
I'll demur --- I don't much like it, for several reasons.
[SNIP - several good points.]
Yes, this is better than Sitefinder, because it's not forced on the entire Internet. However, it shares many of the same flaws.
I'm not going to use the service either, but for different reasons than you state. And it does have "many of the same flaws" as Sitefinder. But Sitefinder had only one fatal flaw: The Lack Of Choice. Obviously that flaw is not shared. Of course, everyone should feel free to espouse their opinions on the service, and use it or not, and try to persuade others to use it or not. But just like any other service, software, protocol, or other _optional_ choice in running your network (or home computer), we will just have to let the market decide. Chances are, there's enough Internet to go around for everyone, whether they use the service or not. -- TTFN, patrick
Patrick writes:
I'm not going to use the service either, but for different reasons than you state. And it does have "many of the same flaws" as Sitefinder.
Yes, it does. However, many of those flaws revolve around servers being forced to opt in to the (original) Sitefinder; it should be clear that you do not want servers participating in this, and you have the option to make it so.

Regardless, this may create some operational challenges - both for client sites and for OpenDNS.

I note with some amusement that their home page says "22,340,882 DNS requests", which is a trivial number of requests. Obviously anycast will help the service scale in the traditional manner, but depending on the amount of "smart" they're trying to do, they could be adding a lot of work to the process of handling errors (fortunately they seem to be doing nothing significant at the DNS level). I think of the sheer volume of bogus traffic at the roots, for example.

Client sites with dedicated recursers are going to be presented with a challenge: if their servers use the recursers, then will they set up a parallel set of caching forwarding recursers for desktop-to-OpenDNS use, or will they simply let OpenDNS be their default resolver for desktops? (etc) What happens if/when OpenDNS gets too busy, or fails, or goes TU?

DNS was designed to be a distributed network for name resolution. The whole concept of OpenDNS, while clever, seems to violate - at least somewhat - the spirit behind DNS. Taken to the extreme, every desktop on the planet would be pointed to their servers, and at that point, we essentially have something resembling a centralized host file database server. We'll effectively have eliminated the distributed caching recurser network, and be left only with the authoritative server tree, which would be better integrated into OpenDNS too at that point.

Of course, we're not likely to see anywhere near 100% penetration of OpenDNS...
But Sitefinder had only one fatal flaw: The Lack Of Choice.
Obviously that flaw is not shared.
It is merely replaced with another (others?). I believe Paul Vixie was just recently reminding people about DNS coherence in the thread "DNS Based Load Balancers", and I expected to see that objection show up here right away.

I have not been convinced that coherence is a property that *must* be maintained within the DNS, though I see certain portions that must obviously remain coherent. I've written DNS based load balancers in the past, which worked very successfully for their intended application, so my views may be mildly slanted.

I would be curious to know exactly how invasive this is into the system, and what sorts of things are done. I did do some poking at their resolver with some queries, and here's what I noticed.

    Name: www.sol.net
    Address: 206.55.64.128

    Name: www.sol.nte
    Address: 208.67.219.40

okay, that makes sense

    www.<someofflinedomain>.com. *** Request to resolver1.opendns.com timed-out

okay, that's fine (domain has inaccessible NS's) but this:

    Name: doesnotexist.sol.net
    Address: 208.67.219.40

bothers me. It almost looks like their "magic technology" was to take nonexistent results and replace them with their web redirector. I don't *think* the original Sitefinder behaved like that for delegated domains, though I really cannot recall the exact effect of a wildcard in this case.

There are still numerous security risks associated with losing final control over your namespace, and there is also the attractiveness factor for crackers - it'd be a really scary thing to have a lot of people using this and then have a cache entry for a major bank get corrupted or inserted maliciously.
Of course, everyone should feel free to espouse their opinions on the service, and use it or not, and try to persuade others to use it or not. But just like any other service, software, protocol, or other _optional_ choice in running your network (or home computer), we will just have to let the market decide. Chances are, there's enough Internet to go around for everyone, whether they use the service or not.
Well, it may not be perfect, but it is at least a "Sitefinder done (more) right" than the last spectacle. I have my reservations. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
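The manual probing reported above by Niels Bakker (A versus MX/AAAA for gibberish names) and Joe Greco (nonexistent names under a real zone) can be scripted as a resolver check. This is an added example, not part of the thread or of any project's code: `simulated_resolver` and the example.* zones are constructed stand-ins so it runs offline, and 208.67.219.40 is the address quoted in the thread.

```python
import ipaddress
import secrets
import struct

QTYPE = {"A": 1, "MX": 15, "AAAA": 28}
NOERROR, NXDOMAIN = 0, 3


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid):
    """Standard recursive query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_response(msg):
    """Return (rcode, [(rtype, rdata), ...]) for the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # name + qtype + qclass
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((rtype, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0x000F, answers


def classify(responses):
    """responses: {qtype: raw reply} for ONE random name that should not exist."""
    findings = {}
    for qtype, raw in responses.items():
        rcode, answers = parse_response(raw)
        addrs = [str(ipaddress.ip_address(rd)) for rt, rd in answers
                 if rt in (QTYPE["A"], QTYPE["AAAA"])]
        if rcode == NXDOMAIN:
            findings[qtype] = ("nxdomain", [])
        elif rcode == NOERROR and addrs:
            findings[qtype] = ("rewritten", addrs)  # an address for a made-up name
        else:
            findings[qtype] = ("other", [])
    return findings


def simulated_resolver(query, rewrite_to="208.67.219.40"):
    """Constructed stand-in for the network. With rewrite_to set it answers A
    queries with that address and everything else with NXDOMAIN, as the thread
    reports; with rewrite_to=None it answers NXDOMAIN for every type."""
    txid, question = query[:2], query[12:]
    qtype = struct.unpack("!H", question[-4:-2])[0]
    if rewrite_to and qtype == QTYPE["A"]:
        header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4)
                  + ipaddress.ip_address(rewrite_to).packed)
        return header + question + answer
    return txid + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + question


def survey(resolver, zones=("example.com", "example.net", "example.org")):
    """Probe one random label per zone for each record type."""
    results = []
    for i, zone in enumerate(zones):
        name = f"{secrets.token_hex(8)}.{zone}"
        replies = {qt: resolver(build_query(name, qt, 0x1000 + i)) for qt in QTYPE}
        results.append(classify(replies))
    return results


def catch_all_addresses(results):
    """Addresses returned for two or more unrelated made-up names."""
    seen = {}
    for row in results:
        for addr in {a for _verdict, addrs in row.values() for a in addrs}:
            seen[addr] = seen.get(addr, 0) + 1
    return sorted(a for a, n in seen.items() if n >= 2)


if __name__ == "__main__":
    for row in survey(simulated_resolver):
        print(row)
```

To check a real resolver, pass `survey` a function that sends each query over UDP to port 53 of that resolver and returns the reply bytes.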
On Tuesday 11 Jul 2006 13:40, you wrote:
Client sites with dedicated recursers are going to be presented with a challenge: if their servers use the recursers, then will they set up a parallel set of caching forwarding recursers for desktop-to-OpenDNS use, or will they simply let OpenDNS be their default resolver for desktops? (etc) What happens if/when OpenDNS gets too busy, or fails, or goes TU?
Fortunately BIND does a "forward first" option. But of course then the view of the DNS will change when the remote servers are busy :( A bigger issue I haven't thought through is the site encourages forwarding, which is notorious in the DNS world for causing poisoning issues. Although presumably if their DNS implementation itself is perfect, that may not raise issues, it makes me nervous.
I have not been convinced that coherence is a property that *must* be maintained within the DNS, though I see certain portions that must obviously remain coherent.
But can you define a mechanical rule to identify if an A record belongs to the set of A records that must remain coherent, so that they never get modified by such a scheme? The advantage of things like relay block lists is the effect is limited in scope -- I won't talk to that email server because -- and the errors and conditions that result are small, but as soon as you return an "untrue" answer for an A record you have no way of knowing how much of the Internet you just lost name resolution from, because you can't know for sure that it isn't the delegated name server for an important domain. Sure this may reflect bad design decision in the DNS from olden days, but it is the reality of the Internet that servers with names like "hippo.ru.ac.za" play a crucially important role, and unless you happen to know what that role is, you can't assess the importance of that A record (okay that one was an easy one).
* Steven M. Bellovin:
The second is the precedent that's set -- who gets to decide what zones are excluded from the tree? OpenDNS? Sure -- and to whom do they listen? Are any sites to be ruled out on political grounds? Ideological? Not today, sure, and (I assume) not by OpenDNS -- but what if some misguided legislature passes some law?
And how is real DNS any different? Even in Western democracies, ISPs can be forced to suppress zones on their resolvers.

There are profound privacy issues with centralized, opt-in DNS resolvers, but they can probably be resolved satisfactorily. But I'm definitely the wrong guy to argue in favor of DNS-related privacy (although I try very hard to make it impossible to link DNS queries and responses to particular users).

Apart from that, I hope that services like this one (coupled with tactical null routes) become more important to consumers. More competition on network-based security measures will help to protect them from (technically) harmful content. In some collapsed consumer markets, it might enable ISPs to charge extra fees and compete on these additional services, avoiding a complete meltdown of the market and a return to an oligopoly.
SMB> Date: Mon, 10 Jul 2006 23:40:02 -0400 SMB> From: Steven M. Bellovin [ snipping points to which I'm not responding ] SMB> The third is that not all the world is a web site. Indeed, different apps have different requirements. SRV-ish granularity would be useful. Eddy -- Everquick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita ________________________________________________________________________ DO NOT send mail to the following addresses: davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net Sending mail to spambait addresses is a great way to get blocked. Ditto for broken OOO autoresponders and foolish AV software backscatter.
Gerry Boudreaux <gerry@tape.net> writes:
It is not VeriSign this time.
It is not even remotely the same as SiteFinder either. It requires people to make a conscious decision to use different nameservers than the ones they're currently using, and is likely to get the same or less level of traction as the alternative roots have. Since it's completely opt-in, people can feel free to ignore it, as I shall. Sure would have been nice to be able to simply ignore Sitefinder.
For those who have not yet seen this:
They will 'correct' your spelling mistakes for you.
yawn. ---rob
On Jul 10, 2006, at 6:44 AM, Gerry Boudreaux wrote:
For those who have not yet seen this: http://www.opendns.com/ They will 'correct' your spelling mistakes for you.
I'm happy to answer any and all questions off-list but I want to point out one aspect that hasn't quite been messaged correctly. A big point being missed is the addition of "if you want." We have written this as a recursive dns service that can do different things to different IPs. You quote from our FAQ but you leave out the clueful parts of the FAQ so this is one that's important:
How do I turn off phishing protection or typo correction?
If you want to use OpenDNS but do not want phishing protection and/or typo correction, you may ask us to disable that protection for you. Currently, setting these preferences requires an OpenDNS team member. In the future, you may manage this preference yourself, if registered. Registration will be free, and not required to use the service. This preference will be offered first for members with a static IP address, and then for those with dynamic IP addresses.
So if you want standard NXDOMAIN, that's fine. Happy to do it. Different strokes for different folks. That's the whole idea. We're not new at this, or looking to make a quick buck by annoying you with ads. I recommend giving it a try and letting me know your thoughts. The idea of both building an intelligent recursive dns server and a recursive DNS service are both a long time in the making and make a lot of sense. Perhaps we can work on our messaging to more technical audiences. :-) Best, David Ulevitch
From their FAQ: -------------- Why is OpenDNS smarter?
We fix typos in the URLs you enter whenever we can. For example, if you're using OpenDNS craigslist.og will lead directly to craigslist.org. If we're not sure what to do with an error, we provide search results for you to choose from.
How does OpenDNS make money?
OpenDNS makes money by offering clearly labeled advertisements alongside search results on error pages. OpenDNS will provide additional services on top of its enhanced DNS service. ---------------
On Jul 10, 2006, at 10:47 AM, David Ulevitch wrote:
On Jul 10, 2006, at 6:44 AM, Gerry Boudreaux wrote:
For those who have not yet seen this: http://www.opendns.com/ They will 'correct' your spelling mistakes for you.
I'm happy to answer any and all questions off-list but I want to point out one aspect that hasn't quite been messaged correctly. A big point being missed is the addition of "if you want."
We have written this as a recursive dns service that can do different things to different IPs. You quote from our FAQ but you leave out the clueful parts of the FAQ so this is one that's important:
How do I turn off phishing protection or typo correction?
If you want to use OpenDNS but do not want phishing protection and/or typo correction, you may ask us to disable that protection for you. Currently, setting these preferences requires an OpenDNS team member. In the future, you may manage this preference yourself, if registered. Registration will be free, and not required to use the service. This preference will be offered first for members with a static IP address, and then for those with dynamic IP addresses.
So if you want standard NXDOMAIN, that's fine. Happy to do it. Different strokes for different folks. That's the whole idea.
We're not new at this, or looking to make a quick buck by annoying you with ads. I recommend giving it a try and letting me know your thoughts. The idea of both building an intelligent recursive dns server and a recursive DNS service are both a long time in the making and make a lot of sense. Perhaps we can work on our messaging to more technical audiences. :-)
Best, David Ulevitch
I stand corrected. After reading further, it does appear to provide a useful service that many will find meets/exceeds their needs. Thanks
Gerry,

I sat on the Security and Stability committee for ICANN and was part of the folks that reviewed SiteFinder.

OpenDNS is not SiteFinder; Give them a try, the DNS resolution is blazing fast and they do fix up the most common typos.

One thing massively different between openDNS and SiteFinder is that you have choice -- the choice to use them. IMHO many will choose to use OpenDNS because it is fast and can offer protections you just can't get from running your own resolver.

best,

-rick

Gerry Boudreaux wrote:
It is not VeriSign this time.
For those who have not yet seen this:
They will 'correct' your spelling mistakes for you.
From their FAQ: -------------- Why is OpenDNS smarter?
We fix typos in the URLs you enter whenever we can. For example, if you're using OpenDNS craigslist.og will lead directly to craigslist.org. If we're not sure what to do with an error, we provide search results for you to choose from.
How does OpenDNS make money?
OpenDNS makes money by offering clearly labeled advertisements alongside search results on error pages. OpenDNS will provide additional services on top of its enhanced DNS service. ---------------
On Mon, Jul 10, 2006 at 09:06:20AM -0700, Rick Wesson <wessorh@ar.com> wrote a message of 49 lines which said:
OpenDNS is not SiteFinder; Give them a try, the DNS resolution is blazing fast
For the typical NANOGer, yes, but remember that the Internet is larger than that. From France, the RTT is very poor (more than 200 ms), whatever the speed of their application.
On Mon, 10 Jul 2006, Gerry Boudreaux wrote:
It is not VeriSign this time.
For those who have not yet seen this:
They will 'correct' your spelling mistakes for you.
hurrah :( cause obviously everything in the world using dns is a browser? :( As a note, some other folks do this as well: www.paxfire.com nominum perhaps as well? :( Seems really, really dumb to me, since everything is NOT (surprised?) a web browser :( I wonder what happens when it tries to correct my enum dns requests? Be cautious that some largish provider's dns caches might be doing this as well 'soon' despite engineering folks saying 'gosh that seems like a very poor plan...' :( 'fun'!
Christopher L. Morrow wrote:
:( Seems really, really dumb to me, since everything is NOT (surprised?) a web browser :( I wonder what happens when it tries to correct my enum dns requests? Be cautious that some largish provider's dns caches might be doing this as well 'soon' despite engineering folks saying 'gosh that seems like a very poor plan...' :(
'fun'!
All of the arguments I've heard against this idea today apply well and good to the context of a sitefinder, but the simple fact that this is an application oriented enhancement to DNS resolvers fall on deaf ears.

David has already responded that people can configure their resolver service to return NXDOMAINs instead and nobody here has acknowledged it.

The more I see people laugh at this, the more I'm convinced this idea has legs. (and if anybody is wondering, I have no affiliation with it.) I just see a lot of the grief caused by phishers, and a lot of the spam crap sites clogging the net and it's nice to see somebody taking a fresh approach, doing something about it and adding another avenue of mitigation to the equation.

-mark

(P.S. One of the reasons I'm behind this so much is because David has been a long time participant in the DNSbl.org project and I know he's a "white hat" DNS guy trying to fight the good fight, so when I look at this project, I see Dave's track record behind it.)

--
Mark Jeftovic <markjr@easydns.com>
Founder & President, easyDNS Technologies Inc.
ph. +1-(416)-535-8672 ext 225
fx. +1-(866) 273-2892
(Note that I've not examined OpenDNS's offering, so I'm _not_ pretending to comment on what they do.)

Let's quit looking at overly-simplistic correction mechanisms. Do spell checkers force autocorrection with only a single choice per misspelled word?

Return an A RR that points to a <correction service>-controlled system. Said system examines HTTP "Host" header, then returns a page listing multiple possibilities.

"The site you specified does not exist. Here is a list of sites that you may be trying to access: ..."

I'm generally ignoring other protocols to limit the discussion scope. However, one can see how SMTP and FTP might be similarly handled. (IMHO not as good as a SRV-ish system that could return NXDOMAIN per service, but actually somewhat usable today.)

Eddy

--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
________________________________________________________________________
DO NOT send mail to the following addresses:
davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
Edward B. DREGER wrote:
I'm generally ignoring other protocols to limit the discussion scope. However, one can see how SMTP and FTP might be similarly handled. (IMHO not as good as a SRV-ish system that could return NXDOMAIN per service, but actually somewhat usable today.)
No, you should not. The other important things that come into my mind are

mail
----
My thunderbird does use dns, looking for MX records mostly. For me it is the most important application.

phone
-----
Either VoIP or Skype they both need dns, looking for NAPTR? The box is hardware. It does not run windows and it has its own resolver onboard.

dns
---
Some resolvers do not use forwarders. They know whom to query. They will get a hiccup if somebody is returning them the wrong ip address for a nameserver (agreed, if you use e.g. djbdns you most likely will not use OpenDNS in the first place)

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
mail: peter@echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Thus spake "Edward B. DREGER" <eddy+public+spam@noc.everquick.net>
(Note that I've not examined OpenDNS's offering, so I'm _not_ pretending to comment on what they do.)
Let's quit looking at overly-simplistic correction mechanisms. Do spell checkers force autocorrection with only a single choice per misspelled word?
Ever used Word or Outlook? They annoyingly "fix" words as you type without offering multiple choices or even alerting the user that they're doing it. I've learned to re-read what I write several times now because I've been burned too many times by jargon being "corrected" to unrelated "real" words -- but I type "teh" and similar things often enough I can't afford to turn the feature off. (And my employer requires me to use those apps, so all you anti-MS folks please sit back down) OpenDNS's typo-fixing service can supposedly be turned off, but I don't see how that would work when you have multiple users behind a NAT or a recursive server. There also may be hidden problems if an ISP pushes all of their users onto this service and the users have no clue they've been "opted in" or how to opt back out (and we all know how well "opt out" systems work for email in general).
Return an A RR that points to a <correction service>-controlled system. Said system examines HTTP "Host" header, then returns a page listing multiple possibilities.
"The site you specified does not exist. Here is a list of sites that you may be trying to access: ..."
And that solves most of my objections, at least for HTTP. It still breaks a lot of other protocols.
I'm generally ignoring other protocols to limit the discussion scope. However, one can see how SMTP and FTP might be similarly handled. (IMHO not as good as a SRV-ish system that could return NXDOMAIN per service, but actually somewhat usable today.)
If web browsers consulted SRV records instead of blindly connecting to the A, that would appear to solve everything: NXDOMAIN for the A but the HTTP SRV could point to the typo-correction server. I'd not be inclined to argue with such a setup, but it requires a refresh of every browser out there, so it's not realistic.

S

Stephen Sprunk
CCIE #3723
K5SSS
"Stupid people surround themselves with smart people. Smart people surround themselves with smart people who disagree with them." --Aaron Sorkin
participants (18)
- Christopher L. Morrow
- David Ulevitch
- Edward B. DREGER
- Florian Weimer
- Gerry Boudreaux
- Jeroen Massar
- Joe Greco
- leo vegoda
- Mark Jeftovic
- Niels Bakker
- Patrick W. Gilmore
- Peter Dambier
- Rick Wesson
- Robert E.Seastrom
- Simon Waters
- Stephane Bortzmeyer
- Stephen Sprunk
- Steven M. Bellovin