I work for a big French ISP and I manage the DNS architecture (based on Linux + BIND). Golog has proposed to our company a DNS redirect service (redirecting all non-existent domains according to marketing criteria). Even though our marketing team would like to adopt this solution, our technical team strongly opposes such a non-standard implementation of DNS. Can you suggest any objective reasons for rejecting this proposal? Regards, Luke
On Thursday 19 Oct 2006 13:50, you wrote:
> Can you suggest any objective reasons for rejecting this proposal?
Been done to death here before, assuming it is the same sort of DNS hack as the others.

Basically, if you can guarantee that all DNS servers are used exclusively for browsing, then it probably won't generate much of a problem (maybe complaints, but not that many technical problems). If your clients use DNS for SMTP (or possibly other stuff, but SMTP will do), then a wildcard breaks a lot of things. You can demonstrate whether clients use DNS in such a fashion: dump the database and look for the common DNSBLs used for spam filtering. If that data is in your cache, at least one of your clients' email systems will likely break with this change.

Stefan blogged this in response to a previous discussion here: http://blog.zaphods.net/articles/2006/07/17/re-sitefinder-ii-the-sequel

Of course it is a business decision; upsetting lots of customers, losing a lot of email and breaking common Internet assumptions may be a good business decision if the customers left generate you enough revenue. But I would be cautious myself.

Wildcard DNS can make troubleshooting a problem due to a mistyped name a real pain. I know I've had that pain, what with ssh claiming that the key had changed, and all sorts of weirdness I didn't need when the pager went off in the small hours, because I typed a name wrong and got a server I wasn't expecting.
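The following is an added example and not part of Simon's message or anything the thread itself contains. It shows the two points made above in runnable form: first, a toy resolver that either returns NXDOMAIN honestly or rewrites every non-existent name to a marketing landing address, and a DNSBL check run against both behaviours (a naive client treats "any answer" as "listed", so the rewrite makes every sender IP look blacklisted; a defensive client only accepts answers inside 127.0.0.0/8, the range DNSBLs actually use for listing codes); second, a small scanner over BIND cache-dump style lines that flags names ending in DNSBL zones, which is the "dump the database and look for DNSBLs" check. The landing address 192.0.2.10, the zone "bl.example.net." and the cache-dump lines are all constructed sample data; the resolver is a stand-in for BIND, not BIND's own code.

```python
"""Added example: NXDOMAIN rewriting versus DNSBL lookups, plus a
cache-dump scan for DNSBL-style names.  Everything here is constructed
sample data; the toy resolver stands in for a real recursive server."""
import ipaddress
import re

# Hypothetical "search/marketing" landing host returned for every NXDOMAIN.
REDIRECT_TARGET = "192.0.2.10"

# Constructed toy zone data: the only names the resolver really knows.
# 192.0.2.1 is genuinely listed in the toy DNSBL "bl.example.net."
# (listing codes live in 127.0.0.0/8, as real DNSBLs do).
ZONE_DATA = {
    "www.example.com.": "93.184.216.34",
    "1.2.0.192.bl.example.net.": "127.0.0.2",
}


def resolve(name, rewrite_nxdomain=False):
    """Toy resolver: return an A record string, or None for NXDOMAIN.
    With rewrite_nxdomain=True every non-existent name is answered with
    REDIRECT_TARGET, which is what a wildcard redirect service does."""
    if name in ZONE_DATA:
        return ZONE_DATA[name]
    return REDIRECT_TARGET if rewrite_nxdomain else None


def dnsbl_name(ip, zone):
    """Build the reversed-octet query name, e.g. 1.2.0.192.bl.example.net."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed_naive(ip, zone, rewrite_nxdomain=False):
    """What many MTAs do: any answer at all means 'listed'.
    Under NXDOMAIN rewriting this reports every IP as listed."""
    return resolve(dnsbl_name(ip, zone), rewrite_nxdomain) is not None


def dnsbl_listed_strict(ip, zone, rewrite_nxdomain=False):
    """Defensive client: only accept a 127.0.0.0/8 answer as a listing,
    so a redirect address outside that range is ignored."""
    answer = resolve(dnsbl_name(ip, zone), rewrite_nxdomain)
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


# Constructed lines in the style of a BIND cache dump; only the
# "name TTL ..." shape matters to the scanner below.
SAMPLE_CACHE_DUMP = """\
; Start view _default
www.example.com.\t3600\tIN\tA\t93.184.216.34
4.3.2.1.zen.spamhaus.org.\t300\tIN\tA\t127.0.0.4
8.8.8.8.bl.example.net.\t300\t\\-ANY\t;-$NXDOMAIN
mail.example.org.\t3600\tIN\tMX\t10 mx.example.org.
"""

# Zones to look for; extend with whatever DNSBLs your customers use.
DNSBL_SUFFIXES = ("zen.spamhaus.org.", "bl.example.net.")

LINE_RE = re.compile(r"^(\S+)\s+\d+\s")


def find_dnsbl_lookups(dump_text, suffixes=DNSBL_SUFFIXES):
    """Return the owner names in a cache dump that end in a DNSBL zone.
    Any hit means some client resolves DNSBLs through this server and
    would be affected by NXDOMAIN rewriting."""
    hits = []
    for line in dump_text.splitlines():
        if line.startswith(";"):
            continue
        m = LINE_RE.match(line)
        if m and m.group(1).endswith(suffixes):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for rewrite in (False, True):
        print("rewrite_nxdomain =", rewrite)
        print("  8.8.8.8 listed (naive client): ",
              dnsbl_listed_naive("8.8.8.8", "bl.example.net.", rewrite))
        print("  8.8.8.8 listed (strict client):",
              dnsbl_listed_strict("8.8.8.8", "bl.example.net.", rewrite))
    print("DNSBL names seen in cache:", find_dnsbl_lookups(SAMPLE_CACHE_DUMP))
```

The naive check is the one that breaks: with rewriting on, a clean sender such as 8.8.8.8 is reported as listed, so an MTA relying on it starts rejecting legitimate mail. The strict check survives only because the redirect target is outside 127.0.0.0/8, and you cannot assume every customer MTA validates the answer that way. Running the scanner over a real `rndc dumpdb -cache` output tells you whether any such client exists before the change is made.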
On Thu, 19 Oct 2006 14:50:37 +0200, Luke Besson said:
> Can you suggest any objective reasons for rejecting this proposal?
Others have pointed out that wildcarding *might* work when done to consenting HTTP traffic. It certainly doesn't work very well if applied to non-consenting HTTP, or non-HTTP. On the other hand, if your policy-makers want to get a piece of the big revenue stream and positive PR that Verisign and Earthlink got when they deployed similar schemes, there isn't much I can do other than channel Randy Bush at you....
* very.luke@gmail.com (Luke Besson) [Thu 19 Oct 2006, 14:51 CEST]:
> I work for a big French ISP and I manage the DNS architecture (based on Linux + BIND). Golog has proposed to our company a DNS redirect service (redirecting all non-existent domains according to marketing criteria). [..] Can you suggest any objective reasons for rejecting this proposal?
http://www.icann.org/committees/security/ssac-report-09jul04.pdf

HTH

-- Niels.

--
This message shall not be carried in aircraft on combat missions or when there is a reasonable chance of its falling into the hands of an unfriendly nation, unless specifically authorised by the Author.
participants (4)
- Luke Besson
- Niels Bakker
- Simon Waters
- Valdis.Kletnieks@vt.edu