North American Network Operators Group
Re: Interesting new dns failures
- From: David Ulevitch
- Date: Thu May 24 03:02:33 2007
Douglas Otis wrote:
> On May 22, 2007, at 2:16 PM, Gadi Evron wrote:
>> On Tue, 22 May 2007, David Ulevitch wrote:
>>> These questions, and more (but I'm biased to DNS), can be solved at
>>> the edge for those who want them. It's decentralized there. It's
>>> done the right way there. It's also doable in a safe and fail-open
>>> kind of way.
>> This is what I'm talking about.
> Agreed.
>
> Gadi,
>
> What is the downside of a "preview" of zones being published by a
> TLD? Previews could be on a 12 or 24 hour cycle. This would enable
> defenses at the edge by disabling fast-flux outright. There could be
> exceptions, of course. When millions of domains are in rapid flux
> daily, few protective schemes are able to sustain or afford the
> dispersion of raw threat information. In addition, these raw updates
> arrive too late at that. A "preview" would not change how the core
> works, only how fast changes occur, while also dramatically reducing
> the amount of data required for comprehensive protections at the edge.
> This would be a policy change at the core that enables defenses at the
> edge.
Lots of people already track newly added domains. Rick Wesson runs a
feed called Day old bread that is just such a feed.
Again, good idea, but doesn't belong in the core. If I register a
domain, it should be live immediately, not after some 5 day waiting
period. On the same token, if you want to track new domains and not
accept any email from me until my domain is 5 days old, go for it. Your
prerogative.
-david
> -Doug
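The edge-side check David describes (refuse, or rather defer, mail from a domain until it is some days old, and do it in a fail-open way), as an added example that is not part of this message or the thread. The feed format ("domain first-seen-timestamp" per line), the sample feed lines, the five-day threshold and the two-label reduction to a registrable domain are all assumptions made for the example; it does not model the actual format of Rick Wesson's feed or any other real data source.

```python
# Added example (not from the NANOG thread): an edge-side "new domain" check
# for an MTA.  If the sender's domain showed up in a newly-registered-domain
# feed less than N days ago, tempfail the message (SMTP 4xx, so legitimate
# senders simply retry later); if the feed is missing or stale, fail open
# and accept rather than silently dropping mail.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional


def utc(stamp: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def registrable_domain(name: str) -> str:
    """Reduce a hostname to its registrable domain.

    Simplification for the example: keep the last two labels.  A real
    deployment would consult the Public Suffix List so that, for example,
    'foo.example.co.uk' maps to 'example.co.uk' and not 'co.uk'.
    """
    labels = name.strip().rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


@dataclass
class Verdict:
    domain: str
    action: str  # "accept" or "defer"
    reason: str


class NewDomainPolicy:
    def __init__(self, min_age: timedelta, max_feed_staleness: timedelta) -> None:
        self.min_age = min_age
        self.max_feed_staleness = max_feed_staleness
        self.first_seen: Dict[str, datetime] = {}
        self.feed_fetched_at: Optional[datetime] = None

    def load_feed(self, lines: Iterable[str], fetched_at: datetime) -> int:
        """Load 'domain first-seen-timestamp' lines (assumed feed format).

        Hostnames collapse onto their registrable domain, and the earliest
        timestamp wins if a domain appears more than once.  Returns the
        number of entries loaded.
        """
        loaded = 0
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            domain, stamp = line.split()
            domain = registrable_domain(domain)
            seen = utc(stamp)
            prev = self.first_seen.get(domain)
            if prev is None or seen < prev:
                self.first_seen[domain] = seen
            loaded += 1
        self.feed_fetched_at = fetched_at
        return loaded

    def evaluate(self, sender_domain: str, now: datetime) -> Verdict:
        domain = registrable_domain(sender_domain)
        # Fail open: no feed, or a feed older than we trust, must not block mail.
        if self.feed_fetched_at is None or now - self.feed_fetched_at > self.max_feed_staleness:
            return Verdict(domain, "accept", "new-domain feed missing or stale; failing open")
        first_seen = self.first_seen.get(domain)
        if first_seen is None:
            return Verdict(domain, "accept", "not in the new-domain feed")
        age = now - first_seen
        if age < self.min_age:
            return Verdict(domain, "defer", f"domain first seen {age} ago, under {self.min_age}")
        return Verdict(domain, "accept", f"domain first seen {age} ago")


# Constructed feed lines (not real data) in the assumed format.
SAMPLE_FEED = [
    "# domain first-seen (UTC)",
    "fresh-flux.example 2007-05-23T10:00:00Z",
    "mail.fresh-flux.example 2007-05-23T12:00:00Z",  # collapses onto fresh-flux.example
    "settled.example 2007-05-10T00:00:00Z",
]
NOW = utc("2007-05-24T03:02:33Z")  # the timestamp of the message above


def run_demo(feed_fetched_at: str = "2007-05-24T00:00:00Z") -> Dict[str, str]:
    """Evaluate a few sender hostnames against a 5-day threshold; returns {sender: action}."""
    policy = NewDomainPolicy(min_age=timedelta(days=5), max_feed_staleness=timedelta(days=1))
    policy.load_feed(SAMPLE_FEED, utc(feed_fetched_at))
    senders = ["smtp.fresh-flux.example", "settled.example", "nanog.org"]
    return {s: policy.evaluate(s, NOW).action for s in senders}


if __name__ == "__main__":
    for sender, action in run_demo().items():
        print(f"{sender:28} {action}")
    # A feed last fetched four days ago is past the one-day staleness limit,
    # so every sender is accepted: the check fails open rather than closed.
    print("stale feed:", run_demo("2007-05-20T00:00:00Z"))
```

With the sample feed, mail from `smtp.fresh-flux.example` is deferred (the domain is about 17 hours old), `settled.example` and the unlisted `nanog.org` are accepted, and the same senders are all accepted when the feed is stale. Deferring rather than rejecting is what keeps this safe for a legitimate new registrant: the message is retried by the sending MTA and goes through once the domain ages past the threshold, so the cost of the check is a delay rather than lost mail.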