North American Network Operators Group


Re: VeriSign SMTP reject server updated

  • From: Stephen J. Wilcox
  • Date: Sun Sep 21 13:04:06 2003

On Sun, 21 Sep 2003, Eric A. Hall wrote:

> on 9/21/2003 11:19 AM E.B. Dreger wrote:
> 
> > Return NOERROR for one type of RR, but NXDOMAIN for another?  Is
> > that valid?!  Hit me with a clue-by-four if appropriate, but I
> > thought NOERROR/NXDOMAIN was returned per-host, regardless of
> > RRTYPE requested.  Giving NXDOMAIN for MX yet returning NOERROR
> > for A RRs doesn't sound kosher.
> 
> It's not valid and it won't work very well if it works at all. Your local
> cache will use whatever it learned on the last query.

I didn't say it was valid :) just that if VeriSign can't be stopped with their A 
record we might be able to mitigate some of the things they broke (of course 
for a gTLD to respond this way implies VeriSign actually implements this broken 
idea)

> This is the seed for another problem set with the various workarounds as
> well, although I'm still thinking these through. Different servers that
> provide different kinds of glue could theoretically trip your cache.

Maybe, needs more thought for sure.
 
> At this point, I think we're on the verge of having multiple (different)
> namespaces, which is extremely dangerous. At the same time, the arguments
> against multiple roots are pretty much going out the window.

Not at all, the problem is with .com and .net ... you aren't seriously going to 
use an alternative root using someone else's .com/.net zones, surely.
 
> To be clear, however, I don't think the workarounds are the problem. I
> think VeriSign has broken DNS by conflating error codes.

Yup, it perhaps needs a couple more weeks for the dust to settle, but early 
indications are that they do not intend to give this up without a fight and thus 
far no one has engaged them properly.

Steve
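Added illustration, not part of this thread: a toy caching resolver showing why the per-RRtype NXDOMAIN/NOERROR split discussed above trips the cache Eric mentions. The authority function, the zone name and the address are constructed for the example.

```python
"""Toy caching resolver with RFC 2308-style negative caching.  Constructed
model (not real VeriSign or gTLD behaviour): shows why an authority that
answers NXDOMAIN for MX but NOERROR for A gives results that depend on
which type a client asked for first."""


def inconsistent_authority(name, rrtype):
    """Constructed authority: has an A record for the name, yet claims the
    whole name does not exist when asked for anything else."""
    zone = {("unregistered.example", "A"): ["192.0.2.1"]}
    if (name, rrtype) in zone:
        return "NOERROR", zone[(name, rrtype)]
    return "NXDOMAIN", []


class Resolver:
    """Caches positive answers per (name, type) and NXDOMAIN per name,
    because NXDOMAIN asserts that no RRs of any type exist at the name."""

    def __init__(self, authority):
        self.authority = authority
        self.positive = {}      # (name, rrtype) -> rdata
        self.nxdomain = set()   # names the cache believes do not exist

    def lookup(self, name, rrtype):
        # A cached NXDOMAIN covers every type, so it is checked first.
        if name in self.nxdomain:
            return "NXDOMAIN", [], "cache"
        if (name, rrtype) in self.positive:
            return "NOERROR", self.positive[(name, rrtype)], "cache"
        rcode, rdata = self.authority(name, rrtype)
        if rcode == "NXDOMAIN":
            self.nxdomain.add(name)   # name-wide negative entry
        else:
            self.positive[(name, rrtype)] = rdata
        return rcode, rdata, "authority"


def query_order_matters(name="unregistered.example"):
    """Return the rcodes a client sees for A: before any MX query, after an
    MX query on the same resolver, and on a resolver that asked MX first."""
    a_first = Resolver(inconsistent_authority)
    before = a_first.lookup(name, "A")[0]      # NOERROR from authority
    a_first.lookup(name, "MX")                 # NXDOMAIN poisons the name
    after = a_first.lookup(name, "A")[0]       # now NXDOMAIN from cache
    mx_first = Resolver(inconsistent_authority)
    mx_first.lookup(name, "MX")
    return before, after, mx_first.lookup(name, "A")[0]
```

The same name resolves, then stops resolving, depending only on whether some other client asked for MX in between; that is the namespace inconsistency the thread is worried about.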