North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Verisign Responds

  • From: Daniel Karrenberg
  • Date: Tue Sep 23 04:16:26 2003

On 23.09 06:07, Paul Vixie wrote:
>         We call on the IAB, the IETF, and the operational community to
>         examine the specifications for the domain name system and consider
>         whether additional specifications could improve the stability of
>         the overall system. Most urgently, we ask for definitive
>         recommendations regarding the use and operation of wildcard DNS
>         names in TLDs and the root domain, so that actions and expectations
>         can become universal. With respect to the broader architectural
>         issues, we call on the technical community to clarify the role of
>         error responses and on the separation of architectural layers,
>         particularly and their interaction with security and stability.
> 
> and it does seem rather urgent that if a wildcard in the root domain or in
> a top level domain is dangerous and bad, that the ietf say so out loud so
> that icann has a respected external reference to include in their contracts.

The IAB has done an excellent job with 
http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html.
I quote:

"...
Proposed guideline: If you want to use wildcards in your zone and
understand the risks, go ahead, but only do so with the informed consent
of the entities that are delegated within your zone. 

Generally, we do not recommend the use of wildcards for record types
that affect more than one application protocol.  At the present time,
the only record types that do not affect more than one application
protocol are MX records. 

For zones that do delegations, we do not recommend even wildcard MX
records.  If they are used, the owners of zones delegated from that zone
must be made aware of that policy and must be given assistance to ensure
appropriate behavior for MX names within the delegated zone.  In other
words, the parent zone operator must not reroute mail destined for the
child zone without the child zone's permission. 

We hesitate to recommend a flat prohibition against wildcards in
"registry"-class zones, but strongly suggest that the burden of proof in
such cases should be on the registry to demonstrate that their intended
use of wildcards will not pose a threat to stable operation of the DNS
or predictable behavior for applications and users. 

We recommend that any and all TLDs which use wildcards in a manner
inconsistent with this guideline remove such wildcards at the earliest
opportunity."

What else does the IETF need to do here?

This should be enough of an expert opinion for ICANN and others 
like the US DoC in the sort term. Verisign have realised that and
are talking about an -so far vapour- expert panel to counter that.
I wonder about its composition .....

Daniel