North American Network Operators Group

Re: Hey, SiteFinder is back, again...

  • From: Patrick W. Gilmore
  • Date: Mon Nov 05 11:55:49 2007

On Nov 5, 2007, at 10:54 AM, Andrew Sullivan wrote:
> On Sun, Nov 04, 2007 at 08:32:25AM -0500, Patrick W. Gilmore wrote:
>
>> A single provider doing this is not equivalent to the root servers doing it. You can change providers, you can't change "." in DNS.
>
> This is true, but Verisign wasn't doing it on root servers, IIRC, but on the .com and .net TLD servers. Not that that's any better.

Touché. Guess I wasn't awake when I wrote that. But .com/.net is still bad (as you say).

> The last time I heard a discussion of this topic, though, I heard
> someone make the point that there's a big difference between
> authority servers and recursing resolvers, which is the same sort of
> point as above.  That is, if you do this in the authority servers for
> _any_ domain (., .com, .info, or for that matter),
> it's automatically evil, because of the meaning of "authority".  One
> could argue that it is less evil to do this at recursive servers,
> because people could choose not to use that service by installing
> their own full resolvers or whatever.  I don't know that I accept the
> argument, but let's be clear at least in the difference between doing
> this on authority servers and recursing resolvers.

I would argue against such a blanket statement. Doing this in an authority for a TLD is bad, because most people don't have a choice of TLD. (Or at least think they don't.)

But if I want to put in a wildcard for *, then there is nothing evil about that. In fact, I've been doing so for years (just 'cause I'm lazy), and no one has even noticed. It is my domain, I should be allowed to do whatever I want with it as long as I pay my $10/year and don't use it to abuse someone else.

Hijacking user requests on caching name servers is very, very bad, because 1) the user probably doesn't know they are being hijacked, and 2) even if the user did, most wouldn't know how to get around it. So you're back to the TLD authority problem, there is no choice in the matter.
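
Added example, not part of the original message or thread: a defender-side check that tells the two cases discussed above apart by asking both a recursive resolver and the zone's authority server for random, almost certainly unregistered names and comparing the DNS response codes. The function names are hypothetical, and the zone and the two server addresses are inputs the reader supplies.

```python
import secrets
import socket
import struct

NOERROR, NXDOMAIN = 0, 3

def build_query(name, qid):
    """Encode a minimal DNS query for an A record, class IN, RD bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_header(resp):
    """Return (id, rcode, answer_count) from a DNS response header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return qid, flags & 0x000F, an

def udp_ask(server, name, timeout=3.0):
    """Send one query to server:53 over UDP and return (rcode, answer_count)."""
    qid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        resp, _ = s.recvfrom(4096)
    rid, rcode, an = parse_header(resp)
    if rid != qid:
        raise ValueError("response ID does not match query")
    return rcode, an

def answered(result):
    """True when the server returned NOERROR with at least one answer record."""
    return result[0] == NOERROR and result[1] > 0

def classify(zone, recursive, authority, ask=udp_ask, probes=3):
    """Compare both vantage points on random names that should not exist."""
    names = [f"{secrets.token_hex(12)}.{zone}" for _ in range(probes)]
    rec = [ask(recursive, n) for n in names]
    auth = [ask(authority, n) for n in names]
    if all(answered(a) for a in auth):
        return "authority-wildcard"   # the zone owner publishes a wildcard
    if all(a[0] == NXDOMAIN for a in auth) and all(answered(r) for r in rec):
        return "resolver-rewrite"     # authority says no, resolver invents data
    if all(r[0] == NXDOMAIN for r in rec):
        return "clean"
    return "inconclusive"             # mixed results, e.g. NODATA or SERVFAIL
```

Several probes are used so that one coincidentally registered name does not decide the result.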