On Sep 29, 2011, at 4:06 PM, Bill Owens wrote:

> I've obviously been asleep and not following along with the announcements of 
> new features in BIND 9.9 until today

I'm happy you read it, and hope to see you at the forum/customer webinar next 
week!  I'll be speaking, and will bring my fireproof undies.

> . . . both Evan's blog post 
> <http://www.isc.org/community/blog/201109/isc-bind-990a1-feature-preview> and 
> the announcement of next week's webinar include NXDOMAIN redirection as the 
> first new feature. I'm really surprised by that - is this something that BIND 
> users were clamoring for?

Yes.

> Or is it a situation where other servers were providing this feature, and 
> BIND needed it to maintain parity?

Yes.

> Obviously those of us who find this idea disturbing don't need to enable it, 
> and DNSSEC provides an effective defense against those who would enable it* 
> but it still leaves me curious.

We came to the conclusion that no matter how much we wanted it to not be true, 
people find a way to do NXDOMAIN if they want to.  The issue is not ours to 
push, it's between the ISP and the customer ultimately, and people will do it 
-- and more intrusively -- than BIND 9.9 will.

> *except that perhaps those who enable this feature will use it as an excuse 
> to avoid enabling validation, which would be a very bad result, IMO. . .

That's perhaps the case, but once again, it's up to the ISP ultimately.  Don't 
think that just because BIND 9 didn't do this before, that people didn't.  They 
instead use a proxy which filters answers, for instance, and returns whatever 
they want to the customer.

--Michael

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
