On 2/9/12 9:43 AM, "Lyle Giese" <l...@lcrcomputer.net> wrote:
> This is just my opinion, but this is not a bug. It's the side effect of
> a desirable feature called caching.
>
> Yeah, we can brainstorm how to mitigate the effect, but in order to
> mitigate a problem, we have to know that there is a problem (revoked or
> bad domain).
>
> 1) How would we (as DNS server operators) know when a domain name is
> revoked? (Gee, sounds like what the US government wants to do, and it
> seems the community does not like that idea, and I agree it's a bad idea
> to put the US DHS in charge of that list.)
+1 on less government (note: that doesn't mean a lack of regulation, but it should be community driven IMCO).

It really seems we need a "revoked domains" feed that could be used with RPZ to implement the desired local policy (or not; choice rocks). Obviously this would need to be hosted somewhere like other DNSBLs, but it would also need a well-defined mechanism (a simple web services API?) for registrars to submit data... and then, of course, there's the issue of participation.

That said, this isn't a threat to the DNS servers themselves. The main concern is that someone could maintain a revoked domain and possibly redirect folks there. Controlling access to "bad" domains, revoked or not, may be better accomplished by having local protection (think web proxy/AV scanning with 0-day signatures) that reduces the impact "rogue" domains could have on your organization.

--
Work is the curse of the drinking classes.
-- Mike Romanoff
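To make the "revoked domains feed + RPZ" idea from the reply above concrete, here is an added example (not code from the original thread or from ISC) that turns a plain-text feed of revoked domain names into a BIND Response Policy Zone file. The feed format (one name per line, "#" comments), the zone name "rpz.local", the SOA/NS placeholders and the sample feed contents are all assumptions made for the example; the RPZ record semantics (a "CNAME ." trigger answers NXDOMAIN, and a "*.name" trigger covers subdomains) are BIND's documented behaviour. The parser drops anything that is not a syntactically valid hostname so that a malformed or hostile feed line cannot become a zone record.

```python
"""Build a BIND Response Policy Zone (RPZ) from a plain-text feed of revoked domains.

Added example for the bind-users thread; not part of the original post or of BIND.
Assumed wiring in named.conf (not shown as live config here):

    options { response-policy { zone "rpz.local"; }; };
    zone "rpz.local" { type master; file "rpz.local.zone"; allow-query { localhost; }; };
"""
import re
from typing import Iterable, List

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample feed (reserved .test/.invalid names); not a real revocation list.
SAMPLE_FEED = """\
# constructed sample feed for the example
Revoked-Example.test.
revoked-example.test
bad host.invalid        # spaces are not allowed in a hostname
-leading-hyphen.test
another.example.test
"""


def is_valid_hostname(name: str) -> bool:
    """Accept only lowercase, dot-separated, RFC-1123-style names with 2+ labels."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:
        return False
    return all(LABEL_RE.match(label) for label in labels)


def parse_feed(text: str) -> List[str]:
    """Parse a revoked-domains feed: one name per line, '#' comments, blanks ignored.

    Names are lowercased, a trailing dot is stripped, invalid entries are dropped,
    duplicates are removed, and the result is sorted so the zone is deterministic.
    """
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        if not is_valid_hostname(line):
            continue  # never let a malformed feed line become a zone record
        seen.add(line)
    return sorted(seen)


def build_rpz_zone(domains: Iterable[str], origin: str = "rpz.local",
                   serial: int = 1, action: str = ".") -> str:
    """Render an RPZ zone file as text.

    action "."  -> CNAME .   : the resolver answers NXDOMAIN for the name
    action "*." -> CNAME *.  : the resolver answers NODATA
    action "sinkhole.example.net." -> redirect to a walled-garden host (your choice)
    Each domain gets a trigger for itself and a "*." trigger for its subdomains.
    """
    lines = [
        "$TTL 300",
        f"$ORIGIN {origin}.",
        f"@ IN SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for name in domains:
        lines.append(f"{name} CNAME {action}")
        lines.append(f"*.{name} CNAME {action}")
    return "\n".join(lines) + "\n"


def feed_to_zone(feed_text: str, origin: str = "rpz.local", serial: int = 1) -> str:
    """Convenience wrapper: parse the feed and render the zone in one step."""
    return build_rpz_zone(parse_feed(feed_text), origin=origin, serial=serial)


if __name__ == "__main__":
    # Prints the zone for the constructed feed; redirect to rpz.local.zone to use it.
    print(feed_to_zone(SAMPLE_FEED, serial=2012020901), end="")
```

Bump the SOA serial every time the feed changes (a date-based serial as in the example works well) and reload the zone with rndc; resolvers that should be exempt from the policy can be excluded with an RPZ "rpz-client-ip" trigger or by simply not listing the zone in their response-policy clause.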