Moin!

On 12.07.2009, at 10:30, Florian Weimer wrote:
> Few players perform NXDOMAIN rewriting.  Instead, ANCOUNT=0 rewriting
> is used.  This causes all kinds of problems, including redirections
> for example.com when it hasn't got an A record (where some browser
> would just fall back to www.example.com), and bad interactions with
> IPv6 deployment (because all IPv6-only hosts suddenly have got an A
> record).
That really is an issue and could be addressed; there are a lot of
cases where an A record for a domain doesn't exist, but one for
www.domain does exist. The question then would be how that rewrite
should be presented: as a normal A answer or as a CNAME referral, which
might be better as the underlying web server might not answer for
the domain without www.

> The malicious site protection does not work reliably because it can be
> easily bypassed by the attacker, using IP addresses.
Correct, but that hasn't stopped several governments from passing laws
that exactly mandate this.

> Section 5.3 is pretty explicit in that government-mandated filtering
> decisions should be made by executive organs, and not the judiciary.
> The IETF should not try to regulate this and should certainly show
> more respect for separation of powers.
That is not the intention and not what I read there. Division of
powers is a concept that is not even common among "western
democracies". The text tries to stay away from these political
issues, and instead makes clear that the local law, government or
jurisdictions should be honored where appropriate.

> It should mention that
> DNS-based filtering is not acceptable to many governments because it
> can be bypassed easily, and it is not possible to block content on
> popular sites where the collateral damage of a domain-wide block would
> be problematic.
Again this is out of scope of the document. There may be countries
that don't see it as appropriate, but there are also countries that
see it as appropriate, including the one we two live in.

[..]
> No redirection on SERVFAIL seems to be a strange recommendation.
> Wouldn't this be a very good reason to provide a diagnostics page,
> especially if there's been a DNSSEC validation failure?
This sounds like an excellent idea to help DNSSEC adoption and
is something that should go into the draft.

So long
-Ralf
---
Ralf Weber
Platform Infrastructure Manager
Colt Telecom GmbH
Herriotstrasse 4
60528 Frankfurt
Germany
DDI: +49 (0)69 56606 2780 Internal OneDial: 8 491 2780
Fax: +49 (0)69 56606 6280
Email: r...@colt.net
http://www.colt.net/
Data | Voice | Managed Services

Protect your environment | Think before you print

*****************************************
COLT Telecom GmbH, Herriotstraße 4, 60528 Frankfurt/Main, Germany * Tel +49 (0)69 56606 0 * Fax +49 (0)69 56606 2222 *

Managing Directors: Dr. Jürgen Hernichel (Chairman), Rita Thies * Frankfurt/Main District Court HRB 46123 * VAT ID No. DE 197 498 400

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
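The two rewriting variants Florian contrasts above, worked through on wire-format DNS messages. This is an added example for readers of the thread, not code from either poster, from Colt, or from the draft under discussion. It builds minimal responses for three constructed cases (an IPv6-only host whose A query returns NODATA, a genuine NXDOMAIN, and a SERVFAIL) and applies either an NXDOMAIN-only policy or the ANCOUNT=0 policy; the query names, the TEST-NET landing address 192.0.2.1 and the message IDs are invented for the demonstration. SERVFAIL is left alone in both policies, which is the draft recommendation Florian questions.

```python
import socket
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
LANDING_IP = "192.0.2.1"  # assumed landing-page address (TEST-NET-1), not a real deployment


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at offset; return (name, next offset)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_response(qname, qtype, rcode, answers=()):
    """Build a response with one question and optional A/AAAA answers.
    'answers' is a list of (rtype, ip). Constructed sample data only."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, low 4 bits = RCODE
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rrs = b""
    for rtype, ip in answers:
        fam = socket.AF_INET if rtype == QTYPE_A else socket.AF_INET6
        rdata = socket.inet_pton(fam, ip)
        rrs += encode_name(qname) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + rrs


def parse(msg):
    """Parse header, question and answer section (A/AAAA rdata decoded)."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    ans_start = off
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype in (QTYPE_A, QTYPE_AAAA):
            fam = socket.AF_INET if rtype == QTYPE_A else socket.AF_INET6
            answers.append((rtype, socket.inet_ntop(fam, rdata)))
        else:
            answers.append((rtype, rdata))
    return {"id": msg_id, "rcode": flags & 0xF, "ancount": an, "qname": qname,
            "qtype": qtype, "answers": answers, "ans_start": ans_start}


def rewrite(msg, policy, landing_ip=LANDING_IP):
    """Apply a resolver rewriting policy to an A response.
    'nxdomain': synthesize an A record only when RCODE is NXDOMAIN.
    'ancount0': synthesize whenever the answer section is empty, which also
                catches NODATA (NOERROR, ANCOUNT=0) for IPv6-only hosts.
    SERVFAIL is never rewritten in either policy."""
    p = parse(msg)
    if p["qtype"] != QTYPE_A or p["ancount"] != 0 or p["rcode"] == RCODE_SERVFAIL:
        return msg
    if policy == "nxdomain" and p["rcode"] != RCODE_NXDOMAIN:
        return msg
    rdata = socket.inet_pton(socket.AF_INET, landing_ip)
    rr = encode_name(p["qname"]) + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + rdata
    msg_id, flags, qd, _, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    flags = (flags & 0xFFF0) | RCODE_NOERROR  # rewritten answer claims success
    header = struct.pack("!HHHHHH", msg_id, flags, qd, 1, ns, ar)
    # Answers go directly after the question, ahead of any authority records.
    return header + msg[12:p["ans_start"]] + rr + msg[p["ans_start"]:]


def demo(policy):
    """Run the thread's cases under one policy; return answers after rewriting."""
    cases = {
        # IPv6-only host: the A query gets NODATA, the AAAA query gets a record.
        "ipv6_only_a": build_response("host.example.com.", QTYPE_A, RCODE_NOERROR),
        "ipv6_only_aaaa": build_response("host.example.com.", QTYPE_AAAA, RCODE_NOERROR,
                                         [(QTYPE_AAAA, "2001:db8::1")]),
        "nxdomain": build_response("nope.example.com.", QTYPE_A, RCODE_NXDOMAIN),
        "servfail": build_response("broken.example.com.", QTYPE_A, RCODE_SERVFAIL),
    }
    return {name: parse(rewrite(msg, policy))["answers"] for name, msg in cases.items()}


if __name__ == "__main__":
    for policy in ("nxdomain", "ancount0"):
        print(policy, demo(policy))
```

Under the `ancount0` policy the IPv6-only host comes back with both its real AAAA record and a synthesized A record pointing at the landing page, so a dual-stack client that prefers IPv4 lands on the portal instead of the host; the `nxdomain` policy leaves that NODATA answer untouched and only rewrites the genuinely non-existent name.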
