> On Oct 3, 2016, at 6:31 PM, Warren Kumari <war...@kumari.net> wrote:
>
> ... and just for the record, much much more could have been determined
> (and users better warned / informed) if the address handed out was a
> server which displayed an error / links to more information[0], or if
> the name-servers serving the wildcard were required to collect and
> publish information and statistics. This would have allowed analysis
> of the effectiveness of the mitigations, etc.
>
> Yup, I'm beating a dead horse here, but people keep rediscovering the topic.
>
> W
>
> [0]: This could have a webserver which localized the page (based on IP
> / Accept-Language), a mailserver with a useful error, SSH / telnet
> banners, etc. I figured out ~20 protocols which allowed some sort of
> useful banner return. The logs could have been anonymized, or only
> statistics saved...
No surprise... Warren and I still agree here!

Further, I still believe that enterprise network operators need safe-haven name space (e.g., intuitively, perhaps, .corp, .home, and .mail, rather than the currently but [not assuredly] reserved .gnso, .icann, .iab, .rir, .ietf, and the like) if they don't want to be tethered to the global DNS, for whatever reason.

Heck, then we could even allow internal-name certificates again (in those name spaces, where appropriate) and not force leakage of internal system names via the likes of Certificate Transparency - since we just went through all that trouble to develop qname minimization et al.

-danny
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop