Date: 25 Jan 2001 10:32:27 -0000
From: "D. J. Bernstein" <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
| Elz seems to understand that the www.monty.de disaster is a powerful
| argument against the relevant aspects of the DNS design. So now he's
| denying the facts. He wants you to believe that www.monty.de is okay.
No I don't. Read the messages). Their setup is bogus (and probably not
directly their fault - other than by choosing an inept ISP). The
difference is that you're arguing that because it is possible to abuse the
delegation process, the process should be changed. On the other hand
I say that most of the time it all works just fine, and that altering
the process because of a few hard cases (I'm sure you can find more
than just this one if you look) is the wrong attitude. There are millions
of delegations that work just fine - they all could work just fine if
configured rationally.
| Don't be an idiot. That packet is straight from {ns,ns2}.norplex.net.
| What you had in your cache was the addresses of those servers.
Yes, most likely. As I said, in practice, accesses to that name
probably work well enough that the name owner isn't too bothered
about it. The setup is still bogus, and should be fixed though.
If the owner of the domain were worried, the correct recourse would
be to change to an ISP that knows how to setup the DNS properly
(or at least has lucked upon something that is adequate).
| Don't be an idiot. In practice, most caches don't have the *.norplex.net
| addresses lying around when they are asked about www.monty.de.
They probably do, if they're asked about the name often enough for it
to matter. If you start at a clean cache and ask once, you're
probably right, it will fail. The vast majority of the users probably
don't even give that a second thought - things failing is somehow
treated as "normal". So they try again - and by this time the
cache has more info, either enough for it to succeed, or at least
get a lot further (and then perhaps third time lucky).
And no, this is not good - but it is because the delegation system
has been abused. And no, I do not think we need to make the system
idiot proof. And I also don't know of any way of doing server
side indirection that would both be any better (which means that
human maintenance is out of the question) and actually implementable
the way the DNS should be working (the difficulty of signing a
record the server invents out of other data makes it a non-trivial
problem).
kre
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
