Re: More 0x20 craziness
--On 29 August 2008 19:41:57 +0000 Paul Vixie <firstname.lastname@example.org> wrote:
> note that many "nameservers" just don't answer some of the queries i'm
> saying we should send to protect the authority section. the NS's for
> www.cnn.com just time out on "dig @dmtns01.turner.com.
> kjhsdfkjhsdf.www.cnn.com in a". this is clearly not a real name server,
> it's a dns middlebox of some kind, one of many that does the wrong thing.
> (i don't mind somebody who doesn't answer NS queries since these are
> always diagnostic in nature, but someone who won't send a delegation
> unless they recognize the qname is just evil.) ((thanks to dan kaminsky's
> blog for pointing out the CNN example, and to robert edmonds who shared
> it with me.))
Well, I think breaking resolution for ADNS (or more accurately
middlebox-infested ADNS) which are clearly and irrefutably non-compliant is an
acceptable price given vendors have now some time to fix it, assuming
the population isn't that large - after all port randomisation broke
many dubious firewall configs and was deemed acceptable, and I suspect
the total number of broken DNS middleboxen is far smaller than this.
I'm sure cnn.com have a vested interest in making sure cnn.com continues
to resolve, and far more ability to make sure it does than your
average Joe firewall user.
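As an added illustration, not code from anyone in this thread: a minimal, self-contained model of the 0x20 check under discussion, using the probe name quoted above. It builds a query with a case-randomised QNAME in hand-rolled wire format (no DNS library) and accepts a reply only if the transaction ID and the byte-exact QNAME both match, which is exactly what a middlebox that rewrites or drops unfamiliar names breaks. It assumes no name compression in the question section and uses constructed replies rather than real network traffic.

```python
import os
import struct

PROBE = "kjhsdfkjhsdf.www.cnn.com"  # the probe name quoted in the thread


def encode_0x20(qname, rng=os.urandom):
    """Flip the 0x20 (case) bit of each letter at random; rng(n) returns n bytes."""
    bits = rng((len(qname) + 7) // 8)
    out = []
    for i, ch in enumerate(qname):
        if ch.isalpha() and (bits[i // 8] >> (i % 8)) & 1:
            out.append(ch.upper())
        else:
            out.append(ch.lower())
    return "".join(out)


def wire_name(name):
    """Encode a dotted name as length-prefixed labels, case preserved."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, qname, qtype=1):
    # Header: ID, flags (RD only), QDCOUNT=1, AN/NS/ARCOUNT=0; one question, class IN.
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + wire_name(qname) + struct.pack("!HH", qtype, 1)


def question_name(msg):
    """Raw, case-preserved QNAME bytes from the question section (assumes no compression)."""
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return msg[12:pos + 1]


def response_matches(query, response):
    """The 0x20 check: accept only if the ID and the byte-exact QNAME both match."""
    return query[:2] == response[:2] and question_name(query) == question_name(response)


def echo_response(query, qname_as_echoed):
    """Constructed reply: copies the query's ID, sets QR/RD/RA, echoes the given QNAME."""
    hdr = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 0, 0, 0)
    return hdr + wire_name(qname_as_echoed) + query[-4:]
```

A reply that echoes the name in lowercase (as a case-folding middlebox would) fails the check just as a guessed-ID forgery does, which is why such boxes surface as timeouts once 0x20 is enforced.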