--On 29 August 2008 19:41:57 +0000 Paul Vixie wrote:

> note that many "nameservers" just don't answer some of the queries i'm
> saying we should send to protect the authority section. the NS's for
> www.cnn.com just time out on "dig @dmtns01.turner.com.
> kjhsdfkjhsdf.www.cnn.com in a". this is clearly not a real name server,
> it's a dns middlebox of some kind, one of many that does the wrong thing.
> (i don't mind somebody who doesn't answer NS queries since these are
> always diagnostic in nature, but someone who won't send a delegation
> unless they recognize the qname is just evil.) ((thanks to dan kaminsky's
> blog for pointing out the CNN example, and to robert edmonds who shared
> it with me.))

Well, I think breaking resolution for ADNS (or more accurately middlebox
infested ADNS) which are clearly and irrefutably non-compliant is an
acceptable price given vendors have now some time to fix it, assuming
the population isn't that large - after all port randomisation broke
many dubious firewall configs and was deemed acceptable, and I suspect
the total number of broken DNS middleboxen is far smaller than this.
I'm sure cnn.com have a vested interest in making sure cnn.com continues
to resolve, and far more ability to make sure it does than your
average Joe firewall user.
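As an added illustration of the probe Vixie describes (this is not code from the thread, BIND, or any resolver), the Python below builds the random-label query, parses the reply's authority section and labels how the server behaved: a proper delegation, NXDOMAIN, REFUSED, a silent timeout like the CNN middlebox, or NS records outside the zone's bailiwick that a resolver must not cache. The replies it is exercised against are constructed inline; the nameserver names and addresses in them are made up.

```python
"""Classify what a nameserver returns for a random label under a zone.
Added example; all names and addresses in the constructed replies are made up."""
import secrets
import struct

A, NS, CNAME = 1, 2, 5
RCODE_NXDOMAIN, RCODE_REFUSED = 3, 5


def random_probe_name(zone):
    """Build a qname like kjhsdfkjhsdf.www.cnn.com: a label the server cannot
    recognise, so a compliant server must answer from the authority section
    (delegation or NXDOMAIN) rather than with a hit."""
    return f"{secrets.token_hex(6)}.{zone.strip('.')}".lower()


def encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a wire-format name, following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)


def build_query(qname, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    return header + encode_name(qname) + struct.pack("!HH", A, 1)


def build_response(query, rcode=0, answer=(), authority=()):
    """Constructed reply to `query` for offline testing (no name compression)."""
    def rr(name, rtype, rdata):
        data = (bytes(int(o) for o in rdata.split(".")) if rtype == A
                else encode_name(rdata))
        return encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(data)) + data
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answer), len(authority), 0)
    return (header + query[12:] + b"".join(rr(*r) for r in answer)
            + b"".join(rr(*r) for r in authority))


def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4                           # qtype, qclass
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = decode_name(msg, off)[0] if rtype in (NS, CNAME) else msg[off:off + rdlen]
            off += rdlen
            sections[sec].append((name, rtype, rdata))
    return {"id": txid, "rcode": flags & 0xF, "qname": qname, **sections}


def classify(response, zone):
    """Label the server's behaviour for the random-label probe (None = no reply)."""
    if response is None:
        return "timeout"                   # the CNN middlebox case
    r = parse_response(response)
    zone = zone.strip(".").lower()
    if r["rcode"] == RCODE_REFUSED:
        return "refused"
    if r["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"
    if any(t == A for _, t, _ in r["answer"]):
        return "answer"                    # a wildcard, or a box that lies

    def in_bailiwick(owner):
        under_zone = owner == zone or owner.endswith("." + zone)
        covers_qname = r["qname"] == owner or r["qname"].endswith("." + owner)
        return under_zone and covers_qname

    owners = {n for n, t, _ in r["authority"] if t == NS}
    if owners and all(in_bailiwick(o) for o in owners):
        return "delegation"                # the compliant reply Vixie expects
    if owners:
        return "out-of-bailiwick"          # NS data a resolver must not cache
    return "empty"
```

The bailiwick rule in `classify` is the check a resolver applies before trusting authority-section NS records: the owner name must sit at or below the zone being asked about and must cover the queried name. A server that simply never replies (the `timeout` case) gives the resolver nothing to validate, which is why the quoted text calls that behaviour broken rather than merely unhelpful.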


