Re: Interesting new dns failures

["Chris L. Morrow" <christopher.morrow () verizonbusiness com>]

On Mon, 21 May 2007, Gadi Evron wrote:
> On Mon, 21 May 2007, Chris L. Morrow wrote:
> > On Mon, 21 May 2007, Gadi Evron wrote:
> > > Small note: For regular fastflux, yes. for NS fastflux, not so much.
> >
> > For regular FF 'yes' but for ns FF not much? Hrm, not much legit purpose?
> > or not much the root/tld folks can do?
> >
> > I ask because essentially akamai's edgesuite (and I might have their
> > product names confused some) seems to do FF ... or the same thing FF does.
> > Doesn't it?
>
> I don't know of many if any who change the NS record quite so frequently
> without being bad guys.

ok, so 'today' you can't think of a reason (nor can I really easily) but
it's not clear that this may remain the case tomorrow. It's possible that
as a way to 'better loadshare' traffic akamai (just to make an example)
could start doing this as well.

So, I think that what we (security folks) want is probably not to
auto-squish domains in the TLD because of NS's moving about at some rate
other than 'normal' but to be able to ask for a quick takedown of said
domain, yes? I don't think we'll be able to reduce false positive rates
low enough to be acceptable with an 'auto-squish' method :(

-Chris