nanog mailing list archives

Re: Interesting new dns failures


From: "Fergie" <fergdawg () netzero net>
Date: Tue, 22 May 2007 21:40:43 GMT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- David Ulevitch <davidu () everydns net> wrote:

But very few people (okay, not nobody) are saying, "Hey, why should I 
allow that compromised windows box that has never sent me an MX request 
before all of a sudden be able to request 10,000 MX records across my 
resolvers?"  "Why am I resolving a domain name that was just added into 
the DNS an hour ago but has already changed NS servers 50 times?"

These questions, and more (but I'm biased to DNS), can be solved at the 
edge for those who want them.  It's decentralized there.  It's done the 
right way there.  It's also doable in a safe and fail-open kind of way.


David,

As you (and some others) may be aware, that's an approach that we
(Trend Micro) took a while back, but we got a lot (that's an
understatement) of push-back from service providers, specifically,
because they're not very inclined to change out their infrastructure
(in this case, their recursive DNS) for something that could identify
these types of behaviors.

And actually, in the case you mentioned above -- to identify
this exact specific behavior.

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.1 (Build 1012)

wj8DBQFGU2NQq1pz9mNUZTMRAn5EAKCxlJ6uAkM+GMK15oCezkBVXHcBpgCeLuzK
Sn4ppcRBy8Nbc5MJU+zYiSE=
=+JDX
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
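
The two behaviors David describes in the quoted passage, a client with no MX history suddenly issuing thousands of MX queries and a new domain whose NS set keeps changing, can be checked from a recursive resolver's own query and referral logs. The following is an added illustration, not code from this thread, from EveryDNS, or from Trend Micro's product; the log tuple format, the sample records and the thresholds are all assumptions chosen for the example, and the fail-open wrapper shows the "safe and fail-open" property mentioned above (detector error means the query is treated as unflagged).

```python
"""Edge-resolver heuristics for the two questions quoted in the thread.

Assumed, illustrative input formats (not a real resolver log format):
  query record : (timestamp_seconds, client_ip, qtype, qname)
  NS observation: (timestamp_seconds, domain, frozenset_of_ns_names)
"""
from collections import defaultdict

# Constructed sample query log (not captured from any real resolver).
SAMPLE_QUERIES = (
    [(1000 + i, "10.0.0.5", "A", f"host{i}.example") for i in range(5)]           # normal client
    + [(1000 + i, "10.0.0.9", "A", "www.example") for i in range(3)]              # quiet until now
    + [(2000 + i, "10.0.0.9", "MX", f"target{i}.example") for i in range(150)]    # sudden MX burst
)

# Constructed NS observations: one domain rotating through name servers every
# minute, one stable domain. Not real domains or name servers.
SAMPLE_NS_OBS = (
    [(3000 + 60 * i, "fresh.example", frozenset({f"ns{i % 7}.fast.example"})) for i in range(60)]
    + [(3000 + 60 * i, "stable.example", frozenset({"ns1.stable.example", "ns2.stable.example"}))
       for i in range(60)]
)


def detect_mx_bursts(queries, window=3600, burst_threshold=100, history_threshold=0):
    """Return {client: count} for clients whose MX queries inside some `window`
    exceed `burst_threshold` while their MX count before that window was at
    most `history_threshold` (i.e. no prior MX history)."""
    by_client = defaultdict(list)
    for ts, client, qtype, _qname in queries:
        if qtype == "MX":
            by_client[client].append(ts)
    flagged = {}
    for client, stamps in by_client.items():
        stamps.sort()
        j = 0
        for i, start in enumerate(stamps):
            # advance j to the first timestamp beyond the window that starts at `start`
            while j < len(stamps) and stamps[j] <= start + window:
                j += 1
            in_window = j - i      # MX queries in [start, start + window]
            prior = i              # MX queries strictly before this window
            if in_window > burst_threshold and prior <= history_threshold:
                flagged[client] = in_window
                break
    return flagged


def detect_ns_churn(observations, window=3600, max_changes=10):
    """Return {domain: changes} for domains whose NS set changed more than
    `max_changes` times within any `window` seconds."""
    by_domain = defaultdict(list)
    for ts, domain, ns_set in observations:
        by_domain[domain].append((ts, ns_set))
    flagged = {}
    for domain, obs in by_domain.items():
        obs.sort(key=lambda o: o[0])
        # timestamps at which the observed NS set differs from the previous observation
        change_times = [ts for (ts, ns), (_, prev) in zip(obs[1:], obs) if ns != prev]
        j = 0
        for i, start in enumerate(change_times):
            while j < len(change_times) and change_times[j] <= start + window:
                j += 1
            if j - i > max_changes:
                flagged[domain] = j - i
                break
    return flagged


def fail_open(detector, *args, **kwargs):
    """Run a detector; on any internal error return 'nothing flagged' so that a
    broken heuristic never blocks resolution (the fail-open property)."""
    try:
        return detector(*args, **kwargs)
    except Exception:
        return {}


if __name__ == "__main__":
    print("MX bursts:", fail_open(detect_mx_bursts, SAMPLE_QUERIES))
    print("NS churn: ", fail_open(detect_ns_churn, SAMPLE_NS_OBS))
```

Both detectors only ever produce a flag for review or rate limiting; they never alter the answers handed back to clients, which is what keeps the approach safe to deploy at the edge.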

