[linux-network] IAB Commentary: Architectural Concerns on the use of DNS Wildcards (fwd)

---------

From: Mustafa Akgul (akgul@Bilkent.EDU.TR)
Date: Mon 22 Sep 2003 - 09:39:08 EDT


    Subject: IAB Commentary: Architectural Concerns on the use of DNS Wildcards
    Date: Mon, 22 Sep 2003 23:31:12 +1000
    From: Andrew McNamara <andrewm@object-craft.com.au>

    The IAB provides technical guidance to ICANN, so this is significant. ICANN
    had previously asked Verisign to "suspend the service until the various
    reviews now underway are completed".

        http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html

        IAB Commentary: Architectural Concerns on the use of DNS Wildcards

        There are many architectural assumptions regarding DNS behavior that
        are not specified in the IETF standards documents describing DNS,
        but which are deeply embedded in the behavior of Internet protocols
        and applications. These assumptions are inherent parts of the network
        architecture of which the DNS is one component. It has long been
        known that it is possible to use DNS wildcards in ways that violate
        these assumptions.

        Recent deployments of DNS wildcards with A records at high levels
        in the DNS tree have shown by experience that the cost of violating
        these assumptions is significant. In this document we provide an
        explanation of how DNS wildcards function, and many examples of how
        their injudicious use negatively impacts both individual Internet
        applications and indeed the Internet architecture itself.

        In particular, we recommend that DNS wildcards should not be used
        in a zone unless the zone operator has a clear understanding of the
        risks, and that they should not be used without the informed consent
        of those entities which have been delegated below the zone.

        [continues]

    -- 
    Andrew McNamara, Senior Developer, Object Craft
    http://www.object-craft.com.au/
    
