On 7/15/09 6:03 AM, Tony Finch wrote:
> On Tue, 14 Jul 2009, SM wrote:
>> Could one of the authors of the document clarify off-list whether the
>> connectivity provided by an ISP using DNS redirect services is labelled as
>> Full Internet connectivity?
>
> According to the definitions in RFC 4084, the only one that applies to an
> ISP with lying resolvers as described in this draft is "web connectivity".
> This could be extended to other protocols, but that depends on explicit
> support from the landing server. In some respects the service model
> described in the draft is less than web connectivity, because it doesn't
> support https.
>
> Domain registrants will probably want to enable DNS wildcards to get
> around DNS redirects, if the practice of DNS redirects by ISPs is
> widespread. TLDs without DNS wildcards might resort to it too. The
> authors of this document may wish to consider the long term effects.

Many techniques could allow actors to bypass name redirects erected to
restrain exchanges with compromised systems or content. It should be
assumed no interchange is reliably constrained by DNS redirection. For
example, actors might leverage search domains and have these act as a
substitute root zone. This technique has caused some countries to take
the next step of blocking labels, and not just FQDNs. :^(
When an ISP blocks at the point of access (while still allowing egress
for VoIP and other critical modes of communication), this would offer
more comprehensive control than obtained by name redirection. When
done at the access point, blocking might leverage IP address exceptions
rather than the spoofing of domain names. Much of this might also be
done using BGP.
More comprehensive results could be achieved by modifying DSL/Cable
modems, routers, or SOHO equipment rather than having ISPs block and/or
modify DNS answers. Name redirection, when defeated, will make problems
more difficult.
-Doug
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop