> At 13:12 -0400 9/16/03, Keith Moore wrote:
> >I strongly disagree. The DNS is the ultimate authority on whether a
> >domain exists, since the way you create a domain is by making an
> >entry in the DNS. Making existence of a domain depend on a
> >separate registry makes no sense and is inconsistent with
> >longstanding practice.
>
> DNS is the ultimate authority on whether there is a DNS answer to a
> DNS query, but that's about it. What a DNS server answers is based
> on what is in the registry it represents.

What a DNS server answers is based on what is in the zone it represents.
Not all zones have registries.

> To quote what I wrote on the provreg list in
> http://www.cafax.se/ietf-provreg/maillist/2001-09/msg00164.html:
>
> "DNS names [...] are limited to 255 octets, which is about 2K bits,
> and 2^2k possibilities minus special cases. Boom - all names exist."

You didn't actually cite any support for your statement. And the
existence of the NXDOMAIN response code contradicts that statement.

> The point is, before saying that DNS makes any statement about
> "existence" you need to define "exists for what purpose."

That's beside the point. NXDOMAIN is still a meaningful condition even
though you can't tell what a domain means if it does exist.

> >that's not the same thing at all. DNS is not the authority for
> >whether a device is connected to the net. DNS is the authority on
> >whether a DNS name exists.
>
> In engineering the DNS, "com." has been and still is a peculiar case
> and there has been the temptation to tailor the DNS protocol to
> accommodate it. The community has said time and again not to do so -
> not to treat that zone (and the others growing like it) as special
> cases. I think turnabout is fair play - that we not restrict "com."
> and the others from using what's in DNS protocol.

It is never appropriate to make wildcard assertions about names within a
zone if those assertions are not true. If all of the names in the
foo.example.com zone will always be associated with address a.b.c.d,
it's reasonable to set up a wildcard A record for that zone. Otherwise
it is not reasonable. This is no less true for com or net than for
foo.example.com.

COM and NET are supposed to reflect their respective registries - this
isn't itself a DNS protocol issue but part of the arrangement for
managing those zones. VeriSign is making assertions about names that
don't exist in the registries.

(It also happens that those assertions are disruptive to the operation
of protocols when those protocols use names in those zones, and that
*is* a protocol issue.)

Keith
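The exchange above turns on two DNS facts: a zone without a wildcard answers NXDOMAIN for names it does not hold, and a wildcard record at the zone apex turns those NXDOMAIN responses into synthesized answers. The following is an added illustration, not code from the thread or from any registry: a toy authoritative lookup implementing the RFC 1034 section 4.3.3 wildcard rule (a wildcard applies only when the queried name does not exist and its closest existing ancestor is the wildcard's parent), run over a constructed com-style zone with and without `*.com`, plus a defender-side probe that detects synthesis by querying a random label. The zone contents, the `Zone`, `lookup` and `synthesizes_answers` names, and the RFC 5737 addresses are all assumptions of this example.

```python
# Added example: RFC 1034 wildcard semantics in a toy authoritative lookup.
# Zone data below is constructed; addresses come from RFC 5737 test space.
import secrets


def labels(name: str) -> tuple:
    """Split 'www.example.com.' into ('www', 'example', 'com'), case-folded."""
    return tuple(lab.lower() for lab in name.rstrip(".").split(".") if lab)


class Zone:
    def __init__(self, origin: str, rrsets: dict):
        # rrsets: {"owner.name": {"A": ["192.0.2.1"], ...}, ...}
        self.origin = labels(origin)
        self.rrsets = {labels(owner): rrs for owner, rrs in rrsets.items()}
        # Every ancestor of an owner name down to the origin also exists
        # (as an "empty non-terminal"); this matters for wildcard matching.
        self.names = {self.origin}
        for owner in self.rrsets:
            for i in range(len(owner) - len(self.origin) + 1):
                self.names.add(owner[i:])

    def in_zone(self, name: tuple) -> bool:
        n = len(self.origin)
        return len(name) >= n and name[-n:] == self.origin

    def lookup(self, qname: str, qtype: str):
        """Return (rcode, rdata list). NOERROR with [] is a NODATA answer."""
        name = labels(qname)
        if not self.in_zone(name):
            return "REFUSED", []
        if name in self.names:
            # The name exists: answer from it directly; a wildcard never applies.
            return "NOERROR", list(self.rrsets.get(name, {}).get(qtype, []))
        # The name does not exist: walk up to the closest enclosing name that does.
        for i in range(1, len(name) - len(self.origin) + 1):
            encloser = name[i:]
            if encloser in self.names:
                wildcard = ("*",) + encloser
                if wildcard in self.names:
                    # Synthesize the answer from the wildcard's RRset.
                    return "NOERROR", list(self.rrsets.get(wildcard, {}).get(qtype, []))
                # An existing closer name without a wildcard blocks any higher one.
                return "NXDOMAIN", []
        return "NXDOMAIN", []


def synthesizes_answers(zone: Zone, parent: str, qtype: str = "A") -> bool:
    """Probe a random label under `parent`; data for it means the zone is
    asserting things about names nobody registered."""
    probe = f"probe-{secrets.token_hex(8)}.{parent}"
    rcode, rdata = zone.lookup(probe, qtype)
    return rcode == "NOERROR" and bool(rdata)


# Constructed TLD-style zone: apex records, one delegation and its glue.
BASE_RRSETS = {
    "com": {
        "SOA": ["ns.example.com. hostmaster.example.com. 1 3600 600 86400 60"],
        "NS": ["ns.example.com."],
    },
    "example.com": {"NS": ["ns.example.com."]},
    "ns.example.com": {"A": ["192.0.2.10"]},
}
PLAIN_COM = Zone("com", BASE_RRSETS)
WILDCARD_COM = Zone("com", {**BASE_RRSETS, "*.com": {"A": ["192.0.2.1"]}})

if __name__ == "__main__":
    for qname in ("ns.example.com", "nosuchname.com", "nosuchname.example.com"):
        print(f"{qname:28} plain={PLAIN_COM.lookup(qname, 'A')} "
              f"wildcard={WILDCARD_COM.lookup(qname, 'A')}")
    print("plain zone synthesizes:   ", synthesizes_answers(PLAIN_COM, "com"))
    print("wildcard zone synthesizes:", synthesizes_answers(WILDCARD_COM, "com"))
```

Two details of the output are worth noting. A wildcard only fires for names that do not exist at all, so `nosuchname.example.com` still gets NXDOMAIN even with `*.com` present, because `example.com` exists as a delegation and blocks the apex wildcard. And a wildcard with only an A record gives NODATA (NOERROR, empty) rather than NXDOMAIN for an MX query on a nonexistent name, which is exactly the kind of change in behaviour that mail and other protocols relying on NXDOMAIN notice.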