[registrars] FYI: IAB Architectural statement on the use of wildcards in the DNS

Mike Lampson lampson at iaregistry.com
Tue Sep 23 14:18:29 UTC 2003


SECSAC has also released a statement:

  http://www.icann.org/correspondence/secsac-to-board-22sep03.htm

They are continuing to gather information and are planning a public meeting
in Washington, DC on October 7th.  Follow the link above for more details.

Their preliminary recommendations are as follows:

---

RECOMMENDATIONS

Recognizing the concerns about the wildcard service, we call on VeriSign to
voluntarily suspend the service and participate in the various review
processes now underway.

We call on ICANN to examine the procedures for changes in service, including
provisions to protect users from abrupt changes in service.

We call on the IAB, the IETF, and the operational community to examine the
specifications for the domain name system and consider whether additional
specifications could improve the stability of the overall system. Most
urgently, we ask for definitive recommendations regarding the use and
operation of wildcard DNS names in TLDs and the root domain, so that actions
and expectations can become universal. With respect to the broader
architectural issues, we call on the technical community to clarify the role
of error responses and the separation of architectural layers, particularly
their interaction with security and stability.

---



-----Original Message-----
From: owner-registrars at gnso.icann.org
[mailto:owner-registrars at gnso.icann.org]On Behalf Of Eric
Brunner-Williams in Portland Maine
Sent: Monday, September 22, 2003 6:16 PM
To: Registrars at dnso.org
Subject: [registrars] FYI: IAB Architectural statement on the use of
wildcards in the DNS


All,

This came out today.

Eric

------- Forwarded Message

Return-Path: owner-ietf-announce at ietf.org
Delivery-Date: Mon Sep 22 14:00:15 2003
Return-Path: <owner-ietf-announce at ietf.org>
Received: from asgard.ietf.org (asgard.ietf.org [132.151.6.40])
	by nic-naa.net (8.12.6/8.12.6) with ESMTP id h8MI0D2U059165
	for <brunner at nic-naa.net>; Mon, 22 Sep 2003 14:00:14 -0400 (EDT)
	(envelope-from owner-ietf-announce at ietf.org)
Received: from majordomo by asgard.ietf.org with local (Exim 4.14)
	id 1A1UKS-0006yM-GX
	for ietf-announce-list at asgard.ietf.org; Mon, 22 Sep 2003 13:18:28 -0400
Received: from ietf.org ([10.27.2.28])
	by asgard.ietf.org with esmtp (Exim 4.14)
	id 1A1UAp-0006s8-7L
	for all-ietf at asgard.ietf.org; Mon, 22 Sep 2003 13:08:31 -0400
Received: from CNRI.Reston.VA.US (localhost [127.0.0.1])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA25752
	for <all-ietf>; Mon, 22 Sep 2003 13:08:24 -0400 (EDT)
Message-Id: <200309221708.NAA25752 at ietf.org>
From: Harald Tveit Alvestrand <harald at alvestrand.no>
To: IETF-Announce: ;
Subject: IAB Architectural statement on the use of wildcards in the DNS
Date: Mon, 22 Sep 2003 13:08:24 -0400
Sender: owner-ietf-announce at ietf.org
Precedence: bulk

 The Internet Architecture Board has issued a statement on Architectural
 concerns on the use of DNS wildcards.

 The full text is available from
 <http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html>

 Abstract:
 -----------------------------------------------------------------
 There are many architectural assumptions regarding DNS behavior that are
 not specified in the IETF standards documents describing DNS, but which are
 deeply embedded in the behavior of Internet protocols and applications.
 These assumptions are inherent parts of the network architecture of which
 the DNS is one component.

 It has long been known that it is possible to use DNS wildcards in ways
 that violate these assumptions.

 Recent deployments of DNS wildcards with A records at high levels in the
 DNS tree have shown by experience that the cost of violating these
 assumptions is significant. In this document we provide an explanation of
 how DNS wildcards function, and many examples of how their injudicious use
 negatively impacts both individual Internet applications and indeed the
 Internet architecture itself.

 In particular, we recommend that DNS wildcards should not be used in a zone
 unless the zone operator has a clear understanding of the risks, and that
 they should not be used without the informed consent of those entities
 which have been delegated below the zone.
 ------------------------------------------------------------------
 The contact person for the IAB on this matter is Harald Alvestrand
 <harald at alvestrand.no>.



------- End of Forwarded Message
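
The IAB abstract above makes the technical point that a wildcard A record at a
high level of the tree changes what every application sees for a name that
does not exist: a synthesized address instead of NXDOMAIN. The following is an
added example, not code from this post, from the IAB or from VeriSign: a
minimal model of the RFC 1034 section 4.3.2 wildcard matching rule over a
constructed zone for a hypothetical TLD "example" (addresses from the RFC 5737
documentation ranges, all names and records constructed), plus the kind of
client-side probe that can recognise a synthesized answer using nothing but
the rcode and answer section, which is all a real client gets to see.

```python
"""Added example: RFC 1034 wildcard matching and a wildcard probe.

The zone below is constructed for illustration. It models a TLD whose
operator has added *.example -> 192.0.2.1, with one delegated name
(alpha.example) and one ordinary host (beta.example).
"""
import secrets

APEX = "example"  # constructed zone apex (hypothetical TLD)

ZONE = {  # owner name -> list of (rrtype, rdata); all constructed
    "example": [("SOA", "ns1.example. hostmaster.example. 1 3600 900 604800 86400"),
                ("NS", "ns1.example.")],
    "*.example": [("A", "192.0.2.1")],                # wildcard at the top of the tree
    "ns1.example": [("A", "192.0.2.53")],
    "alpha.example": [("NS", "ns.alpha.example.")],   # delegated to its registrant
    "ns.alpha.example": [("A", "198.51.100.1")],      # glue below the zone cut
    "beta.example": [("A", "203.0.113.5")],           # ordinary second-level host
}


def lookup(qname: str, qtype: str, zone=ZONE) -> dict:
    """Authoritative lookup with simplified RFC 1034 4.3.2 semantics.

    Walk the name label by label from the apex.  A zone cut yields a referral;
    the first label with no matching node is where a '*' child of the closest
    encloser may synthesize an answer; otherwise the name does not exist.
    The 'wildcard' field is a debugging aid only: on the wire a synthesized
    answer is indistinguishable from a real one, which is the whole problem.
    """
    qname = qname.lower().rstrip(".")
    labels = qname.split(".")
    if labels[-1] != APEX:
        raise ValueError(f"{qname} is not under {APEX}")
    current = APEX
    for label in reversed(labels[:-1]):
        candidate = f"{label}.{current}"
        if candidate not in zone:
            wildcard = f"*.{current}"  # only the closest encloser's '*' applies
            if wildcard in zone:
                rrs = [(t, d) for t, d in zone[wildcard] if t == qtype]
                return {"rcode": "NOERROR", "owner": qname, "answer": rrs, "wildcard": True}
            return {"rcode": "NXDOMAIN", "owner": qname, "answer": [], "wildcard": False}
        current = candidate
        if current != APEX and any(t == "NS" for t, _ in zone[current]):
            # Everything at or below a delegation belongs to the child zone, so
            # the parent's wildcard never reaches names the registrant controls.
            return {"rcode": "NOERROR", "owner": qname, "answer": [],
                    "referral": current, "wildcard": False}
    rrs = [(t, d) for t, d in zone[current] if t == qtype]
    return {"rcode": "NOERROR", "owner": qname, "answer": rrs, "wildcard": False}


def probe_wildcard(resolve, zone_name: str, tries: int = 3):
    """Return the address set a zone hands out for names that cannot exist.

    Queries a few random labels directly under zone_name.  Any NXDOMAIN or empty
    answer means no wildcard at that level and the function returns None.
    """
    seen = set()
    for _ in range(tries):
        label = "wc-" + secrets.token_hex(8)  # random label, cannot be registered
        r = resolve(f"{label}.{zone_name}", "A")
        if r["rcode"] != "NOERROR" or not r["answer"]:
            return None
        seen.update(rdata for _, rdata in r["answer"])
    return seen


def resolve_host(name: str, zone_name: str, resolve=lookup):
    """Resolve name, treating an answer that matches the catch-all as nonexistent."""
    synthetic = probe_wildcard(resolve, zone_name)
    r = resolve(name, "A")
    addrs = [rdata for _, rdata in r["answer"]]
    if r["rcode"] == "NXDOMAIN" or not addrs:
        return None
    if synthetic and set(addrs) <= synthetic:
        return None  # indistinguishable from the wildcard answer
    return addrs


if __name__ == "__main__":
    for q in ("nosuchname.example", "beta.example", "typo.beta.example", "www.alpha.example"):
        print(q, lookup(q, "A"))
    print("catch-all addresses:", probe_wildcard(lookup, APEX))
```

The model shows the asymmetry the IAB is describing: a wildcard at the TLD
never answers for names below a delegation (www.alpha.example gets a referral,
typo.beta.example gets NXDOMAIN), but it answers for every unregistered
sibling of those delegations, so any mail, web or anti-spam code that used
"does this name resolve?" as an existence test is affected. The probe is a
heuristic, not a proof: it only detects a wildcard at the level it queries,
and a catch-all that varies its answers defeats the address comparison. Under
DNSSEC the NSEC/NSEC3 records in a response make a synthesized answer
explicit, which removes the guesswork.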



