Are there just a couple of DNS server(s) per ISP? Do they run VPNs to sync up with the central DNS servers so that DNS spoofing is limited & DNS synchronization encrypted? Should be an easy solution for DNS spoofing except for public IP addresses which home users get. Again, they would be registered, so spoofing them would be difficult?

-- Atul

P.S: The opinions are my opinion and my responsibility.

-----Original Message-----
From: Edward Lewis [mailto:edlewis@arin.net]
Sent: Tuesday, September 16, 2003 11:19 AM
To: ietf@ietf.org
Cc: Edward Lewis
Subject: Re: [Fwd: [Asrg] Verisign: All Your ...

At 13:12 -0400 9/16/03, Keith Moore wrote:
>I strongly disagree. The DNS is the ultimate authority on whether a
>domain exists, since the way you create a domain is by making an entry
>in the DNS. Making existence of a domain depend on a separate
>registry makes no sense and is inconsistent with longstanding practice.

DNS is the ultimate authority on whether there is a DNS answer to a DNS query, but that's about it. What a DNS server answers is based on what is in the registry it represents.

To quote what I wrote on the provreg list in http://www.cafax.se/ietf-provreg/maillist/2001-09/msg00164.html:

"DNS names [...] are limited to 255 octets, which is about 2K bits, and 2^2k possibilities minus special cases. Boom - all names exist."

The point is, before saying that DNS makes any statement about "existence" you need to define "exists for what purpose." In the message above, it was "exists so that I can't register it." In the wcard clarify draft in DNSEXT, it's "exists for the purposes of ruling out synthesis of the answer."

>that's not the same thing at all. DNS is not the authority for whether
>a device is connected to the net. DNS is the authority on whether a DNS
>name exists.

In engineering the DNS, "com." has been and still is a peculiar case and there has been the temptation to tailor the DNS protocol to accommodate it. The community has said time and again not to do so - not to treat that zone (and the others growing like it) as special cases. I think turnabout is fair play - that we not restrict "com." and the others from using what's in DNS protocol.

I'm neither endorsing nor criticizing what has been added to "com." and "net." Let's just be fair, accurate, and on-topic (like, protocols) in the discussion.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                            +1-703-227-9854
ARIN Research Engineer

Sponge Bob Square Pants? I'm still trying to figure out the Macarena.