> If they can suck down all the top level zone files then it is easy
> for them to publish an ALTERNATIVE DNS VIEW that contains their own
> additions. Anyone who uses their view will then see the so-called
> official DNS info as well as the overlay.

When I see claims like this, I really have to wonder how well people understand the way that the DNS works. If you want to publish your own root that merges the real root (the one that the A through M root servers publish with advice from ICANN) with stuff of your own, you can do it now, and it wouldn't make any practical difference if you could AXFR every zone in the world.

If you want to add your own TLDs, the easiest way to do it is to FTP the root zone, which is easy and quite legal to get, add in your own TLDs, and try and persuade people to use your servers. The root zone changes slowly, so downloading and remixing your root once a day would be plenty.

If you want to offer mutant versions of popular TLDs, the most practical way to do that is with a semi-transparent proxy that serves up your versions of the stuff you want to change, and fetches the rest of the data from the real versions as needed. AXFR access to the popular TLDs would be useless, because the zones are so big. The gzipped version of the COM zone is about a gigabyte and takes several hours to download via my not very busy T1, and an AXFR would be two or three times that. Even if you had an OC3, you could never keep a mirror of COM up to date with AXFR, and while the other popular zones are smaller, they all update in less time than it'd take to AXFR a copy. No significant zone is propagated by AXFR now, and no useful mirror or alternate root would use it, either.

The real reason that alternate roots haven't caught on is that there is no demand for them from the people who use the DNS. (There's plenty of demand from people who imagine they would get rich if they could own .WEB or .SEX or whatever, but that's irrelevant.)
For all of the failings of the current roots and of ICANN, with which as a member of the ICANN ALAC I am extremely familiar, it works well enough for the things that people use it for, and that shows no sign of changing despite occasional efforts to screw it up like wildcards in TLD zones. With this in mind, I don't see much point in arguing about setting up something just like DNS but different.

When we stick DKIM keys in TXT records with prefixed names scattered around the leaves of the DNS, it may injure some people's sense of propriety, but it doesn't break anything that works, and nobody other than DNS theologists care that it didn't use a new RR type. I have been publishing the contact info for abuse.net through the DNS for several years, using a specialized server (written in perl) that synthesizes TXT, A, and HINFO records on the fly from the underlying database. Works great, performs much better than the WHOIS and HTTP versions that preceded it, and doesn't break anything. Maybe some of my hacks won't work with DNSSEC, but we'll burn that bridge when we get to it.

Regards,
John Levine, johnl@xxxxxxxx, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
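The "specialized server that synthesizes TXT records on the fly from the underlying database" idea in the message above, as an added example that is not John Levine's abuse.net code (his is in perl and is not shown here). It is a minimal authoritative UDP responder built on Python's standard library only: it parses a query, looks the name up in an in-memory table, and builds a wire-format TXT answer. The zone suffix `contacts.example.test`, the contact table and the port 5353 are constructed assumptions for the demonstration; names outside the zone get REFUSED and unknown names inside it get NXDOMAIN, so the server never pretends to be recursive or to know more than its database.

```python
import socket
import struct

# Constructed zone suffix and contact table for this demonstration; the real
# abuse.net layout and data are not reproduced here.
ZONE = "contacts.example.test"
CONTACTS = {
    "example.com": ["abuse@example.com", "postmaster@example.com"],
    "example.org": ["security@example.org"],
}
QTYPE_TXT, QCLASS_IN = 16, 1
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, offset):
    """Decode an uncompressed name at offset; return (lowercased name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0:
            raise ValueError("compression pointers are not expected here")
        offset += 1
        if length == 0:
            return ".".join(labels).lower(), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def build_query(name, qid=0x1234):
    """Build a standard TXT/IN query packet (used by the demo and the checks)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)

def txt_rdata(strings):
    """TXT RDATA is a run of <length><chars> character-strings, 255 bytes max each."""
    out = b""
    for s in strings:
        b = s.encode("ascii")[:255]
        out += bytes([len(b)]) + b
    return out

def handle_query(msg):
    """Synthesize one response packet for one query packet, straight from CONTACTS."""
    qid, flags = struct.unpack("!HH", msg[:4])
    name, end = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[end:end + 4])
    question = msg[12:end + 4]                 # echo the question section unchanged
    rcode, answers = RCODE_NOERROR, []
    if name == ZONE:
        pass                                   # apex exists but carries no TXT: NOERROR, empty
    elif name.endswith("." + ZONE):
        strings = CONTACTS.get(name[:-len(ZONE) - 1])
        if strings is None:
            rcode = RCODE_NXDOMAIN             # inside our zone, but no such contact
        elif qtype == QTYPE_TXT and qclass == QCLASS_IN:
            rdata = txt_rdata(strings)
            answers.append(encode_name(name)
                           + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata))
                           + rdata)
    else:
        rcode = RCODE_REFUSED                  # not our zone; this is not a recursive server
    resp_flags = 0x8400 | (flags & 0x0100) | rcode   # QR=1, AA=1, copy RD, RA=0
    header = struct.pack("!HHHHHH", qid, resp_flags, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)

def response_rcode(resp):
    """Return the RCODE of a response packet."""
    return struct.unpack("!H", resp[2:4])[0] & 0x0F

def parse_txt_answers(resp):
    """Pull the TXT strings out of a response from handle_query (names are uncompressed)."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    _, off = decode_name(resp, 12)
    off += 4                                   # skip qtype/qclass
    strings = []
    for _ in range(ancount):
        _, off = decode_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == QTYPE_TXT:
            i = 0
            while i < len(rdata):
                strings.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii"))
                i += 1 + rdata[i]
    return strings

if __name__ == "__main__":
    # Stand-alone demo: answer UDP queries on 127.0.0.1:5353, e.g.
    #   dig @127.0.0.1 -p 5353 example.com.contacts.example.test TXT
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 5353))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(handle_query(data), peer)
        except (ValueError, IndexError, struct.error):
            pass                               # malformed packet: drop it, do not crash
```

Because every answer is built from the table at query time there is no zone file to regenerate and nothing for AXFR to transfer, which is the property the message is pointing at. The same shape serves DKIM-style lookups (`selector._domainkey.<domain>` with the key table in place of CONTACTS). As the message notes, synthesized answers carry no signatures, so such a server would need DNSSEC signing at response time before it could live in a signed zone.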