Bind 9, Wildcard Records and Road Runner

Jim Reid jim at rfc1035.com
Sat Oct 9 11:05:20 UTC 2004


>>>>> "Anthony" == Anthony Eden <anthony at sdc-hawaii.co.mp> writes:

    Anthony> When a .mp domain is registered their site and associated
    Anthony> services are automatically created and are immediately
    Anthony> available for the customers use.  We accomplish this by
    Anthony> using a wildcard DNS record in bind for all .mp domains:

    Anthony> *.mp.  IN A 66.135.225.102

    Anthony> This record can be found in the mp zone file. 

You should remove this wildcard RR. It is dangerous and evil. You'll
be repeating the Verisign SiteFinder debacle. The IAB document
"Architectural Concerns on the Use of DNS Wildcards" provides a very
good explanation of the problem space and why this use of wildcards is
usually a Very Bad Idea. It's at
	http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html

A careful study of the ICANN pages on SiteFinder is also strongly
recommended. Start at:
	http://www.icann.org/topics/wildcard-history.html

Pay particular attention to the Security & Stability Committee's
report and recommendations on this incident. The Internet Community
comments show some of the very real problems that were created by the
addition of a wildcard RR in a TLD. The SECSAC report has lots more
detail on these problems. Repeating these troubles in .mp -- or any
other TLD for that matter -- would be Bad News.

Yes, a few TLDs have wildcard RRs in them. In some cases these exist
because of legacy issues. In others, they are for well-understood
purposes. That does not mean it's OK to just add one to .mp. You
should consult widely on this and check with ICANN before proceeding.

    Anthony> For most ISPs this works perfectly.  You can visit any
    Anthony> dotMP site and it will resolve on both your computer and
    Anthony> mobile phone.  

Many DNS administrators use the delegation-only feature of BIND9 to
ignore wildcard records in a TLD zone. Consult the BIND documentation
for more details. My guess is Road Runner is one ISP who uses this
feature. There are bound to be many others. You would probably have to
convince everyone using this feature to switch it off for .mp. Which
is highly unlikely even if it was logistically possible for you to
contact every DNS administrator on the planet who uses BIND. So you end
up with an unstable and inconsistent TLD. For some parts of the world,
.mp won't behave the way you want it to. Users are likely to perceive
this as a problem with the TLD (ie you). They won't blame their ISP
who has deployed defensive measures against wildcards in TLDs, like
the BIND delegation-only feature. In fact your comments about Road
Runner customers suggest this has already happened.

This wildcard record will probably create many more problems than it
solves. For new registrations, the wildcard will work for some
users. For some definition of work. For many others -- like spam
filtering, privacy, misaddressed email, web browsing, error detection,
etc -- this wildcard will break things. Remember the wildcard will
match any non-existent name from any application that makes a DNS
query in .mp. Those won't just come from users typing URLs into their
web browsers who then want to register that name.
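As an added illustration (this fragment is not part of the original post and is not Road Runner's or anyone else's actual configuration), here is what the BIND 9 resolver setting described above looks like in named.conf. The zone name "mp" comes from the thread; the directory path and the exclude list are assumptions:

```conf
// Added example, not from the original post: a BIND 9 recursive resolver
// that refuses non-delegation data (such as a synthesized wildcard A record)
// coming from the .mp TLD servers.

options {
    directory "/var/named";   // assumed path
    recursion yes;

    // Alternative to the per-zone stanza below: treat every TLD as
    // delegation-only except the ones listed. The list is illustrative;
    // it names TLDs that legitimately carry non-delegation data and is
    // not exhaustive.
    // root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
};

// Per-zone form. Any answer from the .mp servers that is not accompanied
// by a delegation (explicit or implicit) in the authority section is
// treated as NXDOMAIN instead of being cached and returned to clients.
// This is what makes a wildcard A record in the TLD invisible to users
// of this resolver, which is the inconsistency the reply above warns about.
zone "mp" {
    type delegation-only;
};
```

To see the effect, query a label that does not exist as a delegation, for example `dig @<resolver-address> <some-random-label>.mp A`, against a resolver with and without the stanza: without it the wildcard's A record comes back, with it the resolver answers NXDOMAIN and logs the rejected data. Check the ARM for the BIND version you run, since newer releases have deprecated this option.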
