NXDOMAIN redirection in BIND 9.9

刘明星:) liumingxing at cnnic.cn
Fri Sep 30 01:32:32 UTC 2011 

How does ISP use a proxy to filters answers and returns whatever they want to the customer?



Mingxing, Liu
CNNIC
liumingxing at cnnic.cn 



发件人: Michael Graff 
发送时间: 2011-09-30  05:52:48 
收件人: owens 
抄送: bind-users 
主题: Re: NXDOMAIN redirection in BIND 9.9 
 
On Sep 29, 2011, at 4:06 PM, Bill Owens wrote:
> I've obviously been asleep and not following along with the announcements of new features in BIND 9.9 until today
I'm happy you read it, and hope to see you at the forum/customer webinar next week!  I'll be speaking, and will bring my fireproof undies.
> . . . both Evan's blog post <http://www.isc.org/community/blog/201109/isc-bind-990a1-feature-preview> and the announcement of next week's webinar include NXDOMAIN redirection as the first new feature. I'm really surprised by that - is this something that BIND users were clamoring for?
Yes.
> Or is it a situation where other servers were providing this feature, and BIND needed it to maintain parity?
Yes.
> Obviously those of us who find this idea disturbing don't need to enable it, and DNSSEC provides an effective defense against those who would enable it* but it still leaves me curious.
We came to the conclusion that no matter how much we wanted it to not be true, people find a way to do NXDOMAIN if they want to.  The issue is not ours to push, it's between the ISP and the customer ultimately, and people will do it -- and more intrusively -- than BIND 9.9 will.
> *except that perhaps those who enable this feature will use it as an excuse to avoid enabling validation, which would be a very bad result, IMO. . .
That's perhaps the case, but once again, it's up to the ISP ultimately.  Don't think that just because BIND 9 didn't do this before, that people didn't.  They instead use a proxy which filters answers, for instance, and returns whatever they want to the customer.
--Michael
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20110930/20903c95/attachment.html>

More information about the bind-users mailing list