Research Paper Warns of Hazards Posed by NXDOMAIN Substitution at Registry Level


(WEB HOST INDUSTRY REVIEW) — A report from the Internet Corporation for Assigned Names and Numbers (www.icann.org) outlines the harms and concerns posed by NXDOMAIN substitution, commonly implemented with DNS wildcards, at the registry level.

ICANN strongly discourages the use of DNS redirection, wildcards, synthesized responses and any other form of NXDOMAIN substitution in new and existing generic and country-code top-level domains, as well as at any other level in the DNS tree for registry-class domain names. In its report published Tuesday, ICANN staff described the harms and concerns posed by redirecting and synthesizing DNS responses, and stressed the need to preserve the integrity of error responses and of name resolution itself.

In accordance with its core value number one, “Preserving and enhancing the operational stability, reliability, security, and global interoperability of the Internet,” the report released Tuesday found that DNS redirection, wildcards, synthesized responses and any other form of NXDOMAIN substitution should not, under normal circumstances, be used in the DNS tree for registry-class domain names.

If a gTLD, ccTLD or registry-class domain manager intends to offer a service that depends on NXDOMAIN substitution, ICANN recommends it consult technical experts (such as the Internet Architecture Board, or the Security and Stability Advisory Committee) on the possible effects of such implementation, and submit the proposal for global public scrutiny before implementation.

Over the past year, ICANN has been taking measures to inform stakeholders about the redirection and synthesizing of DNS responses, collectively known as NXDOMAIN substitution.

In June, the SSAC published an advisory, stating that the redirection and synthesizing of DNS responses (such as DNS wildcard) by TLDs poses a clear and significant danger to the security and stability of the Domain Name System. Also, at its public meeting in Sydney in June 2009, the ICANN Board of Directors resolved that new top-level domains should not use DNS redirection and synthesizing of DNS responses.

A longtime opponent of the redirection and synthesizing of DNS responses, the SSAC summarized its findings as follows in a 2004 report:

“Synthesized responses should not be introduced into top-level domains (TLDs) or zones that serve the public, whose contents are primarily delegations and glue, and where delegations cross organizational boundaries over which the operator may have little control or influence. Although the wildcard mechanism for providing a default answer in response to DNS queries for uninstantiated names is documented in the defining RFCs (Requests for Comment), it was generally intended to be used only in narrow contexts (for example, MX records for e-mail applications), generally within a single enterprise…”
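To make the mechanism the report and the SSAC quote describe concrete, the following added example (not code from the ICANN report, the SSAC or this article) shows how a zone operator or auditor can tell the two behaviours apart: a query for a name that cannot exist should come back with the NXDOMAIN error code, whereas a wildcard or other NXDOMAIN substitution returns a normal answer with a synthesized record. The script builds and parses DNS messages directly with the Python standard library; the two sample responses are constructed inline, and the resolver address `127.0.0.1`, the label `zq7xk3v9random.example` and the address `192.0.2.10` are assumptions chosen for illustration.

```python
"""Classify a DNS response as a genuine NXDOMAIN or a synthesized answer.

Added example; builds minimal DNS wire-format messages by hand so that
the classification logic can be exercised offline on constructed data.
"""
import random
import socket
import string
import struct

NOERROR = 0   # RCODE 0: query succeeded
NXDOMAIN = 3  # RCODE 3: the name does not exist


def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label, 0 terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qid=0x1234):
    """Build an A/IN query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(query, rcode, answer_ip=None):
    """Construct a sample response to `query` (test data, not a real server)."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (rcode & 0xF)          # QR + RD + RA, plus the rcode
    ancount = 1 if answer_ip else 0
    body = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + query[12:]
    if answer_ip:
        # Name is a compression pointer (0xC00C) to the question name at offset 12,
        # then type A, class IN, TTL 300, RDLENGTH 4 and the IPv4 address.
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return body


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2            # the pointer is the last thing read here
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def classify_response(resp):
    """Return rcode, A-record answers and a verdict: nxdomain / synthesized / other."""
    if len(resp) < 12:
        return {"qname": None, "rcode": None, "answers": [], "verdict": "other"}
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0xF
    qname, offset = decode_name(resp, 12)
    offset += 4                              # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _name, offset = decode_name(resp, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        rdata = resp[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    if rcode == NXDOMAIN:
        verdict = "nxdomain"                 # the expected, honest error
    elif rcode == NOERROR and answers:
        verdict = "synthesized"              # a name that cannot exist still resolved
    else:
        verdict = "other"                    # SERVFAIL, empty NOERROR, etc.
    return {"qname": qname, "rcode": rcode, "answers": answers, "verdict": verdict}


def random_label(n=20):
    """A label long and random enough that it will not have been registered."""
    return "".join(random.choice(string.ascii_lowercase + string.digits) for _ in range(n))


def probe_zone(zone, server="127.0.0.1", timeout=3.0):
    """Live probe (network; not exercised by the tests): query a random name under `zone`."""
    qname = "%s.%s" % (random_label(), zone)
    query = build_query(qname, qid=random.randrange(65536))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify_response(data)


# Constructed samples: the same impossible name answered honestly and via a wildcard.
SAMPLE_QUERY = build_query("zq7xk3v9random.example")
SAMPLE_NXDOMAIN = build_response(SAMPLE_QUERY, NXDOMAIN)
SAMPLE_SYNTHESIZED = build_response(SAMPLE_QUERY, NOERROR, "192.0.2.10")

if __name__ == "__main__":
    for label, resp in (("honest", SAMPLE_NXDOMAIN), ("wildcard", SAMPLE_SYNTHESIZED)):
        print(label, classify_response(resp))
```

When running `probe_zone` against a real zone, send the query to one of the zone's own authoritative servers rather than to a recursive resolver: a resolver in the path can itself rewrite NXDOMAIN, and the point of the check is to isolate what the registry-level zone returns. A "synthesized" verdict is evidence of NXDOMAIN substitution, not proof of intent; the SSAC quote above notes that wildcards have legitimate narrow uses within a single organisation.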

Today’s report will lend more weight to SSAC’s claims, which will, in turn, make the Internet more secure.
