sitefinder-tech-discuss message



Subject: Re: [sitefinder-tech-discuss] Technical issues encountered by a k12 site


On Tue, Oct 07, 2003 at 10:07:54PM -0400, Andrew Newton wrote:

> >1) Our spam filter utilizes an NXDOMAIN response to recognize
> >non-existent domains and therefore does not allow mail from
> >them.  Some spam is sent this way.  Whois is not an acceptable
> >replacement for this because it is massively inaccurate.
> 
> I agree that nicname/whois is not the correct solution for your problem. 
>  One method for this type of check is to compare the result of the forward 
> domain query against the result of a query for the wildcard (e.g. if 
> example.com == *.com).

I don't wish to be a killjoy, but Jeremy's spam filter isn't broken - and
doesn't need fixing. Sure, Jeremy might rewrite his filter (unlikely from
the outset), but what about everybody else?

> >2) Microsoft name resolution on newer operating systems goes
> >through the stages of file, DNS, NetBIOS.  For a school district
> >that has implemented a Windows domain that does not exist in DNS
> >and is therefore resolved in the NetBIOS stage, 
> >the wildcard causes resolution of names to cease at the
> >DNS stage because that stage never returns the expected NXDOMAIN.
> >Implementation of a local DNS for the non-existent domain will
> >resolve this.
> 
> There are two solutions for picking a non-existent name for such 
> purposes.  The first is to pick a non-existent name within a domain 
> delegation for which you have control (e.g. if you have been delegated 
> example.com, then use does-not-exist.example.com).  The second solution 
> is to pick a name within the reserved TLDs specified in BCP 32 / RFC 
> 2606.  These TLDs are .example, .test, .invalid, and .localhost.

I can see everybody rushing to change their workgroup name to
'example', 'test', 'invalid' or 'localhost'. Workgroup names cannot contain
periods (certainly in recent versions of Windows), so a subdomain just
doesn't work - but in that situation, "myhost.workgroup" wouldn't resolve to
anything anyway, until .workgroup becomes a gTLD (God forbid).

The practical solution there is either to make sure your workgroup name
doesn't contain a period, or doesn't end in a real TLD.

I've got less sympathy in this case, because it's Microsoft who are making
rash assumptions. However, end-users didn't decide this, and it's now
accepted practice, for better or for worse.

I don't see a whole lot of point in hashing out workarounds for the wildcard
as-was, because in the end, they're going to boil down to "ask your ISP to
install the BIND patches and force .com and .net to be delegation-only".
I've suspected for a while now that said patches will be enabled by any ISP
worth its salt should SiteFinder make a reappearance in its previous form.

Anything else is fighting against millions of users' worth of accepted
practice, irrespective of what the PR might say.

Mo.

-- 
E: mo.mckinlay@cmlx.co.uk
T: +44 (0) 709 200 3083
W: http://cmlx.co.uk/
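
The comparison suggested in the quoted reply (forward lookup versus the `*.com` lookup), as an added example that is not part of the original message. The resolver is a stub over constructed records, and every function and variable name here is hypothetical.

```python
# Added illustration: treat a sender domain as non-existent when its A records
# are identical to the wildcard answer synthesized by its TLD.
from typing import Callable, FrozenSet, Optional

# A resolver returns the set of A-record addresses, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[FrozenSet[str]]]

def domain_exists(domain: str, resolve: Resolver) -> bool:
    """True if the domain resolves to something other than its TLD's wildcard."""
    name = domain.rstrip(".").lower()
    answer = resolve(name)
    if not answer:                      # NXDOMAIN or empty answer
        return False
    labels = name.split(".")
    if len(labels) < 2:                 # bare TLD: nothing to compare against
        return True
    # The "*.com" query from the message. Only the TLD wildcard is checked, so
    # a registered zone that runs its own wildcard is not misjudged.
    wildcard = resolve("*." + labels[-1])
    if not wildcard:                    # TLD has no wildcard
        return True
    # Same addresses as the wildcard: the answer was synthesized by the TLD.
    return answer != wildcard

# Constructed records (RFC 5737 documentation addresses) standing in for DNS.
WILDCARD_ADDR = frozenset({"192.0.2.1"})
SAMPLE_ZONE = {
    "example.com": frozenset({"198.51.100.7"}),
    "example.org": frozenset({"203.0.113.9"}),
}

def sample_resolver(name: str) -> Optional[FrozenSet[str]]:
    """Hypothetical resolver: .com and .net carry a wildcard, .org does not."""
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    if name.endswith((".com", ".net")):
        return WILDCARD_ADDR            # never NXDOMAIN under a wildcarded TLD
    return None                         # NXDOMAIN

if __name__ == "__main__":
    for d in ("example.com", "no-such-sender.com",
              "example.org", "no-such-sender.org"):
        print(d, domain_exists(d, sample_resolver))
```

A registered domain that happens to point at the same address as the wildcard would be classed as non-existent by this check.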



