[wildcard-comments] Comments on Verisign Wildcard RR deployment
I have several comments relating to Quris' experiences after Verisign's deployment of wildcard RRs. Many back up others' experiences.
We invested several hours redeploying DNS services at Quris to work around the wildcard records. The reasons:
1) SPAM filtering on our corporate mail gateway became much less effective, due to inability to check for bogus domains. The patched BIND server was necessary to regain control of at least some filtering.
2) We have several programs to test domain mail deliverability. These became less useful since the tools now believe that every domain exists and has a listening mail server.
3) We do mail delivery for Fortune 500 customers. These customers, some banking institutions, are very concerned about customer privacy. It is impossible to guarantee privacy when we know that Verisign is "routing delivery" on email addresses with possibly mis-entered domains. We need to regain the original behavior to ensure that such mail does not leave our network.
4) We recently debugged an application slowdown (Veritas NetBackup). Ultimately, we determined that the application was making a reference to a heretofore nonexistent host, harmlessly. After all such nonexistent hosts gained a real IP address, the application slowed down, trying to talk to Verisign's SiteFinder IP address. We wasted too much time looking for a situation that was not obvious and should (IMHO) not happen.
Thanks for the opportunity to relay this information. -Alan
-- Alan Sparks, Sr. UNIX Administrator asparks@xxxxxxxxx Quris, Inc. (720) 836-2058
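
Items 1 and 2 above describe domain-existence checks that stop working once every unregistered name resolves. The following is an added example, not part of the original message and not Quris' tooling: a wildcard-aware check that probes random labels under the TLD to learn the synthesized addresses, then treats answers made up only of those addresses as nonexistent. The stub resolver, domain names and addresses are constructed, and A records stand in for the MX/A lookup a mail tool would perform.

```python
import secrets

def wildcard_addresses(tld, resolve, probes=3):
    """Addresses returned for random names that cannot be registered.

    A non-empty result means the TLD synthesizes answers (a wildcard RR).
    """
    seen = set()
    for _ in range(probes):
        seen |= set(resolve(f"{secrets.token_hex(12)}.{tld}"))
    return seen

def domain_exists(domain, resolve, cache):
    """True only if the name has an address that is not a wildcard answer."""
    tld = domain.rstrip(".").rsplit(".", 1)[-1].lower()
    if tld not in cache:                      # probe each TLD once
        cache[tld] = wildcard_addresses(tld, resolve)
    answers = set(resolve(domain))
    # No answers: ordinary NXDOMAIN. Only wildcard answers: synthesized.
    return bool(answers - cache[tld])

def bogus_domains(domains, resolve):
    """Sender or recipient domains that a filter should treat as nonexistent."""
    cache = {}
    return [d for d in domains if not domain_exists(d, resolve, cache)]

def make_stub_resolver(zone, wildcards):
    """Offline stand-in for a DNS lookup: name -> list of A records."""
    def resolve(name):
        name = name.lower().rstrip(".")
        if name in zone:
            return zone[name]
        return wildcards.get(name.rsplit(".", 1)[-1], [])
    return resolve

# Constructed data: "com" answers every unknown name with one address,
# "org" returns nothing for unknown names.
ZONE = {"example.com": ["198.51.100.10"], "example.org": ["203.0.113.7"]}
WILDCARDS = {"com": ["192.0.2.1"]}
STUB = make_stub_resolver(ZONE, WILDCARDS)

if __name__ == "__main__":
    sample = ["example.com", "exmaple.com", "example.org", "nosuch.org"]
    print("naive check says exists:", [d for d in sample if STUB(d)])
    print("wildcard-aware bogus   :", bogus_domains(sample, STUB))
```

In real use, `resolve` would wrap the site's resolver library; the learned wildcard set should be refreshed periodically, since the synthesized address can change.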