undefined | Better HN

0 pointsforgotaccount329d ago0 comments

> The bigger problem is the unbanning

The was my first thought as well. Yes, using the Safe Browsing list feels wrong, but I don't know enough to speak definitively in that regards. However wouldn't a relatively simple solution be that if a registrar is choosing to use some third party's list of banned DNS entries that the registrar then also implement sufficient unblocked components that will allow people to be unbanned from that third party?

> Add a DNS TXT or a CNAME record.

I haven't had a use-case for a TXT record come up yet, but isn't it low risk enough to allow domain owners to continue to configure TXT records even if the registrar wants to ban configuring other record types? Then the person in the article could prove ownership and could then get off of the third party ban list that the registrar was utilizing.

0 comments

ndriscoll29d ago

DNS can be thought of as a distributed KV store with built in caching suitable for low write high read use cases, so TXT makes sense for that. e.g. basic feature flagging can be accomplished that way with basically no work to set it up assuming you were already using DNS.

basilikum29d ago

The registry cannot ban individual record types. That is not how DNS works.

The registry only maintains a list of NameServers associated with the domain (and records for DNSSEC zone signing). Registries have nothing to do with regular records. They only record who defines those records.

roblabla29d ago

There is _some amount_ of justification to ban TXT. There have been a few cases of C2 servers using DNS to send instructions to malware, so letting TXT slip through the cracks would still allow for that.

Now whether this downside justifies the massive problem it causes on false positives...

jerf29d ago

TXT can't be banned. There are several RFCs that require TXT records, such as DKIM configuration, DMARC configuration, and it is extensively used for verification by things like AWS SES, Microsoft Office, and all kinds of things. It's built into many standards and used by all kinds of other entities for all kinds of perfectly legitimate things.

roblabla28d ago

Did you read my reply without reading the parent I was replying to? I’m talking about not allowing a blocked domain from being able to add new TXT entries as the parent was suggesting. Of course TXT shouldn’t be banned entirely…

dathinab29d ago

yes, but in that cases we are on the "this (should) involve a criminal investigation" level not on a "Google Safe Search" doesn't trust you level

j / k navigate · click thread line to collapse