jeffshultz@wvi.com (Jeff Shultz) writes:
> As I see it, the problem at hand is the current Windows 0day. What Gadi is doing is concentrating on a tactic it is using to justify solving what he sees as a more general problem (DNS abuse) that could be used by an exploit to any operating system. By solving it, this could mitigate future problems.
the more general problem is hard to agree about. i think it's that every day neustar and afilias and verisign and the other TLD registries handle many millions of new-domain transactions, most of which will never be paid for ("domain tasting") and most of which are being held with stolen credit cards. i don't know if these companies book the revenue ("ship bricks") or if this is just a hell hole of wasted time and money for them (or, both?) i do know that a small number of criminals and wastrels among the registrant and registrar communities are responsible for between 95% and 99.98% of each day's domain churn, and that most of the domains will never be used or will only be used for evil. some of the costs of this infrastructure-for-evil are passed on to the rest of the registrants, and all of the costs of the evil itself are passed on to the rest of humanity. now we can try to pour widescale poison on the domains we see used for evil, and hope that everyone who would like to be protected by that poison is able to get in on the action; or we can look at the registrars and registrants, and track their actions, and build a reputation system indicating who has done evil and who has irresponsibly or greedily profited from enabling evil. in the first case we have an infinite set of possible choke points; in the second we have a finite set. in the first case we have to pay the cost on every DNS lookup, in the second case we have to pay the cost on every DNS registration event.
> We're looking at the alligators surrounding us. Gadi is trying to convince us to help him in draining the swamp (which may indeed be a positive thing in the long run).
> Does that sound about right?
that sounds exactly wrong. harkening back to my experience with "check-names" i can tell you that all i did was scare away a few alligators and the swamp remained. (probably the same was true of the original MAPS RBL.) what we've got in the DNS registry/registrar market today is as corrupt and abusable as the California electricity market was back in 2000-2001, and we're seeing the same kind of windfalls enjoyed by the same kind of assholes now as then. the system is ripe for policing, which icann has shown that they will not do. i want to see gadi in "ralph nader" mode, shining a light on all this, making it harder to profit from building the "infrastructure of evil." if that's what you meant by swamp-draining, then i apologize for misunderstanding you.

-- Paul Vixie