Date: Mon, 2 Apr 2007 21:09:24 -0500 (CDT)
From: Gadi Evron <ge@linuxbox.org>
Subject: what registrars need to do with no incentive [was: Re: On-going ..]
On Mon, 2 Apr 2007, Robert Bonomi wrote:
From: David Conrad <drc@virtualized.org>
Subject: Re: On-going Internet Emergency and Domain Names
Date: Mon, 2 Apr 2007 17:33:08 -0700
On Apr 2, 2007, at 4:56 PM, Douglas Otis wrote:
The recommendation was for registries to provide a preview of the next day's zone.
I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes.
This is getting far afield from 'network operations', but the underlying issue is really quite simple: There are *NO*PENALTIES* for registering 'bogus' domains. The registry operator has -no- (financial) incentive to investigate, nor remove, a 'falsified' entry. Once a name is in the database, _anything_ affecting it is an 'un-necessary expense' to the registry operator.
Similarly, there is no dis-incentive to a registrar with regard to _filing_ a bogus registration with a registry.
Or policy.
Yes, there _is_ policy against it. In the case of ICANN-controlled domains, it is a breach of the registrar's contract with the registry operator. It is also a breach of the registrant's contract with the operator. Those things provide a 'cause' for which the registrar can cancel the registration of the domain. *IF*THEY*CHOOSE*TO*. But, they, -currently- have little-to-no incentive _to_ do so. Handling complaints, and cancelling domains is, unfortunately, an 'added expense' to a registrar. If that expense can be avoided, the "bottom line" looks better.
The registry operator has no financial incentive to penalize those from whom it derives its revenues (i.e. the registrars). The truth of -that- statement should be self-evident. Nor, at the current price-point, the resources to verify the data presented.
The registrar suffers no penalties for the 'occasional' breach. And has no compelling financial reason to 'throw good time/effort after bad' by taking punitive action 'after the fact' -- by doing nothing, it is an 'avoidable expense' that improves bottom-line results.
Change the 'environment' -- so that it *IS* in the financial interest of the registrars and registry operators to run a 'clean house', and the issues of 'dirty operations' will disappear. One doesn't _have_ to worry about 'how' to make it happen -- the 'interested parties' *will* figure that out for themselves.
Registrars, and registry operators, are *NOT* 'altruistic' entities, however much we might 'wish' that is the case. They are commercial entities, and, as such, their own 'self-interest' is their _primary_ interest. The current 'problem' is that what is 'best for those operators' is _not_ what is 'best for the community'.
The fix *IS* to 'change the rules' so that the 'self-interest' of those 'core players' _is_ aligned with what is 'best for the community'. The simplest way to accomplish that is to make it 'more expensive' to "do it wrong", than it is to "do it right".
This is stuff that one _should_ be able to 'sell' to ICANN, and get incorporated (at the very worst) in the next round of registry-operator renewal contracts, with 'pass through' to registrar contracts taking effect in an additional 30 days, or so.
Structured right, making 'cleaning house' a _revenue_source_ for the registry operator, and they will _very_likely_ "agree" to modification of the existing contracts to support the additional revenues. Meaning that one would -not- have to wait for contract renewals to implement.
Not to belabor the obvious, but the Internet is a _co-operative_ venture. There is *no* 'strong central authority' that can 'dictate' terms that everyone must follow. What 'control' there is exists _only_ because almost all the players _voluntarily_ agree to play by the same rules. If enough players become 'dis-satisfied' with what the 'control' does, then that authority will disappear, and be replaced by 'something else'. "Comes the Revolution, things will be different -- not necessarily better, but different" will apply. And there will be -no- going back, even if people decide they -don't- like the revolutionary world better.
Recognize that what you are dealing with is a 'political' problem -- its roots are in the way _people_ behave. 'Technical' fixes to 'people' problems are doomed -- the world will invent a more efficient fool.
Address _these_ issues, and the domain names "problem" will effectively disappear.
One _possible_ approach to dealing with the problem:
1) registry includes in its contract with registrars a (non-trivial) $$ penalty for any registration filed that is found to contain invalid information.
And work a bit harder to make sure the information is valid. This can mean higher costs, of course.
You cannot mandate how hard somebody must work. It doesn't work. Make it 'expensive enough' to be wrong, and *then* they will make the necessary effort to be 'right'.
2) 'formal complaints' to registrar about invalid information must include a 'filing fee' for the complaint. If the complaint is in-accurate, the filer loses their filing fee. HOWEVER, if the complaint _is_ valid, the _original_ filer gets back _more_ than their fee (paid out of the 'fine', see item 1, above, assessed against the registrar) while any additional complainants get all their original money returned. Possible variation: the size of the fine assessed against the registrar for a 'confirmed' complaint depends on the number of complaints received within some 'reasonable' time of the first complaint -- and all complaints within that 'window' get the 'bounty' for a valid complaint.
3) Registrars are charged a _sliding-scale_ of fees, with higher fees based on the numbers and/or percentages of 'bogus' registrations submitted recently. (This is similar to the way 'unemployment taxes' are assessed in the U.S. If there are more claims against your company, you pay a higher rate than similar firms with lower claims.)
4) Registrars with higher rates of 'invalid' submissions are _rate-limited_ as to how fast they can submit registrations.
Bulk registration should be limited, or at the very least regulated.
Impossible to make effective. Too many big operations have legitimate basis for registering large numbers of domains. Usually on behalf of clients. You cannot differentiate, _at_the_registry_operator_level_ between a submission of 10,000 names on behalf of 10,000 legitimate clients, and a submission of 10,000 names on behalf of 10,000 forged client-names, all controlled by the same criminal entity. You cannot rely on the 'good intentions' of registrars -- it is well known that several registrars are controlled by 'bad guys'.
Suspending domains registered with a stolen CC (as mentioned) seems natural, doesn't it?
Honest answer, "no". Does it accomplish anything?
If a credit card has -already- been reported stolen, and the registrar is doing real-time charge authorization (and I don't know of any incompetent enough -not- to be so doing), the domain registration fails.
OTOH, If the card has *not* been reported stolen, it is *weeks* before the fact of the stolen card is _discovered_. With the 'professional bad guys' only expecting to get a few days, to maybe one week, before the name is widely blocked, cancelling the name weeks -later- will have no significant effect. So, just what 'benefit' does this "natural" idea buy?
The registry operator doesn't know (and doesn't care) how the registrant paid the registrar. They don't have the information to investigate, or act. And, they "don't care" -- they _have_ been paid, by the registrar, whether or not the registrar got 'stiffed' by the registrant. The registrar is _already_ out the registry fee for the domain, with no possible further revenues from that customer account. _WHY_ should they go to the 'extra expense' of spending the time/effort to cancel the domain that is probably not even being used any more?
Something as 'trivial' as closed-loop e-mail confirmation (a la 'best practice' for mailing-list sign-up) would likely have a much bigger impact on fraudulent registrations. Especially if 'freemail', and 'anonymous' accounts are not allowed to be used for 'confirmation'.
An additional requirement that the IP address from which the registration submission originates have rDNS that is in the same domain as the confirmation address would go a *LONG* way towards providing some 'accountability' in the domain registration process.
One other alternative is to require a 'certificate' of identity (a la X.509) to register a domain name. With a certificate "revocation" resulting in automatic cancellation of all domains registered under it.
This provides a degree of traceability/accountability to the registration process, _and_ 'raises the bar' for fraudulent operators, by tying their operations together, _or_ greatly increasing the lead-time _and_ cost of setting up false-front domains.
Underlying assumptions:
A) The 'filing fee' approximates the registry operator cost of performing a basic investigation.
B) The 'fine' assessed against a registrar is significantly higher than the actual 'cost' of the investigation.
C) A registrar that has higher per-registration costs is at a competitive disadvantage to those who can provide equivalent service at a lower price.
D) A registrar who has to say "We'll take your application now, but we can't tell you for xx hours (or days) if your application for that name was successful" is at a competitive disadvantage to one who can tell you _now_ 'your application was successful'.
*THIS* gives the registry operator an incentive to 'clean house' -- finding and eliminating 'problem listings' is a REVENUE SOURCE.
Similarly, registrars have an incentive to ensure that their _own_ house is clean. Lack of diligence costs them extra money, -and- places them at a disadvantage relative to their competition.
'White-hat' registrars can do something similar with regard to registrants. Registrants fall into three broad categories; (a) those who have never filed before, (b) those who _do_ have a history of problem-free filings, and (c) those who have a history of filings where there have been some problems.
Those with a 'no problems' history are processed in an expedited manner, subject to checks for 'abnormal' behavior -- e.g. a radical increase in the number/rate of submissions.
Those with no histories are subjected to additional cross-checking/verification, and, possibly, higher 'new user' charges.
Those with 'problematic' histories get deferred, surcharged, and/or rate-limited processing.
One can 'tune' the rate schedules for 'new users', and 'problematic' filers, to reflect the "risk level" that the registrar is willing to incur, -with- the recognition that registrar-level penalties imposed by a registry operator will affect _all_ registrations through that registrar, not just 'problematic' ones.
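
Added example (not part of the original thread): a sketch of the registrar-side intake check the message proposes, combining closed-loop e-mail confirmation, a freemail exclusion and the rDNS-in-same-domain requirement. The freemail list, PTR table, key and all function names are assumptions constructed for illustration; a static table stands in for real DNS lookups so the block runs offline.

```python
import hashlib
import hmac

# Constructed sample data: not a real freemail list or real PTR records.
FREEMAIL = {"freemail.example", "anonmail.example"}
PTR_TABLE = {"192.0.2.10": "mail.registrant.example.",
             "198.51.100.7": "host7.dialup.isp.example."}
SECRET = b"registrar-demo-key"  # placeholder signing key

def email_domain(addr):
    """Return the lower-cased domain part of an e-mail address."""
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address")
    return domain.lower().rstrip(".")

def in_domain(host, domain):
    """True if host equals domain or is a subdomain of it (label-aligned)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def confirmation_token(addr, name):
    """Token mailed to the registrant; binds the address to the requested name."""
    msg = f"{addr.lower()}|{name.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def check_submission(addr, src_ip, lookup_ptr=PTR_TABLE.get):
    """Pre-confirmation checks. Returns (accepted, reason)."""
    domain = email_domain(addr)
    if domain in FREEMAIL:
        return False, "freemail confirmation address"
    ptr = lookup_ptr(src_ip)  # hypothetical resolver hook; table lookup here
    if ptr is None:
        return False, "no rDNS for submitting IP"
    if not in_domain(ptr, domain):
        return False, "rDNS outside confirmation domain"
    return True, "pending e-mail confirmation"

def confirm(addr, name, token):
    """Close the loop: the registration activates only if the mailed token returns."""
    return hmac.compare_digest(confirmation_token(addr, name), token)
```

A PTR record is set by whoever controls the address block, so a deployed version would also resolve the returned name forward and require it to map back to the submitting IP.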