On Tue, 3 Apr 2007, Fergie wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[top-posting to maintain the entire context below]
I think Doug makes some good points here (with the exception of number 6)...
I just posted this, and I believe it makes sense:

Title: Put Security Alongside .XXX

Isn't security as important to discuss as .XSS?

The DNS has become an abuse infrastructure, it is no longer just a functional infrastructure. It is not being used by malware, phishing and other Bad Things [TM], it facilitates them. Operational needs require the policy and governance folks to start taking notice.

It's high time security got where it needs to be on the agenda, not just because it is important to consider security, but rather because lack of security controls made it a necessity.

In discussion of my latest post, some folks on NANOG raised interesting ideas, such as (these are displayed as I understood them):

1. Terminating domains found to be registered with stolen credit cards (raised by Chris Morrow)
2. Introducing a delay to registration (Douglas Otis)
3. Reviewing legacy engineering decisions (David Conrad)
4. A show of responsibility by Registries and Registrars to take care of bad domains (Paul Vixie)
5. Public shaming should be considered (Paul Vixie)
6. Closing the vulnerability with DNS should not be ignored just because bad guys will find something else to exploit (Hank Nussbacher)
7. Check out http://www.icann.org/participate/ (John Crain)

As well as other ideas and contributors. I won't push my own here, there's enough already up there to keep us busy for a while.

Whether these ideas are good remains to be seen, the fact is that we now discuss the issues. Some other conclusions were that the domain registration system and process are a significant part of the current on-going abuse of the DNS infrastructure.

So, as important as the XXX TLD is, security should get as much attention, if not more. It's about the current policy which allows black hat registrars to exist (rather than controlling good ones - lower hanging fruit first?), as well as about the policy of registration and termination of domain names.
It is about old policy no longer fitting today's threats, and, in a limited fashion, technology which needs to be revamped.

Here is one of the latest emails in the NANOG thread, by me in reply to David Conrad. Things start to make sense now that flames and personal attacks have died down.

[previous NANOG post here]

Where do we go from here? If we do proceed, what legitimate business concerns stand to lose money? (or not earn as much?)

Gadi Evron, ge@linuxbox.org.