I've found this conversation hugely of interest… The below isn't really a question, more of a high level clarification/further thinking.

First, what actually happened and the impact (correct me if any of this is wrong): A stupid phishing complaint to NetSol by a 3rd party got he.net put into client hold. As a result, assuming there is no cache protection, name servers around the world trying to lookup anything.he.net were failing because ROOT servers said go to NetSol for .net, and NetSol had no answer for he.net due to client hold. This means:

1. he.net website would have been down regardless of whether their Auth NS was split Auth and split across TLDs
2. customer.com website would be down if customer.com used NS1.HE.NET and NS2.HE.NET as Auth DNS because that resolution would fail due to he.net being clienthold at NetSol
2.a. customer.com website would be UP if customer.com used NS1.HE.NET and NS2.HE.ORG as Auth DNS… assuming HE implemented secondary NS servers on another TLD, or secondary was Cloudflare or something.

Obviously the root cause was a glitch, but if it wasn't a phishing report it could have been any other number of human errors, billing issue, internal NetSol glitch/fat fingering, etc., something requiring human intervention - which is hard to do these days because nobody has a 24x7 NOC with real people who can make real changes. #2 could have been protected by #2A, but as others have said #1 isn't really possible to 100% protect against. Yes, HE could get and use their own vanity TLD at huge expense (say .he TLD) and since they control it a glitch like this can't burn them, but you just trade risk because now you have to maintain the infra of this TLD. So #1's the easiest fix - just use MarkMonitor. Ok…. now a rabbit hole.
I looked at some vanity TLDs, and it appears that a LOT of big companies have their names as TLDs, but almost none of them are using it for anything. Why is that? Is it just a copyright play to protect the name from someone else taking it? Then it got me interested, assuming a company already has the infra, what is a realistic cost to get your own TLD and actually use it for yourself (and maybe others)? I saw something online that said $250,000 but that didn't make sense if it's all paperwork. Again, this assumes you already have infra to use.

-John
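A check for the #2 / #2.a distinction in John's post, added here as an example and not part of the thread: given a zone and its nameserver hostnames, it reports whether every nameserver depends on one registration (such as he.net) that a single clientHold could take away, and whether spreading NS across registrations would fix that. The registrable-domain heuristic (label directly under the TLD) and the NS sets are assumptions, constructed from the scenarios above rather than looked up.

```python
"""Flag a zone whose entire NS set hangs off one domain registration.
Added example (not from the thread); NS sets are constructed, not queried."""


def registered_domain(hostname: str) -> str:
    """Registration a hostname depends on, approximated as the label directly
    under the TLD. Assumption: a production check should use the Public Suffix
    List instead of this two-label heuristic."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified hostname: {hostname!r}")
    return ".".join(labels[-2:])


def registration_spof(zone: str, nameservers: list[str]) -> dict:
    """Group nameservers by registration and flag any registration that every
    nameserver depends on: one clientHold there removes all glue/NS answers."""
    by_reg: dict[str, list[str]] = {}
    for ns in nameservers:
        by_reg.setdefault(registered_domain(ns), []).append(ns.lower())
    spof = [r for r, hosts in by_reg.items() if len(hosts) == len(nameservers)]
    zone_reg = registered_domain(zone)
    return {
        "registrations": by_reg,
        "tlds": sorted({r.rsplit(".", 1)[1] for r in by_reg}),
        "spof": spof,
        # If the SPOF is the zone's own registration, NS diversity cannot help:
        # the delegation itself lives in that registration (point #1 above).
        "fixable_by_ns_diversity": bool(spof) and zone_reg not in spof,
    }


if __name__ == "__main__":
    cases = {  # constructed from the scenarios in the post
        "he.net itself, all NS under he.net (#1)": ("he.net", ["ns1.he.net", "ns2.he.net"]),
        "customer.com on ns1/ns2.he.net (#2)": ("customer.com", ["ns1.he.net", "ns2.he.net"]),
        "customer.com on ns1.he.net + ns2.he.org (#2.a)": ("customer.com", ["ns1.he.net", "ns2.he.org"]),
    }
    for label, (zone, nss) in cases.items():
        print(label, "->", registration_spof(zone, nss))
```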
On Jul 5, 2024, at 5:18 AM, Bill Woodcock <woody@pch.net> wrote:
On Jul 5, 2024, at 09:53, Jeroen Massar via NANOG <nanog@nanog.org> wrote:

Please note that:
- Markmonitor is owned by Newfold Digital / Endurance International [1]
- Network Solutions is owned by Web.com [2]
- Web.com is... owned by Newfold Digital [3]
And... we all still have ICANN as an ultimate power, and the TLD itself, next to the above registrar.
There are always going to be single points of failure in a hierarchical tree like that.
Taking off on what Jeroen is saying here… A huge amount of PCH’s work is with TLD registries. Much of that is ccTLDs, national domains, but a fair bit is also with brand TLDs. I think a lot of people are dismissive of brand TLDs, thinking “oh, that’s just trademark protection.” And MarkMonitor and CSC were, admittedly, a part of the reason why people treat them dismissively. The majority of brand TLDs lie fallow, with little to no use.
That’s unfortunate, because a TLD of its own is one of the VERY BEST things an organization can do to reduce security externalities. It’s a really foundational building-block in modern security. You can do DNSSEC and DANE and use all of the security tools and processes that build upon those, without having to depend upon the (largely non-existent) security of the registrar-registry chain. There are more protocols and tools coming down the pike that build further on that foundation. There are browsers coming which will trust the existence or non-existence of a DANE cert, without allowing a downgrade attack to a bogus CA cert. There are Digital Emblems coming (participate in the BoF at the IETF if you care!). That leaves you with just the one (?) externality of the IANA (and the RZM agreement) which, yeah, you’re not going to get past. But that’s done very, very securely, so if you have to trust one external party, at least they’re _competent_ and well-funded and not going to get acquired by a Florida Man private-equity outfit.
ICANN’s going to open another round of TLD applications, and I expect a lot of companies to go into that with their eyes more open than last time, knowing why they’re doing it. It’s not about brand protection, it’s about disintermediating the root of trust and giving yourself a solid foundation for your security architecture.
-Bill