Re: ICANNs role [was: Re: On-going ...]
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [top-posting to maintain the entire context below] I think Doug makes some good points here (with the exception of number 6)... - - ferg - -- Douglas Otis <dotis@mail-abuse.org> wrote: On Apr 2, 2007, at 7:02 PM, Gadi Evron wrote:
On Mon, 2 Apr 2007, David Conrad wrote:
On Apr 1, 2007, at 8:45 AM, Gadi Evron wrote:
The one concrete suggestion I've seen is to induce a delay in zone creation and publish a list of newly created names within the zone. The problem with this is that is sort of assumes:
What are your thoughts on basic suggestions such as: 1. Allowing registrars to terminate domains based on abuse, rather than just fake contact details.
This requires a separate agency tasked to respond to reports of crime. Registrars have a conflict of interest (they want to be profitable). Even answering the phone to deal with this type of problem costs more than a registration is worth. Hence, it is easier to establish domain tasting which essentially drops this entire problem into someone else's lap.
2. Following these incidents as they happen so that YOU, in charge, can make these suggestion?
Often enforcement policies begins with a complaint. But who is taking the role of enforcement?
3. For true emergencies threatening the survivability of the system, shoudln't we be able to black-list a domain in the core?
It would be nice if there were an agency that had a mechanism in place for routinely yanking domains that pose a public threat. Who would you trust in that role? Unfortunately, the US has lost their credibility as loudly echoed on this list.
4. Black lists for providers are not perfect, but perhaps they could help protect users significantly?
Black-hole or block-lists is where protection can be introduced, political push back will thwart centralized enforcement. To support this mode of operation, a preview mode of operation would be highly beneficial. Currently bad actors will keep such efforts in a futile feckless reactive mode.
5. Enforcing that registrars act in say, not a whitehat fashion, but a not blackhat fashion?
Of course a bad registrar might warrant greater scrutiny. At what point would all their customers need to find a different registrar?
6. Yours here?
Perhaps only banks should be allowed to act as registrars? At least they know how to check physical IDs. - -Doug -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.0 (Build 214) wj8DBQFGEc7Vq1pz9mNUZTMRAtoyAKDHDvGL6rvC+tKjlfrN0T09f4JjGACg+GBa rARiLG+Oj2UY1y1EFjqPlA8= =PJHj -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/
On Tue, 3 Apr 2007, Fergie wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
[top-posting to maintain the entire context below]
I think Doug makes some good points here (with the exception of number 6)...
I just posted this, and I believe it makes sense: Title: Put Security Alongside .XXX Isn't security as important to discuss as .XSS? The DNS has become an abuse infrastructure, it is no longer just a functional infrastructure. It is not being used by malware, phishing and other Bad Things [TM], it facilitates them. Operational needs require the policy and governance folks to start taking notice. It's high time security got where it needs to be on the agenda, not just because it is important to consider security, but rather because lack of security controls made it a necessity. In discussion of my latest post, some folks on NANOG raised interesting ideas, such as: (these are displayed as I understood them) 1. Terminating domains found to be registered with stolen credit cards (raised by Chris Morrow) 2. Introducing a delay to registration (Douglas Otis) 3. Reviewing legacy engineering decisions (David Conrad) 4. A show of responsibility by Registries and Registrars to take care of bad domains (Paul Vixie) 5. Public shaming should be considered (Paul Vixie) 6. Closing the vulnerability with DNS should not be ignored just because bad guys will find something else to exploit (Hank Nussbacher) 7. Check out http://www.icann.org/participate/ (John Crain) As well as other ideas and contributors. I won't push my own here, there's enough already up there to keep us busy for a while. Whether these ideas are good remains to be seen, the fact is that we now discuss the issues. Some other conclusions were that the domain registration system and process are a significant part of the current on-going abuse of the DNS infrastructure. So, as important as the XXX TLD is, security should get as much attention, if not more. It's about the current policy which allows black hat registrars to exist (rather than controlling good ones - lower hanging fruit first?), as well as about the policy of registration and termination of domain names. It is about old policy no longer fitting today's threats, and, to a limited fashion, technology which needs to be revamped. Here is one of the latest emails in the NANOG thread, by me in reply to David Conrad. Things start to make sense now that flames and personal attacks have died down. [previous NANOG post here] Where do we go from here? If we do proceed, what legitimate business concerns stand to lose money? (or not earn as much?) Gadi Evron, ge@linuxbox.org.
On Mon, Apr 02, 2007 at 10:56:00PM -0500, Gadi Evron wrote: ...
I just posted this, and I believe it makes sense:
Title: Put Security Alongside .XXX
Isn't security as important to discuss as .XSS?
The DNS has become an abuse infrastructure, it is no longer just a functional infrastructure. It is not being used by malware, phishing and other Bad Things [TM], it facilitates them.
Again - DNS is the infrastructure for EVERYTHING. It facilitates EVERYTHING. If you threw it out and put something else in that was not as clunky as editing hosts.txt files 'scp'ed from DARPA daily, then THAT would be what was facilitating everything.
Operational needs require the policy and governance folks to start taking notice.
It's high time security got where it needs to be on the agenda, not just because it is important to consider security, but rather because lack of security controls made it a necessity.
Completely separately from your personal views on DNS, the above are quite true. -- Joe Yao Analex Contractor
Again - DNS is the infrastructure for EVERYTHING. It facilitates EVERYTHING.
Not so. On the public Internet applications like Edonkey and Emule work fine without it. We run a global IP network that is not connected to the public Internet and over 90% of our customers' applications don't use any DNS. They use IP addresses directly. DNS is only a facilitator for those applications that WANT to use it. And even though most current applications want to use DNS, they usually function just fine with straight IP addresses. DNS is more of a habit, than a necessity. If the users of the Internet, collectively, decide that DNS is a bad habit, better to be avoided, then you will see more and more applications that work around the DNS. Like ICQ. Or they will only use the DNS minimally in order to root their own namespaces, like LDAP with RFC 2247. --Michael Dillon
On Tue, Apr 03, 2007 at 09:16:47PM +0100, michael.dillon@bt.com wrote:
Again - DNS is the infrastructure for EVERYTHING. It facilitates EVERYTHING.
Not so. On the public Internet applications like Edonkey and Emule work fine without it. We run a global IP network that is not connected to the public Internet and over 90% of our customers' applications don't use any DNS. They use IP addresses directly.
Fair. If you have a small or stable enough private network that you don't need to use DNS to look up things that might be different from time to time, or to send e-mail by looking up where that mail goes, this works. I don't think it scales. And at least one person claimed not to be using DNS at all ... I suspect he just didn't know how it was priming his engine.
DNS is only a facilitator for those applications that WANT to use it. And even though most current applications want to use DNS, they usually function just fine with straight IP addresses. DNS is more of a habit, than a necessity.
So is using the decimal system rather than counting sticks. But it sure makes things doable versus insurmountable.
If the users of the Internet, collectively, decide that DNS is a bad habit, better to be avoided, then you will see more and more applications that work around the DNS. Like ICQ. Or they will only use the DNS minimally in order to root their own namespaces, like LDAP with RFC 2247.
Lots of little edge apps. No core scalability. -- Joe Yao Analex Contractor
Joseph S D Yao wrote:
On Mon, Apr 02, 2007 at 10:56:00PM -0500, Gadi Evron wrote: ...
I just posted this, and I believe it makes sense:
Title: Put Security Alongside .XXX
Isn't security as important to discuss as .XSS?
The DNS has become an abuse infrastructure, it is no longer just a functional infrastructure. It is not being used by malware, phishing and other Bad Things [TM], it facilitates them.
Again - DNS is the infrastructure for EVERYTHING. It facilitates EVERYTHING. If you threw it out and put something else in that was not as clunky as editing hosts.txt files 'scp'ed from DARPA daily, then THAT would be what was facilitating everything.
Maybe it would make sense for someone to reiterate what types of abuse DNS is facilitating? I believe what Gadi was getting at was mainly the ability to use fake details to register a domain, and then very rapidly cycling the A records through a wide range of hosts, attempting to avoid detection. As opposed to there actually being fundamental flaws open to abuse in a system that maps names to IP addresses. Sam
On Tue, Apr 03, 2007 at 11:29:27PM +0100, Sam Stickland wrote: ...
Maybe it would make sense for someone to reiterate what types of abuse DNS is facilitating? I believe what Gadi was getting at was mainly the ability to use fake details to register a domain, and then very rapidly cycling the A records through a wide range of hosts, attempting to avoid detection. As opposed to there actually being fundamental flaws open to abuse in a system that maps names to IP addresses. ...
Which is mostly a policy / procedure problem rather then a DNS problem, eh? -- Joe Yao Analex Contractor
On Apr 3, 2007, at 3:29 PM, Sam Stickland wrote:
Maybe it would make sense for someone to reiterate what types of abuse DNS is facilitating? I believe what Gadi was getting at was mainly the ability to use fake details to register a domain, and then very rapidly cycling the A records through a wide range of hosts, attempting to avoid detection. As opposed to there actually being fundamental flaws open to abuse in a system that maps names to IP addresses.
Despite doubts several stated about creating a fairly comprehensive view of the Internet landscape, dedicated systems working in unison do keep fairly close tabs on what is what. Threat information is then pushed to the edge (as some would call it). The abuse of registries has been able to thwart the effectiveness in dealing with much of the threat landscape as it undergoes a transformation every few minutes. The latency in distributing threat information prevents its protection from being as effective as it should be when facing undefined threats within a rapidly transforming environment. No one wants to wait for security checks while browsing. This information must be preprocess and "at the ready", or the Internet starts to feel rather slow and broken. By slowing down registry updates and even providing a preview of upcoming changes will allow security to become much faster in providing comprehensive answers, and make browsing seem unimpaired (as it should be). There is no need for rapidly unannounced updates by the registries. Getting a commerce site set up in milliseconds all to often benefits those wishing to abuse this immediacy. Would it really be that hard to say "Confirm the operation of DNS for this website at this time tomorrow."? Just because this information can be published within a few milliseconds, does not make doing so a good idea. It would be a better for security reasons to offer this information for review first well before it goes "live". The price for pushing protective information to the edge by just one company fighting this blitz krieg is simply astounding. In addition, there are costs incurred by the reduced protection caused as well. Whether it is click fraud, botnets C&Cs, phishing sites, etcetera, etcetera. Slowing registries and offering a preview can dramatically shift the balance in this faltering struggle. There are many security concerns that can make extremely good use of this information without depending upon some centralized policing that never seems to be sufficient or effective as to be noticeable. It is not obvious how the daily 5 million domain name churn driven by an astounding high level of fraud and identity thief can be slowed. Perhaps we will all soon need a cryptographic fob instead of a wrist watch to accompany our other pieces of identification. Stabilizing the landscape can better ensure system owners have a better idea when they are entering dangerous territory. This alone should help them keep their systems as safe as possible in the face of unknown threats. Tracking all this information may seem daunting, but is there any other practical alternative? -Doug
No one wants to wait for security checks while browsing. This information must be preprocess and "at the ready", or the Internet starts to feel rather slow and broken. By slowing down registry updates and even providing a preview of upcoming changes will allow security to become much faster in providing comprehensive answers, and make browsing seem unimpaired (as it should be).
There is no need for rapidly unannounced updates by the registries.
That simply isn't true. It is more reasonable to say that "there is no need for rapid /and/ frequent updates" and to put some limits in place. One fine day, I got involved with an ISP client handling a most unusual situation. They had been contacted by some folks at United Media who were in a panic because they had botched a registry update, putting in IP addresses that did not work. As it happens, one of the IP's in question was in an outsourced dial pool in Rockford, IL (IIRC - maybe Beloit) and they had the imagination to call the ISP in question. We set up a static IP, dialed in, and watched port 53 data stream in at the full line speed. Everyone in the world who was looking for Dilbert and other United Media properties was of course talking to resolvers that were in turn banging on that IP. Well, answering with much larger packets through the dialup wasn't practical, and the ISP's upstreams had ingress filtering, but I did manage to set up a VPN over to our networks where we control our own filtering and our upstreams didn't do any ingress. We ended up fixing them a handful of hours after their error. We watched the DNS traffic dwindle over the next two days, and eventually hung up. ;-) Obviously they had updated their info as soon as they could, but the .com zone wasn't updated for almost another day (or was it two?) Now, the reality is, accidents do happen. However, they happen infrequently enough that you probably do not need to be able to change your nameservers through the web interface and have them reflected 5 seconds later. I do think that it would be very valuable to have the capability to call someone at a registrar to deal with issues like this for the infrequent times that it is needed, or perhaps allow one such change per week(?) through the web interface. Let us not get so intent on "getting the bad guy" that we damage the innocent at the same time. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
At 09:41 PM 4/3/2007, you wrote:
No one wants to wait for security checks while browsing. This information must be preprocess and "at the ready", or the Internet starts to feel rather slow and broken. By slowing down registry updates and even providing a preview of upcoming changes will allow security to become much faster in providing comprehensive answers, and make browsing seem unimpaired (as it should be).
There is no need for rapidly unannounced updates by the registries.
That simply isn't true.
It is more reasonable to say that "there is no need for rapid /and/ frequent updates" and to put some limits in place.
One fine day, I got involved with an ISP client handling a most unusual situation. They had been contacted by some folks at United Media who were in a panic because they had botched a registry update, putting in IP addresses that did not work. As it happens, one of the IP's in question was in an outsourced dial pool in Rockford, IL (IIRC - maybe Beloit) and they had the imagination to call the ISP in question.
We set up a static IP, dialed in, and watched port 53 data stream in at the full line speed. Everyone in the world who was looking for Dilbert and other United Media properties was of course talking to resolvers that were in turn banging on that IP.
Well, answering with much larger packets through the dialup wasn't practical, and the ISP's upstreams had ingress filtering, but I did manage to set up a VPN over to our networks where we control our own filtering and our upstreams didn't do any ingress. We ended up fixing them a handful of hours after their error. We watched the DNS traffic dwindle over the next two days, and eventually hung up. ;-)
Obviously they had updated their info as soon as they could, but the .com zone wasn't updated for almost another day (or was it two?)
Now, the reality is, accidents do happen. However, they happen infrequently enough that you probably do not need to be able to change your nameservers through the web interface and have them reflected 5 seconds later. I do think that it would be very valuable to have the capability to call someone at a registrar to deal with issues like this for the infrequent times that it is needed, or perhaps allow one such change per week(?) through the web interface.
Let us not get so intent on "getting the bad guy" that we damage the innocent at the same time.
So, an "oops, I screwed up, and am in a panic" fee, of, say $100 and a quick but accurate identity check combined would take care of such an emergency. The fee would pay for the expense of the identity check, and perhaps provide a bit of profit for the registrar. This seems reasonable and workable. Or the fee could just be an extra profit for registrar and registry, raise the cost of doing business for the abusers, and also be workable.
So, an "oops, I screwed up, and am in a panic" fee, of, say $100 and a quick but accurate identity check combined would take care of such an emergency. The fee would pay for the expense of the identity check, and perhaps provide a bit of profit for the registrar. This seems reasonable and workable. Or the fee could just be an extra profit for registrar and registry, raise the cost of doing business for the abusers, and also be workable.
What purpose does an identity check serve? How do you verify the identity? If a domain name is already registered, what value is there to the "identity" check? What identity are you verifying? The individual requesting the update? The company? What happens when you find yourself unable to navigate the County Clerk's office at 5:01PM to look up that fictitious name filing? If you want to establish identities, the time to do that is at registration time - not crunch time. Why not simply limit updates? As a method for stopping rapid update abuse, limits would seem to be highly effective. Possible policy: You get two "instant updates" a month. This is sufficient to handle a change of nameserver, plus a correction for the inevitable error. Further updates are allowed once every two days, similar to past policy. Or maybe even less. If you need more "instant updates," you pay a fee to the registrar, who can be made to have an interest in making sure that the transaction is not a fraud. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Why not make it so that instant updates require a human to show up in person somewhere and give their fingerprint. (there are a huge number of businesses out there that make a living handling transactions where identity matters (think western union, etc), perhaps some of them would be happy to have the business. the fees involved could cover their costs and some profit) To maintain access I would let many businesses participate in the front end of this (I can pay my phone bill at a number of local businesses in person if I'm too much of a loser to get it done ahead of time with a bank account or credit card)... (This is probably a stupid idea for some reason I can't think of at the moment, but it seemed worth mentioning) On 4/3/07, Joe Greco <jgreco@ns.sol.net> wrote:
So, an "oops, I screwed up, and am in a panic" fee, of, say $100 and a quick but accurate identity check combined would take care of such an emergency. The fee would pay for the expense of the identity check, and perhaps provide a bit of profit for the registrar. This seems reasonable and workable. Or the fee could just be an extra profit for registrar and registry, raise the cost of doing business for the abusers, and also be workable.
What purpose does an identity check serve? How do you verify the identity? If a domain name is already registered, what value is there to the "identity" check? What identity are you verifying? The individual requesting the update? The company? What happens when you find yourself unable to navigate the County Clerk's office at 5:01PM to look up that fictitious name filing?
If you want to establish identities, the time to do that is at registration time - not crunch time.
Why not simply limit updates? As a method for stopping rapid update abuse, limits would seem to be highly effective.
Possible policy:
You get two "instant updates" a month. This is sufficient to handle a change of nameserver, plus a correction for the inevitable error.
Further updates are allowed once every two days, similar to past policy. Or maybe even less.
If you need more "instant updates," you pay a fee to the registrar, who can be made to have an interest in making sure that the transaction is not a fraud.
... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Tue, Apr 03, 2007 at 10:55:38PM -0500, Joe Greco wrote: ...
What purpose does an identity check serve? How do you verify the identity? If a domain name is already registered, what value is there to the "identity" check? What identity are you verifying? The individual requesting the update? The company? What happens when you find yourself unable to navigate the County Clerk's office at 5:01PM to look up that fictitious name filing?
If you want to establish identities, the time to do that is at registration time - not crunch time.
Hello, my name is Joe Greco, I made a bad mistake registering the IP addresses of dns1.sol.net, dns2.sol.net, dns4.sol.net, and dnsz.sol.net, and I need you to change them to 216.218.130.2, 216.218.131.2, 216.218.132.2, and 216.218.132.2, respectively. I have deposited $100 to you via PayPal to cover the sudden-change fee. Now YOU tell ME what purpose an identity check serves. ;-) -- Joe Yao Analex Contractor
On Tue, Apr 03, 2007 at 10:55:38PM -0500, Joe Greco wrote: ...
What purpose does an identity check serve? How do you verify the identity? If a domain name is already registered, what value is there to the "identity" check? What identity are you verifying? The individual requesting the update? The company? What happens when you find yourself unable to navigate the County Clerk's office at 5:01PM to look up that fictitious name filing?
If you want to establish identities, the time to do that is at registration time - not crunch time.
Hello, my name is Joe Greco, I made a bad mistake registering the IP addresses of dns1.sol.net, dns2.sol.net, dns4.sol.net, and dnsz.sol.net, and I need you to change them to 216.218.130.2, 216.218.131.2, 216.218.132.2, and 216.218.132.2, respectively. I have deposited $100 to you via PayPal to cover the sudden-change fee.
Now YOU tell ME what purpose an identity check serves. ;-)
Yes, that's nice, except that Joe Greco isn't authorized to do that. We're not talking about a system operating in a vacuum here. There are already established mechanisms for guarding domains. We're talking about rapid update authorization. So go ahead and tell me exactly what you've done, beyond enriching a registrar $100. (Incidentally, since we're the reseller, you probably just sent us the $100, so by all means, send us beer money.) ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Wed, Apr 04, 2007 at 02:05:41PM -0500, Joe Greco wrote: ...
Yes, that's nice, except that Joe Greco isn't authorized to do that. We're not talking about a system operating in a vacuum here. There are already established mechanisms for guarding domains. We're talking about rapid update authorization. ...
Sorry that you didn't understand at all. I explained it better in a later letter. -- Joe Yao Analex Contractor
There is no need for rapidly unannounced updates by the registries.
That simply isn't true.
You're right. Just like there is a very strong need for an airline that offers 5 minutes from curb to seat checkin service. The need exists but it ain't gonna be filled anytime soon because the government prohibits such things. The government mandates delays and multiple vetting processes between the time you step on the curb and the time you sit in your airplane seat. Same with buying a handgun in most states and in Canada. Same with opening a business in most jurisdictions. You have to go to cityhall and apply for a license first. Why should domain name registries be special and be exempt from these normal processes of vetting and registering?
Now, the reality is, accidents do happen. However, they happen infrequently enough that you probably do not need to be able to change your nameservers through the web interface and have them reflected 5 seconds later. I do think that it would be very valuable to have the capability to call someone at a registrar to deal with issues like this for the infrequent times that it is needed, or perhaps allow one such change per week(?) through the web interface.
We had a situation rather like that about 6 weeks ago and we did call Network Solutions and they did fix the problem by putting the lame nameservers back in the .COM zone where the customer wanted them to be. I believe the customer switched registrars in order to make sure that their lame nameservers stayed lame. So at least some registrars do have helpdesks available by phone who can get wierd issues sorted out for you. --Michael Dillon
There is no need for rapidly unannounced updates by the registries.
That simply isn't true.
You're right. Just like there is a very strong need for an airline that offers 5 minutes from curb to seat checkin service. The need exists but it ain't gonna be filled anytime soon because the government prohibits such things. The government mandates delays and multiple vetting processes between the time you step on the curb and the time you sit in your airplane seat.
Well, if you're going to say that, then at least be honest and concede that the government has also recognized the need, and has been working towards filling it with the TSA's "Registered Traveler" program, which was designed to pretty much allow a traveler to go to an airline kiosk, pick up a ticket, and make it through security fairly rapidly. Five minutes is overly optimistic, but more due to the size of your average airport than due to the amount of time expected to be consumed by the process.
Same with buying a handgun in most states and in Canada. Same with opening a business in most jurisdictions. You have to go to cityhall and apply for a license first. Why should domain name registries be special and be exempt from these normal processes of vetting and registering?
Well, again, then, let's play fair with the analogies. It may actually take a business day to open an LLC here, but once that's done, I can submit changes to the registered office as frequently as I want. It may take a little time for the state to process them, but that's not due to any special "vetting" process that I'm aware of, it's a legacy of the fact that the systems aren't all-electronic yet. If you actually look at why businesses have to register, it has more to do with collecting various taxes and/or maintaining records than it does with "vetting." A sole propietorship here in WI has minimal obligations and in many cases need not file much of anything in order to do business. LLC records with the state need not list the members. The state wants to collect their sales tax, for that you need a sales and use tax permit. If you want to rent space, that's another set of fee-related issues. Etc. So I find that argument weak at best. Of course, I have yet to see a criminal shoot anyone with a domain name, or a hijacker take over a plane with one. These are very serious real world events involving injury and/or death, and as such, some additional care may be warranted, which is doubtless why registration is required to buy a handgun, why there are metal detectors and anti-terrorist programs at airports, etc. To be needing to reach to such levels to justify your argument is not particularly compelling, especially when it is easy enough to poke holes in it anyways. If you seriously want to propose something: If you're going to do any vetting, the time to do it is at registration, not at crunch time. Limiting rapid updates makes sense. Eliminating them does not. Fixing the brokenness which allows for domain tasting makes perfect sense. Designing a system which doesn't allow for some level of anonymity (let's say for whistleblower/bloggers) requires some serious debate that goes far beyond "what are the security implications." Etc. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
If you're going to do any vetting, the time to do it is at registration, not at crunch time.
The bulk of the discussion over the past few days was directed at the practice of rapid updates of BRAND NEW DOMAIN NAMES. Clearly this is entirely separate from the issue of updating information for an established domain name.
Designing a system which doesn't allow for some level of anonymity (let's say for whistleblower/bloggers) requires some serious debate that goes far beyond "what are the security implications."
That is really a separate issue. This discussion is about limiting the damage caused by domains which do rapid NS switching. If we know which domains are new, DNS operators could put them on probation and only allow a minimum TTL of 1 day on those names. The domain owner can still switch NSes but the queries won't chase him, therefore he will sell less product and quickly stop doing NS switching. If he's not NS switching then it is easier to track him down, blackhole him, filter him, whatever. --Michael Dillon
If you're going to do any vetting, the time to do it is at registration, not at crunch time.
The bulk of the discussion over the past few days was directed at the practice of rapid updates of BRAND NEW DOMAIN NAMES. Clearly this is entirely separate from the issue of updating information for an established domain name.
So... the obvious solution is to start requiring all sorts of odd and strange vetting requirements? I can't even figure out what problem that is trying to solve. The problem of rapid updates for brand new domain names is not entirely separate from that of established ones. In many cases, established ones can be caught at auction and the created date never gets updated. Further, in the future, if you think about what the response is likely to be, those who are doing bad things will simply allow their domains to age the necessary year (or whatever) to get around your differentiation between "new" and "established." So really this boils down to limiting automated updates to nameservers. "I believe I made that suggestion previously." Hmm.
Designing a system which doesn't allow for some level of anonymity (let's say for whistleblower/bloggers) requires some serious debate that goes far beyond "what are the security implications."
That is really a separate issue.
Not really, but it requires a broad view of the bigger picture.
This discussion is about limiting the damage caused by domains which do rapid NS switching. If we know which domains are new, DNS operators could put them on probation and only allow a minimum TTL of 1 day on those names. The domain owner can still switch NSes but the queries won't chase him, therefore he will sell less product and quickly stop doing NS switching. If he's not NS switching then it is easier to track him down, blackhole him, filter him, whatever.
Expecting all (or even a significant fraction) of the DNS operators in the world to do this in order to combat phishing is simply insane. If that's what you're suggesting, I'll counterpropose space based lasers with HAL9000 intelligences to roast the culprits off the face of the earth. :-) ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Apr 4, 2007, at 11:57 AM, <michael.dillon@bt.com> <michael.dillon@bt.com> wrote: [SNIP]
That is really a separate issue. This discussion is about limiting the damage caused by domains which do rapid NS switching. If we know which domains are new, DNS operators could put them on probation and only allow a minimum TTL of 1 day on those names.
All that this means is that domains will be registered and sit idle (or host a web server for domain parking, useless content to make it look legitimate, etc.) until the probation period is up. Then it be converted into a rapid NS switching domain used for whatever...
The domain owner can still switch NSes but the queries won't chase him, therefore he will sell less product and quickly stop doing NS switching. If he's not NS switching then it is easier to track him down, blackhole him, filter him, whatever.
--Michael Dillon
On Wed, Apr 04, 2007 at 10:06:18AM -0500, Joe Greco wrote: ...
If you seriously want to propose something:
If you're going to do any vetting, the time to do it is at registration, not at crunch time.
If what you're talking about is the identity of the person registering, yes. If what you're talking about is the identity of the person submitting the request for change, no. If you do the former, and can establish (what is today's password, please?) that the latter is the former, then you have done the latter fairly quickly and easily - and can trace any abuse or attempted perfidy [such as I was trying to do to you in the last message].
Limiting rapid updates makes sense. Eliminating them does not.
Yes.
Fixing the brokenness which allows for domain tasting makes perfect sense.
Yes.
Designing a system which doesn't allow for some level of anonymity (let's say for whistleblower/bloggers) requires some serious debate that goes far beyond "what are the security implications."
Yes.
Etc.
-- Joe Yao Analex Contractor
offers 5 minutes from curb to seat checkin service. The need exists but it ain't gonna be filled anytime soon because the government prohibits such things. The government mandates delays and multiple vetting processes between the time you step on the curb and the time you sit in your airplane seat. And government interference has been such a boon for the airlines and air
travelers? Or just about any industry for that matter? Come on. Do you really want a group of people who think the Internet is a bunch of tubes telling you how things should be run?? God help us all if that happens.
Same with buying a handgun in most states and in Canada. Same with opening a business in most jurisdictions. You have to go to cityhall and apply for a license first. Why should domain name registries be special and be exempt from these normal processes of vetting and registering? Did you seriously, honestly, just compare a domain name to a handgun??????
I have NO idea what to say to this ... This was originally a much longer email but your statement made me realize the futility of my arguments... -Don
<michael.dillon@bt.com> writes:
Same with buying a handgun in most states and in Canada. Same with opening a business in most jurisdictions. You have to go to cityhall and apply for a license first. Why should domain name registries be special and be exempt from these normal processes of vetting and registering?
Analogies that compare to a postulated situation which is patently false are amusing, but non-constructive. You might wish to bone up on your understanding of US firearms law (preferably from a source other than CSI or Law & Order [insert standard disparaging comment about the mass media getting anything they cover, including the Internet, wrong here]) before you embarrass yourself with another faulty analogy involving guns. ---Rob (Senior NRA Training Counselor)
Analogies that compare to a postulated situation which is patently false are amusing, but non-constructive. You might wish to bone up on your understanding of US firearms law (preferably from a source other than CSI or Law & Order [insert standard disparaging comment about the mass media getting anything they cover, including the Internet, wrong here]) before you embarrass yourself with another faulty analogy involving guns.
People who take analogies as anything more than a rough approximation are amusing. The fact is that in some jurisdictions in the USA there is a cooling off period between the time when a person applies to buy a handgun and the time they recieve one. Canada is somewhat similar due to the need to file a Firearms Acquisition Certficate with the police. In both these cases, the rules were put in place to allow enough time for human beings to be alerted, and to intervene if necessary. Network operations is not all about technology. There are people there too and it is not unusual to accept the need for human beings to respond to an alert with some time delay. That's why SLAs have 4 hour time to repair clauses, etc. The situation with new domain name registrations is similar. Some people wreak havoc by leveraging the fact that the turnaround time is FASTER than human reaction time. Applying the same general solution that some authorities have applied to handgun purchases, is the answer. This has nothing whatsoever to do with handguns themselves. It has to do with the operational techniques used by the authorities which regulate handguns. Whether or not you agree with those authorities is irrelevant. The fact is that those authorities have goals and they apply certain processes to meet these goals. We can learn by studying the abstract without worrying overly much about the details of handgun sales. Details are only important in the field where you APPLY the knowledge learned, and in this case that is network operations. --Michael Dillon
participants (12)
-
Daniel Senie
-
Donald Stahl
-
Dorn Hetzel
-
Douglas Otis
-
Fergie
-
Gadi Evron
-
Joe Greco
-
Joseph S D Yao
-
michael.dillon@bt.com
-
Robert E. Seastrom
-
Sam Stickland
-
Warren Kumari