On-going Internet Emergency and Domain Names

Paul Vixie paul at vix.com
Sun Apr 1 05:22:07 UTC 2007


> > at the other end, authority servers which means registries and registrars
> > ought, as you've oft said, be more responsible about ripping down domains
> > used by bad people.  whether phish, malware, whatever.  what we need is
> > some kind of public shaming mechanism, a registrar wall of sheep if you
> > will, to put some business pressure on the companies who enable this kind
> > of evil.
> 
> I have done public shaming in the past, as you know. I'd rather avoid it
> if policy/technology can help out.

technology can help someone protect their own assets.  policy can help other
people protect their assets.  public shaming can motivate other people to protect
their own assets.  YMMV.

> Conversationally though, how would you suggest to proceed on that front?

a push-pull.  first, advance the current effort to get registrars and
dynamic-dns providers to share information about bad CC#'s, bad customers,
bad domains, whatever.  arrange things so that a self-vetting society of
both in-industry and ombudsmen have the communications fabric they need to
behave responsibly.  push hard on this, make sure everybody hears about it
and that the newspapers are full of success stories about it.

then, whenever there's a phish or malware domain whose dyndns provider or
dns registrar is notified but takes no action, put it on the wall of shame.
something akin to ROKSO would work.  (in fact, spamhaus could *do* this.)
make sure that the lack of responsible takedown is a matter of public record
and that a sustained pattern of such irresponsibility is always objectively 
verifiable by independent observers who can each make independent judgements.

> > fundamentally, this isn't a dns technical problem, and using dns
> > technology to solve it will either not work or set a dangerous precedent.
> > and since the data is authentic, some day, dnssec will make this kind of
> > poison impossible.
> 
> Not for the bad guys, unfortunately. :/

by "this kind of poison" i meant something that would be used by good guys
to "whiteout" the domains needed/used by bad guys.  it'll be inauthentic
data, and if dnssec is ever launched, this kind of data will be transparently
obviously inauthentic, and will just not be seen by the client population.
so, yes, dnssec will end up helping the bad guys in that particular way.
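The DNSSEC point above, as an added example (not code from the post or from any project it mentions): a toy model of RRSIG validation in Go. The zone signs its RRset with an ECDSA P-256 key over SHA-256 (the algorithm-13 style used in DNSSEC), and a validating resolver only accepts an answer whose signature verifies under the zone's public key. A "whiteout" that rewrites the RDATA but cannot produce a signature for it is rejected. The record set, owner name and addresses are constructed sample data; the canonical form is a simplified stand-in for RFC 4034 wire-format canonicalisation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RR is a minimal resource record: owner name, TTL, type and RDATA as text.
// Constructed model; real DNSSEC signs wire-format RDATA (RFC 4034).
type RR struct {
	Name  string
	TTL   uint32
	Type  string
	Rdata string
}

// canonical serialises an RRset into one fixed byte string: owner names are
// lower-cased and records sorted, so signer and validator hash identical bytes.
func canonical(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s %d %s %s",
			strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.Rdata))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// SignRRset stands in for the zone signer producing an RRSIG: an ECDSA P-256
// signature over SHA-256 of the canonical RRset (DNSSEC algorithm 13 style).
func SignRRset(zoneKey *ecdsa.PrivateKey, rrs []RR) ([]byte, error) {
	digest := sha256.Sum256(canonical(rrs))
	return ecdsa.SignASN1(rand.Reader, zoneKey, digest[:])
}

// ValidateRRset stands in for the validating resolver: the answer is accepted
// only if the signature verifies under the zone's public key (its DNSKEY).
func ValidateRRset(zoneKey *ecdsa.PublicKey, rrs []RR, sig []byte) bool {
	digest := sha256.Sum256(canonical(rrs))
	return ecdsa.VerifyASN1(zoneKey, digest[:], sig)
}

// WhiteoutDemo runs the scenario from the post: the zone publishes and signs
// the real answer; a third party rewrites ("whiteouts") the RDATA on the way
// to the client but cannot sign the rewrite, because it lacks the zone key.
// It returns whether the authentic answer validates and whether the rewrite does.
func WhiteoutDemo() (authenticOK bool, whiteoutOK bool, err error) {
	zoneKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample data: a host in the reserved "example." zone,
	// pointing at a documentation-range address.
	authentic := []RR{{Name: "bad.example.", TTL: 300, Type: "A", Rdata: "192.0.2.10"}}
	sig, err := SignRRset(zoneKey, authentic)
	if err != nil {
		return false, false, err
	}
	authenticOK = ValidateRRset(&zoneKey.PublicKey, authentic, sig)

	// The "whiteout": same name and type, RDATA pointed at a sinkhole,
	// delivered with the original RRSIG because no other signature exists.
	whiteout := []RR{{Name: "bad.example.", TTL: 300, Type: "A", Rdata: "127.0.0.1"}}
	whiteoutOK = ValidateRRset(&zoneKey.PublicKey, whiteout, sig)
	return authenticOK, whiteoutOK, nil
}

func main() {
	authOK, woOK, err := WhiteoutDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("authentic answer validates: %v\n", authOK)
	fmt.Printf("whiteout answer validates:  %v\n", woOK)
}
```

The caveat the post's last sentence rests on is visible in the model: only a client that actually validates rejects the rewrite. A non-validating resolver hashes nothing and would accept the whiteout, so the protection (and, from the post's angle, the loss of the whiteout as a tool) applies exactly to the validating client population.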
