On-going Internet Emergency and Domain Names (kill this thread)

Paul Vixie vixie at vix.com
Sun Apr 1 23:14:03 UTC 2007


jeffshultz at wvi.com (Jeff Shultz) writes:

> As I see it, the problem at hand is the current Windows 0day. What Gadi
> is doing is concentrating on a tactic it is using to justify solving
> what he sees as a more general problem (DNS abuse) that could be used by 
> an exploit to any operating system.  By solving it, this could mitigate 
> future problems.

the more general problem is hard to agree about.  i think it's that every
day neustar and afilias and verisign and the other TLD registries handle
many millions of new-domain transactions, most of which will never be paid
for ("domain tasting") and most of which are being held with stolen credit
cards.  i don't know if these companies book the revenue ("ship bricks") or
if this is just a hell hole of wasted time and money for them (or, both?)

i do know that a small number of criminals and wastrels among the registrant
and registrar communities are responsible for between 95% and 99.98% of each
day's domain churn, and that most of the domains will never be used or will
only be used for evil.  some of the costs of this infrastructure-for-evil
are passed on to the rest of the registrants, and all of the costs of the
evil itself are passed on to the rest of humanity.

now we can try to pour widescale poison on the domains we see used for evil,
and hope that everyone who would like to be protected by that poison is able
to get in on the action; or we can look at the registrars and registrants,
and track their actions, and build a reputation system indicating who has
done evil and who has irresponsibly or greedily profited from enabling evil.

in the first case we have an infinite set of possible choke points; in the
second we have a finite set.  in the first case we have to pay the cost on
every DNS lookup, in the second case we have to pay the cost on every DNS
registration event.

> We're looking at the alligators surrounding us. Gadi is trying to 
> convince us to help him in draining the swamp (which may indeed be a 
> positive thing in the long run).
> 
> Does that sound about right?

that sounds exactly wrong.  harkening back to my experience with "check-names"
i can tell you that all i did was scare away a few alligators and the swamp
remained.  (probably the same was true of the original MAPS RBL.)  what we've
got in the DNS registry/registrar market today is as corrupt and abusable as
the California electricity market was back in 2000-2001, and we're seeing the
same kind of windfalls enjoyed by the same kind of assholes now as then.  the
system is ripe for policing, which icann has shown that they will not do.  i
want to see gadi in "ralph nader" mode, shining a light on all this, making it
harder to profit from building the "infrastructure of evil."  if that's what
you meant by swamp-draining, then i apologize for misunderstanding you.
-- 
Paul Vixie
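The post contrasts two choke points: filtering on every DNS lookup (an open-ended set of resolvers that each have to consume the "poison") versus scoring every registration event and building a reputation for the finite set of registrars and registrants behind them. The following is an added illustration of the second approach, not code from the post or from any registry; the event records, the registrar and registrant names, the `paid`/`abused` fields and the 50% threshold are all constructed for the example. It scores each actor by the share of its registrations that were dropped unpaid (tasted) or later seen in abuse, and flags actors above a threshold once they have enough events to judge.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistrationEvent:
    """One add-domain transaction as a registry might record it (constructed schema)."""
    domain: str
    registrar: str
    registrant: str
    paid: bool      # True if the registration survived the grace period, i.e. was paid for
    abused: bool    # True if the domain was later reported for abuse


@dataclass
class ActorStats:
    total: int = 0
    unpaid: int = 0
    abused: int = 0
    bad: int = 0    # events that were unpaid or abused (or both)

    @property
    def ratio(self) -> float:
        return self.bad / self.total if self.total else 0.0


# Constructed sample: "reg-a" serves ordinary customers with one tasted domain;
# "reg-b" hosts one registrant ("r-900") churning short-lived, abused names.
CONSTRUCTED_EVENTS = [
    RegistrationEvent("alpha-store.test", "reg-a", "r-100", True, False),
    RegistrationEvent("beta-news.test", "reg-a", "r-101", True, False),
    RegistrationEvent("gamma-club.test", "reg-a", "r-102", True, False),
    RegistrationEvent("delta-blog.test", "reg-a", "r-103", True, False),
    RegistrationEvent("eps-mail.test", "reg-a", "r-104", True, False),
    RegistrationEvent("zeta-tools.test", "reg-a", "r-105", False, False),
    RegistrationEvent("x1kq.test", "reg-b", "r-900", False, True),
    RegistrationEvent("x2kq.test", "reg-b", "r-900", False, True),
    RegistrationEvent("x3kq.test", "reg-b", "r-900", False, False),
    RegistrationEvent("x4kq.test", "reg-b", "r-900", False, True),
    RegistrationEvent("x5kq.test", "reg-b", "r-900", True, True),
    RegistrationEvent("x6kq.test", "reg-b", "r-900", False, False),
    RegistrationEvent("ok-site.test", "reg-b", "r-901", True, False),
    RegistrationEvent("ok-shop.test", "reg-b", "r-902", True, False),
]


def score_actors(events, key: str) -> dict:
    """Aggregate registration outcomes per actor.

    `key` is the attribute to group by: "registrar" or "registrant".
    The cost here is paid once per registration event, not per DNS lookup.
    """
    stats = defaultdict(ActorStats)
    for ev in events:
        actor = getattr(ev, key)
        s = stats[actor]
        s.total += 1
        if not ev.paid:
            s.unpaid += 1
        if ev.abused:
            s.abused += 1
        if not ev.paid or ev.abused:
            s.bad += 1
    return dict(stats)


def flag_actors(events, key: str, min_events: int = 5, max_bad_ratio: float = 0.5) -> list:
    """Return actors (sorted) whose bad-event ratio exceeds the threshold.

    `min_events` keeps a single tasted domain from condemning a one-off customer;
    both numbers are policy knobs chosen for this example, not registry policy.
    """
    stats = score_actors(events, key)
    return sorted(
        actor for actor, s in stats.items()
        if s.total >= min_events and s.ratio > max_bad_ratio
    )


if __name__ == "__main__":
    for key in ("registrar", "registrant"):
        for actor, s in sorted(score_actors(CONSTRUCTED_EVENTS, key).items()):
            print(f"{key} {actor}: {s.total} events, {s.unpaid} unpaid, "
                  f"{s.abused} abused, bad ratio {s.ratio:.2f}")
        print(f"flagged {key}s:", flag_actors(CONSTRUCTED_EVENTS, key))
```

Grouping by registrant rather than registrar is what isolates the churning account ("r-900") without tarring the registrar's legitimate customers, which is the point of scoring the finite set of actors instead of the unbounded set of names they create.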
