summarising [was: Re: ICANNs role]

Daniel Senie dts at senie.com
Wed Apr 4 03:07:01 UTC 2007



At 09:41 PM 4/3/2007, you wrote:


> > No one wants to wait for security checks while browsing.  This
> > information must be preprocessed and "at the ready", or the Internet
> > starts to feel rather slow and broken.  Slowing down registry
> > updates and even providing a preview of upcoming changes will allow
> > security to become much faster in providing comprehensive answers,
> > and make browsing seem unimpaired (as it should be).
> >
> > There is no need for rapid, unannounced updates by the registries.
>
>That simply isn't true.
>
>It is more reasonable to say that "there is no need for rapid /and/
>frequent updates" and to put some limits in place.
>
>One fine day, I got involved with an ISP client handling a most unusual
>situation.  They had been contacted by some folks at United Media who
>were in a panic because they had botched a registry update, putting in
>IP addresses that did not work.  As it happens, one of the IPs in
>question was in an outsourced dial pool in Rockford, IL (IIRC - maybe
>Beloit) and they had the imagination to call the ISP in question.
>
>We set up a static IP, dialed in, and watched port 53 data stream in at
>the full line speed.  Everyone in the world who was looking for Dilbert
>and other United Media properties was of course talking to resolvers
>that were in turn banging on that IP.
>
>Well, answering with much larger packets through the dialup wasn't
>practical, and the ISP's upstreams had ingress filtering, but I did
>manage to set up a VPN over to our networks where we control our own
>filtering and our upstreams didn't do any ingress.  We ended up fixing
>them a handful of hours after their error.  We watched the DNS traffic
>dwindle over the next two days, and eventually hung up.  ;-)
>
>Obviously they had updated their info as soon as they could, but the
>.com zone wasn't updated for almost another day (or was it two?)
>
>Now, the reality is, accidents do happen.  However, they happen
>infrequently enough that you probably do not need to be able to
>change your nameservers through the web interface and have them
>reflected 5 seconds later.  I do think that it would be very valuable
>to have the capability to call someone at a registrar to deal with
>issues like this for the infrequent times that it is needed, or
>perhaps allow one such change per week(?) through the web interface.
>
>Let us not get so intent on "getting the bad guy" that we damage the
>innocent at the same time.


So, an "oops, I screwed up, and am in a panic" fee of, say, $100, combined
with a quick but accurate identity check, would take care of such
an emergency. The fee would pay for the expense of the identity
check, and perhaps provide a bit of profit for the registrar. This
seems reasonable and workable. Or the fee could just be extra
profit for the registrar and registry, raise the cost of doing business
for the abusers, and also be workable.