On-going Internet Emergency and Domain Names

Florian Weimer fw at deneb.enyo.de
Sat Mar 31 19:42:13 UTC 2007

* Paul Vixie:

> since malware isn't breaking dns, and since dns is not a vector per se,
> the idea of changing dns in any way to try to control malware
> strikes me as a way to get dns to be broken in more places more
> often.

Well, once more people learn about DLV (especially the NS override
extension that has been requested by zone operators), more and more
questions will pop up why we can't do this for NS records they don't
like for some reason.  The genie is out of the bottle, I'm afraid.

> in practical terms, and i've said this to you before, you'll get as
> much traction by getting people to switch from windows to linux as
> you'd get by trying to poison dns.  that is, neither solution would
> be anything close to universal.  that rules it out as an
> "alternative we can use today".

The legal details for operating and using a lookaside zone are rather
interesting, which strongly suggests that this isn't a solution that
can be rolled out in a reasonable time frame.  On the more technical
side, some very large operators have mostly outsourced their DNS
operation, so they can't easily deploy an upgrade from ISC even if it
were available today.

> at the other end, authority servers which means registries and
> registrars ought, as you've oft said, to be more responsible about
> ripping down domains used by bad people.  whether phish, malware,
> whatever.  what we need is some kind of public shaming mechanism, a
> registrar wall of sheep if you will, to put some business pressure
> on the companies who enable this kind of evil.

I fear that many registrars make most of their money with trademark
violations of their customers.  If that is indeed true, showing any
sign of responsibility could be suicidal.

More information about the NANOG mailing list