Interesting new dns failures

Chris L. Morrow christopher.morrow at
Mon May 21 05:34:02 UTC 2007

On Sun, 20 May 2007, Roger Marquis wrote:

> >> All the same, it would seem to be an easy and cheap abuse to address,
> >> at the gtlds.  Why are these obvious trojans being propagated by
> >> the root servers anyhow?
> >
> > the root servers are responsible how exactly for the fast-flux issues?
> > Also, there might be some legitimate business that uses something like
> > the FF techniques... but, uhm... how are the root servers involved again?
> Nobody's saying that the root servers are responsible, only that they

but you said it:

"at the gtlds.  Why are these obvious trojans being propagated by
 the root servers anyhow?"

> are the point at which these domains would have to be squelched. In
> theory registrars could do this, but some would have a financial
> incentive not to. Also I don't believe registrars can update the roots
> quickly enough to be effective (correct me if I'm wrong).

I think you really mean 'TLD' not 'root'... I think, from playing this
game once or twice myself, the flow starts with the registrar to the
registry (in your example estdomains is the registrar and Verisign is the
registry). I think it pretty much stops there. I suppose you COULD get
ICANN to spank someone, but that's going to take a LONG time to
accomplish. (I think at least)

> Given the obvious differences between legitimate fast flux and the
> pattern/domains in question it would seem to be a no-brainer,
> technically at least.

hrm... I don't think it's a technical stumbling block, though trying to
pre-know who's bad and who's not might get you in trouble (say I register
the domain and fast-flux it for my own 'good' use,
how's that different from '' ?).

Anyway... I don't disagree that there ought to be a hammer here and it
ought to be applied. I'm just not sure it's as simple as it appears at
first blush.
