nanog mailing list archives

Re: On-going Internet Emergency and Domain Names


From: Douglas Otis <dotis () mail-abuse org>
Date: Sun, 01 Apr 2007 11:51:45 -0700


On Sun, 2007-04-01 at 08:41 -0700, David Conrad wrote:
>> It is my understanding that the various domain registries answer
>> to ICANN policy

> _Some_ registries answer to ICANN policy, those that have entered
> into contracts with ICANN.  Others, e.g., all the country code TLD
> registries, don't.  However, even in those cases in which there are
> contractual agreements, ICANN's role is typically quite limited (by
> design: ICANN isn't the Internet's mommy).

>> if ICANN policy allows them to operate in a manner
>> which is conducive to allowing criminals to manipulate the system,
>> then the buck stops with ICANN, and ICANN needs to rectify the
>> problems in the policy framework.

> Sorry, I still haven't figured out what the problem is you're trying
> to lay at ICANN's door...

When providers daily accept payment for thousands of accounts with
unique, valid, albeit stolen credit card numbers, preventing abuse
remains difficult without using time as a remedy.  No doubt, domain
tasting represents a retreat from dealing with fallout created by such
fraud.

In addition, several security strategies could become more comprehensive
and rely less upon specific OS threat recognitions.  Instituting
notification of domain name additions before publishing would enable
several preemptive defenses not otherwise possible.  A notice of change
does not alter the core, but instead enables defensive strategies at the
edge.  These strategies are not limited to white-outs, but might be in
the form of alerts or warnings.

It takes time to push defensive information to the edge.  A notification
of change before it occurs reduces the significant advantage now
afforded bad actors who are heavily exploiting DNS.

-Doug

