nanog mailing list archives

Re: On-going Internet Emergency and Domain Names


From: Paul Vixie <paul () vix com>
Date: Sun, 01 Apr 2007 05:22:07 +0000


>> at the other end, authority servers, which means registries and registrars,
>> ought, as you've oft said, to be more responsible about ripping down domains
>> used by bad people.  whether phish, malware, whatever.  what we need is
>> some kind of public shaming mechanism, a registrar wall of sheep if you
>> will, to put some business pressure on the companies who enable this kind
>> of evil.

> I have done public shaming in the past, as you know. I'd rather avoid it
> if policy/technology can help out.

technology can help someone protect their own assets.  policy can help other
people protect their assets.  public shaming can motivate other people to
protect their own assets.  YMMV.

> Conversationally though, how would you suggest to proceed on that front?

a push-pull.  first, advance the current effort to get registrars and
dynamic-dns providers to share information about bad CC#'s, bad customers,
bad domains, whatever.  arrange things so that a self-vetting society of
both in-industry people and ombudsmen has the communications fabric it needs
to behave responsibly.  push hard on this, make sure everybody hears about it
and that the newspapers are full of success stories about it.

then, whenever there's a phish or malware domain whose dyndns provider or
dns registrar is notified but takes no action, put it on the wall of shame.
something akin to ROKSO would work.  (in fact, spamhaus could *do* this.)
make sure that the lack of responsible takedown is a matter of public record
and that a sustained pattern of such irresponsibility is always objectively
verifiable by independent observers who can each make independent judgements.

>> fundamentally, this isn't a dns technical problem, and using dns
>> technology to solve it will either not work or set a dangerous precedent.
>> and since the data is authentic, some day, dnssec will make this kind of
>> poison impossible.

> Not for the bad guys, unfortunately. :/

by "this kind of poison" i meant something that would be used by good guys
to "whiteout" the domains needed/used by bad guys.  it'll be inauthentic
data, and if dnssec is ever launched, this kind of data will be transparently
and obviously inauthentic, and will just not be seen by the client population.
so, yes, dnssec will end up helping the bad guys in that particular way.
