ICANN's role [was: Re: On-going ...]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[top-posting to maintain the entire context below]

I think Doug makes some good points here (with the exception of
number 6)...

- - ferg

The one concrete suggestion I've seen is to induce a delay in zone
creation and publish a list of newly created names within the zone.
The problem with this is that it sort of assumes:

> What are your thoughts on basic suggestions such as:
> 1. Allowing registrars to terminate domains based on abuse, rather
> than just fake contact details.

This requires a separate agency tasked to respond to reports of
crime. Registrars have a conflict of interest (they want to be
profitable). Even answering the phone to deal with this type of
problem costs more than a registration is worth. Hence, it is easier
to establish domain tasting which essentially drops this entire
problem into someone else's lap.

> 2. Following these incidents as they happen so that YOU, in charge,
> can make these suggestions?

Often enforcement policies begin with a complaint. But who is
taking the role of enforcement?

> 3. For true emergencies threatening the survivability of the
> system, shouldn't we be able to black-list a domain in the core?

It would be nice if there were an agency that had a mechanism in
place for routinely yanking domains that pose a public threat. Who
would you trust in that role? Unfortunately, the US has lost their
credibility as loudly echoed on this list.

> 4. Black lists for providers are not perfect, but perhaps they
> could help protect users significantly?

Black-hole or block-lists are where protection can be introduced;
political push back will thwart centralized enforcement. To support
this mode of operation, a preview mode of operation would be highly
beneficial. Currently bad actors will keep such efforts in a futile,
feckless, reactive mode.

> 5. Enforcing that registrars act in say, not a whitehat fashion,
> but a not blackhat fashion?

Of course a bad registrar might warrant greater scrutiny. At what
point would all their customers need to find a different registrar?

> 6. Yours here?

Perhaps only banks should be allowed to act as registrars? At least
they know how to check physical IDs.

- -Doug

I just posted this, and I believe it makes sense:

Title: Put Security Alongside .XXX

Isn't security as important to discuss as .XSS?

The DNS has become an abuse infrastructure, it is no longer just a
functional infrastructure. It is not being used by malware, phishing and
other Bad Things [TM], it facilitates them.

Operational needs require the policy and governance folks to start taking
notice.

It's high time security got where it needs to be on the agenda, not just
because it is important to consider security, but rather because lack of
security controls made it a necessity.

In discussion of my latest post, some folks on NANOG raised interesting
ideas, such as:

(these are displayed as I understood them)
1. Terminating domains found to be registered with stolen credit cards
(raised by Chris Morrow)
2. Introducing a delay to registration (Douglas Otis)
3. Reviewing legacy engineering decisions (David Conrad)
4. A show of responsibility by Registries and Registrars to take care of
bad domains (Paul Vixie)
5. Public shaming should be considered (Paul Vixie)
6. Closing the vulnerability with DNS should not be ignored just because
bad guys will find something else to exploit (Hank Nussbacher)
7. Check out http://www.icann.org/participate/ (John Crain)

As well as other ideas and contributors. I won't push my own here, there's
enough already up there to keep us busy for a while.

Whether these ideas are good remains to be seen; the fact is that we now
discuss the issues.

Some other conclusions were that the domain registration system and
process are a significant part of the current on-going abuse of the DNS
infrastructure.

So, as important as the XXX TLD is, security should get as much attention,
if not more.

It's about the current policy which allows black hat registrars to exist
(rather than controlling good ones - lower hanging fruit first?), as well
as about the policy of registration and termination of domain names. It is
about old policy no longer fitting today's threats, and, to a limited
fashion, technology which needs to be revamped.

Here is one of the latest emails in the NANOG thread, by me in reply to
David Conrad. Things start to make sense now that flames and personal
attacks have died down.

[previous NANOG post here]

Where do we go from here? If we do proceed, what legitimate business
concerns stand to lose money? (or not earn as much?)

Gadi Evron,
ge@linuxbox.org.

...

> > I just posted this, and I believe it makes sense:
> >
> > Title: Put Security Alongside .XXX
> >
> > Isn't security as important to discuss as .XSS?
> >
> > The DNS has become an abuse infrastructure, it is no longer just a
> > functional infrastructure. It is not being used by malware, phishing and
> > other Bad Things [TM], it facilitates them.

> Again - DNS is the infrastructure for EVERYTHING. It facilitates
> EVERYTHING. If you threw it out and put something else in that was not
> as clunky as editing hosts.txt files 'scp'ed from DARPA daily, then THAT
> would be what was facilitating everything.

> > Operational needs require the policy and governance folks to start taking
> > notice.
> >
> > It's high time security got where it needs to be on the agenda, not just
> > because it is important to consider security, but rather because lack of
> > security controls made it a necessity.

> Completely separately from your personal views on DNS, the above are
> quite true.

> Again - DNS is the infrastructure for EVERYTHING. It facilitates
> EVERYTHING.

Not so. On the public Internet applications like Edonkey and Emule work
fine without it. We run a global IP network that is not connected to the
public Internet and over 90% of our customers' applications don't use
any DNS. They use IP addresses directly.

DNS is only a facilitator for those applications that WANT to use it.
And even though most current applications want to use DNS, they usually
function just fine with straight IP addresses. DNS is more of a habit,
than a necessity.

If the users of the Internet, collectively, decide that DNS is a bad
habit, better to be avoided, then you will see more and more
applications that work around the DNS. Like ICQ. Or they will only use
the DNS minimally in order to root their own namespaces, like LDAP with
RFC 2247.

--Michael Dillon

> Again - DNS is the infrastructure for EVERYTHING. It facilitates
> EVERYTHING.

> Not so. On the public Internet applications like Edonkey and Emule work
> fine without it. We run a global IP network that is not connected to the
> public Internet and over 90% of our customers' applications don't use
> any DNS. They use IP addresses directly.

Fair. If you have a small or stable enough private network that you
don't need to use DNS to look up things that might be different from
time to time, or to send e-mail by looking up where that mail goes, this
works.

I don't think it scales.

And at least one person claimed not to be using DNS at all ... I suspect
he just didn't know how it was priming his engine.

> DNS is only a facilitator for those applications that WANT to use it.
> And even though most current applications want to use DNS, they usually
> function just fine with straight IP addresses. DNS is more of a habit,
> than a necessity.

So is using the decimal system rather than counting sticks. But it sure
makes things doable versus insurmountable.

> If the users of the Internet, collectively, decide that DNS is a bad
> habit, better to be avoided, then you will see more and more
> applications that work around the DNS. Like ICQ. Or they will only use
> the DNS minimally in order to root their own namespaces, like LDAP with
> RFC 2247.

Lots of little edge apps. No core scalability.

Joseph S D Yao wrote:

> ...
>
> > I just posted this, and I believe it makes sense:
> >
> > Title: Put Security Alongside .XXX
> >
> > Isn't security as important to discuss as .XSS?
> >
> > The DNS has become an abuse infrastructure, it is no longer just a
> > functional infrastructure. It is not being used by malware, phishing and
> > other Bad Things [TM], it facilitates them.
>
> Again - DNS is the infrastructure for EVERYTHING. It facilitates
> EVERYTHING. If you threw it out and put something else in that was not
> as clunky as editing hosts.txt files 'scp'ed from DARPA daily, then THAT
> would be what was facilitating everything.

Maybe it would make sense for someone to reiterate what types of abuse DNS is facilitating? I believe what Gadi was getting at was mainly the ability to use fake details to register a domain, and then very rapidly cycling the A records through a wide range of hosts, attempting to avoid detection. As opposed to there actually being fundamental flaws open to abuse in a system that maps names to IP addresses.

Sam

...

> Maybe it would make sense for someone to reiterate what types of abuse
> DNS is facilitating? I believe what Gadi was getting at was mainly the
> ability to use fake details to register a domain, and then very rapidly
> cycling the A records through a wide range of hosts, attempting to avoid
> detection. As opposed to there actually being fundamental flaws open to
> abuse in a system that maps names to IP addresses.

...

Which is mostly a policy / procedure problem rather than a DNS problem,
eh?

Despite doubts several stated about creating a fairly comprehensive view of the Internet landscape, dedicated systems working in unison do keep fairly close tabs on what is what. Threat information is then pushed to the edge (as some would call it). The abuse of registries has been able to thwart the effectiveness in dealing with much of the threat landscape as it undergoes a transformation every few minutes. The latency in distributing threat information prevents its protection from being as effective as it should be when facing undefined threats within a rapidly transforming environment.

No one wants to wait for security checks while browsing. This information must be preprocessed and "at the ready", or the Internet starts to feel rather slow and broken. Slowing down registry updates and even providing a preview of upcoming changes will allow security to become much faster in providing comprehensive answers, and make browsing seem unimpaired (as it should be).

There is no need for rapid, unannounced updates by the registries. Getting a commerce site set up in milliseconds all too often benefits those wishing to abuse this immediacy. Would it really be that hard to say "Confirm the operation of DNS for this website at this time tomorrow."? Just because this information can be published within a few milliseconds does not make doing so a good idea. It would be better for security reasons to offer this information for review first, well before it goes "live".

The price for pushing protective information to the edge by just one company fighting this blitzkrieg is simply astounding. In addition, there are costs incurred by the reduced protection as well, whether it is click fraud, botnet C&Cs, phishing sites, etcetera, etcetera. Slowing registries and offering a preview can dramatically shift the balance in this faltering struggle. There are many security concerns that can make extremely good use of this information without depending upon some centralized policing that never seems to be sufficient or effective enough to be noticeable.

It is not obvious how the daily 5 million domain name churn, driven by an astoundingly high level of fraud and identity theft, can be slowed. Perhaps we will all soon need a cryptographic fob instead of a wrist watch to accompany our other pieces of identification. Stabilizing the landscape can better ensure system owners have a better idea when they are entering dangerous territory. This alone should help them keep their systems as safe as possible in the face of unknown threats. Tracking all this information may seem daunting, but is there any other practical alternative?

-Doug
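As an added example, not code from this thread or from any of its authors, here is a small Python script that turns two of the ideas above into checks a resolver or gateway operator could run locally. Sam's description of names registered with fake details and then cycled rapidly through many A records becomes a fast-flux heuristic over passive-DNS style observations; Doug's suggestion of delayed, previewed zone publication becomes an age gate driven by a preview feed of names scheduled to go live. The feed format, the observation records, the thresholds, and every name, timestamp and address are constructed for illustration and are not real registry data.

```python
"""
Added example (not from the NANOG thread): two defensive checks that
follow from the discussion above.

1. An age gate for newly published names: given a (hypothetical) registry
   preview feed listing names and their scheduled activation time, a name
   is "held" until it has aged past a configurable window.
2. A fast-flux heuristic: a name whose recent A records span many distinct
   addresses and many distinct /24 networks on short TTLs is "flagged".

All feed entries, observations, IPs and timestamps are constructed data.
"""
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed preview feed: (name, scheduled activation time, naive UTC).
PREVIEW_FEED = [
    ("bank-login-verify.example", datetime(2007, 3, 20, 9, 0)),
    ("shop.example", datetime(2007, 3, 10, 9, 0)),
]

# Constructed passive-DNS style observations: (seen_at, name, A record, TTL).
OBSERVATIONS = [
    (datetime(2007, 3, 20, 10, 0), "bank-login-verify.example", "203.0.113.5", 300),
    (datetime(2007, 3, 20, 10, 5), "bank-login-verify.example", "198.51.100.77", 300),
    (datetime(2007, 3, 20, 10, 10), "bank-login-verify.example", "192.0.2.9", 300),
    (datetime(2007, 3, 20, 10, 15), "bank-login-verify.example", "203.0.113.200", 300),
    (datetime(2007, 3, 20, 10, 20), "bank-login-verify.example", "198.51.100.12", 300),
    (datetime(2007, 3, 20, 10, 0), "shop.example", "192.0.2.44", 86400),
    (datetime(2007, 3, 20, 12, 0), "shop.example", "192.0.2.44", 86400),
]


def domain_age(name, now, feed=PREVIEW_FEED):
    """Time since the name's scheduled activation, or None if it is not in the feed."""
    for feed_name, activates_at in feed:
        if feed_name == name:
            return now - activates_at
    return None


def is_too_new(name, now, min_age=timedelta(hours=24), feed=PREVIEW_FEED):
    """Age gate: names younger than min_age (or not yet activated) are held.
    Names absent from the feed are not held by this check."""
    age = domain_age(name, now, feed)
    return age is not None and age < min_age


def flux_score(name, observations=OBSERVATIONS, window=timedelta(hours=1)):
    """Summarise the name's A records within a window ending at its latest
    observation: distinct addresses, distinct /24 networks, smallest TTL."""
    rows = [o for o in observations if o[1] == name]
    if not rows:
        return {"ips": 0, "nets": 0, "min_ttl": None}
    latest = max(r[0] for r in rows)
    recent = [r for r in rows if latest - r[0] <= window]
    ips = {r[2] for r in recent}
    nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
    return {"ips": len(ips), "nets": len(nets), "min_ttl": min(r[3] for r in recent)}


def is_fast_flux(name, min_ips=5, min_nets=3, max_ttl=600, **kwargs):
    """Heuristic thresholds (constructed): many addresses across many
    networks, all served with short TTLs, within the window."""
    s = flux_score(name, **kwargs)
    return (
        s["ips"] >= min_ips
        and s["nets"] >= min_nets
        and s["min_ttl"] is not None
        and s["min_ttl"] <= max_ttl
    )


def classify(name, now_iso):
    """Policy decision for a name at a given time (ISO 8601 string):
    'hold' while too new, 'flag' when it looks like fast flux, else 'allow'."""
    now = datetime.fromisoformat(now_iso)
    if is_too_new(name, now):
        return "hold"
    if is_fast_flux(name):
        return "flag"
    return "allow"


if __name__ == "__main__":
    for name in ("bank-login-verify.example", "shop.example", "unlisted.example"):
        print(name, classify(name, "2007-03-20T10:30:00"), flux_score(name))
```

The two checks are deliberately independent: the age gate only needs the preview feed Doug describes, so it works even before any traffic to the name has been seen, while the flux heuristic only needs answer observations, so it works for names that never appeared in a feed. The thresholds are starting points to tune against your own traffic, not values from the thread.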