The Registry policies, as they stand today, enable criminals.
Registry or Registrar?
Good question.
It is my understanding that the various domain registries answer
to ICANN policy -- if ICANN policy allows them to operate in a manner
which is conducive to allowing criminals to manipulate the system,
then the buck stops with ICANN, and ICANN needs to rectify the
problems in the policy framework.
Yes, that's correct. Policies are only administered by registries
and registrars, they are not made by them, and registrars are supposed
to be ultimately accountable to ICANN for adhering to them. If they
are not doing something and there is nothing that says they should,
we do have a process to go through, but it's not easy and fast, and
this process really does not go through NANOG.
But those are policy process issues and this is an operations mail
list. The original question raised is who is ultimately better at acting
on DNS operational issues? Do you want all issues going through 100s
of different registrars with some as "responsible" as RegisterFly?
Changing the registry process to enable a preview of the zone files was
suggested. Additional requirements imposed upon registrars could curb
the overall volume, but that also involves dealing with fraudulent
methods of payment, profit motives, privacy concerns, etcetera. A
process change at the registry can provide an immediate means of
enforcement. This approach should avoid upsetting registrars or
incurring even more extended debates.
It is my understanding that the various domain registries answer
to ICANN policy
_Some_ registries answer to ICANN policy, those that have entered into contracts with ICANN. Others, e.g., all the country code TLD registries, don't. However, even in those cases in which there are contractual agreements, ICANN's role is typically quite limited (by design: ICANN isn't the Internet's mommy).
if ICANN policy allows them to operate in a manner
which is conducive to allowing criminals to manipulate the system,
then the buck stops with ICANN, and ICANN needs to rectify the
problems in the policy framework.
Sorry, I still haven't figured out what the problem is you're trying to lay at ICANN's door...
When providers daily accept payment for thousands of accounts with
unique, valid, albeit stolen credit card numbers, preventing abuse
remains difficult without using time as a remedy. No doubt, domain
tasting represents a retreat from dealing with fallout created by such
fraud.
In addition, several security strategies could become more comprehensive
and rely less upon specific OS threat recognitions. Instituting
notification of domain name additions before publishing would enable
several preemptive defenses not otherwise possible. A notice of change
does not alter the core, but instead enables defensive strategies at the
edge. These strategies are not limited to white-outs, but might be in
the form of alerts or warnings.
It takes time to push defensive information to the edge. A notification
of change before it occurs reduces the significant advantage now
afforded bad actors who are heavily exploiting DNS.
How does this help? Are you saying that new domains somehow are somehow to be judged based upon someone's interpretation as to whether or not the domain 'reads' well, or some other factor? Who makes that determination, and by what criteria?
Or are you saying that notification of someone whose credit card has been stolen would somehow help? How would the registrar know whether or not an email address given at the time of registration is valid for the purported registree? If there's some kind of 'click-to-validate' system put into place, the miscreants will simply automate the acceptance process (there's been a lot of work done on defeating CAPTCHAs, for example; even if they do it by hand, that would work. And services like Mailinator can make it even easier for the miscreants due to their FIFO nature - no forensics possible).
Several registrars offer private domain registration as an option, as well. How does this affect the notification model?
I generally agree with you that when possible, time for analysis can be useful (though I'm unsure how that helps in this scenario, see above). But one of the ways registrars compete is on timeliness; last night, for example, I registered a few domains on a whim. If the registrar I chose to use had told me there was some delay in the process for vetting, I would've cancelled the order and gone somewhere else, because I wanted those domains -right then-, before someone else registered them.
This is all probably way off-topic for NANOG, anyways.
> Instituting notification of domain name additions before publishing
> would enable several preemptive defenses not otherwise possible.
How does this help?
Information collected by the registrar must be assumed to be
untrustworthy, save the functional elements to be published.
Several registrars offer private domain registration as an option, as
well. How does this affect the notification model?
By ensuring data published by registries can be previewed, all
registrars would be affected equally.
I generally agree with you that when possible, time for analysis can
be useful (though I'm unsure how that helps in this scenario, see
above).
When functional information is not valid, such as incorrect name servers
or IP addresses, this would not impose an immediate threat. However,
basic functional information will trace to the controlling entity. Only
by being able to preview this information, would comprehensive
preemptive efforts be able to prove fully effective.
But one of the ways registrars compete is on timeliness;
All registrars would be subject to the same delay. The previewing
process would be a function of the registry.
But what is the probative value of the 'preview'? By what criteria is the reputational quality of the domain assessed, and by whom?
It almost seems as if the base problem has to do with credit-card transaction validation and fraud reporting, rather than anything to do with the actual domain registration process?
So assuming you get rid of tasting and reduce the flow of new names to
say 50,000 per day [1] exactly how are you going to preview these in any
meaningful sort of way?
Are you going to do the same for every ccTLD as well? What about domains
with constantly changing subdomains? Everything hosted in different
countries with different languages, policies and privacy laws? Believe it
or not, some countries don't even have "states" or 5 digit zip codes.
Please detail exactly what you will do if I register "trademe.ir" using
a Pakistani Registrar, a .ly contact email, a physical address in Nigeria,
the name "Tarek Rasshid" [2], $10/year name servers in Cuba and pay for
it using a Visa gift credit card bought in Malaysia.
[1] 20 million new domains each year, just 20% growth on what we have now.
> By ensuring data published by registries can be previewed, all
> registrars would be affected equally.
But what is the probative value of the 'preview'? By what criteria
is the reputational quality of the domain assessed, and by whom?
A preview affords time for correlating and pushing protective
information to the edge. Some reviewing previews may specialize in
look-alike fraud. Others may specialize in net nanny services.
Not all exploits will be initially recognized, where a defense in depth
should include examining the infrastructure. A preview is required
before this infrastructural information can offer the greatest level of
protection. Reacting to new domains after the fact is often too late.
It almost seems as if the base problem has to do with credit-card
transaction validation and fraud reporting, rather than anything to
do with the actual domain registration process?
Until Internet commerce requires some physical proof of identity, fraud
will continue. A zone preview approach can reduce related exploits and
associated crime, and the amount of information pushed to the edge.
What on earth makes you think that physical proof of identity would be
any sort of deterrent to fraud? Fraud existed long before the Internet,
and in absolutely physical forms.
So assuming you get rid of tasting and reduce the flow of new names to
say 50,000 per day [1] exactly how are you going to preview these in any
meaningful sort of way?
A preview would not directly reduce a churn rate, although it might as a
side effect. Computers are able to correlate even with millions of
domains per day.
Are you going to do the same for every ccTLD as well?
Consistent rules should be established for ccTLD as well, however each
ccTLD may wish to limit preview access differently.
What about domains with constantly changing subdomains? Everything
hosted in different countries with different languages, policies and
privacy laws? Believe it or not, some countries don't even have
"states" or 5 digit zip codes.
Information collected can be pushed to the edge to protect against
domains controlled by bad actors. A domain should be cautious about
delegating to bad actors.
Please detail exactly what you will do if I register "trademe.ir" using
a Pakistani Registrar, a .ly contact email, a physical address in Nigeria,
the name "Tarek Rasshid" [2], $10/year name servers in Cuba and pay for
it using a Visa gift credit card bought in Malaysia.
This is not about modifying the function of registrars or registries,
beyond requiring a zone preview from registries. This is about
identifying threats, even zero day threats, and offering protection.
The protection afforded can be fairly comprehensive, although nothing is
100%.
> Until Internet commerce requires some physical proof of identity, fraud
> will continue. A zone preview approach can reduce related exploits and
> associated crime, and the amount of information pushed to the edge.
What on earth makes you think that physical proof of identity would be
any sort of deterrent to fraud? Fraud existed long before the Internet,
and in absolutely physical forms.
And as long as proof of identity, physical or otherwise, is transferred
virtually via the compromised channel or platform, we solve nothing.
And who's 'they', btw? What qualifications must 'they' have? And what happens if a registrar disagrees with 'them'? Or when 'they' are instructed by their governments to object to a domain because of its perceived lack of redeeming social value, or somesuch?
It seems to me as if we've just talked through the institutionalization of the Department of Domain Pre-Crime, with all that entails. It could be argued that the proposed solution might be worse than the problem it's purporting to solve.
Reacting to new domains after the fact is often too late.
What happens when they're wrong?
Most assessments are fairly straightforward. As with any form of protection, there may be false positives. More attractive and successful services would reduce the level of false positives while still retaining a reasonable level of protection.
And who's 'they', btw? What qualifications must 'they' have? And what happens if a registrar disagrees with 'them'? Or when 'they' are instructed by their governments to object to a domain because of its perceived lack of redeeming social value, or somesuch?
Market forces would determine these questions. The service must be independent of registrars. One might expect law enforcement to become involved in look-alike domains when notified by affected third-parties. As a result of legal actions, there should be some agency (or geographic specific courts for ccTLDs) to resolve conflicts. This seems like a worthwhile investment, as reducing Internet crime in this manner should save much more than it costs.
It seems to me as if we've just talked through the institutionalization of the Department of Domain Pre-Crime, with all that entails. It could be argued that the proposed solution might be worse than the problem it's purporting to solve.
This is about recognizing the weapon being used. In the case of a zone file preview, it is recognizing that the same weapon is about to be used again. Zone previews enable another defensive layer to be provided by the market place. It requires little from the registries and nothing from the registrars, although the registrar may have their deposit held when a law enforcement agency requests a domain be held pending resolution.
Agreed and my apologies for not being clear. Registrars are unable to curtail current levels of fraud without significant changes in how domains are acquired. Consider registrar related fraud as a separate and perhaps even fruitless topic.
The recommendation was for registries to provide a preview of the next day's zone. A preview can reduce the amount of protective data required, and increase the timeframe allotted to push correlated threat information to the edge. This correlated threat information can act in a preemptive fashion to provide a significant improvement in security. This added level of protection can help defeat expected and even unexpected threats that are becoming far too common as well.
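The kind of correlation a zone preview would allow, as an added illustration that is not part of the thread: diff today's zone against the registry's next-day preview to extract newly delegated names, then score each new label against a watch list of protected brands (the zone snapshots, brand names and the digit-to-letter confusable map are constructed placeholders) so that look-alike alerts, with the name servers they delegate to, can be pushed to the edge before the names go live.

```python
import re
from difflib import SequenceMatcher

# Constructed zone snapshots (placeholders); only NS delegations are parsed.
ZONE_TODAY = """\
example.                 IN NS ns1.example.
bankofsomewhere.example. IN NS ns1.hoster.example.
shoppe.example.          IN NS ns2.hoster.example.
"""
ZONE_PREVIEW = """\
example.                 IN NS ns1.example.
bankofsomewhere.example. IN NS ns1.hoster.example.
shoppe.example.          IN NS ns2.hoster.example.
bank0fsomewhere.example. IN NS ns1.cheapdns.example.
bankofsomewhere-login.example. IN NS ns1.cheapdns.example.
weather.example.         IN NS ns3.hoster.example.
"""
WATCH_LIST = ["bankofsomewhere", "shoppe"]   # hypothetical protected labels
CONFUSABLES = str.maketrans("0135", "oles")  # small illustrative digit->letter map

def delegated_names(zone_text):
    """Return {owner: {nameservers}} for every NS record in a zone snapshot."""
    out = {}
    for line in zone_text.splitlines():
        m = re.match(r"(\S+)\s+IN\s+NS\s+(\S+)", line)
        if m:
            out.setdefault(m.group(1), set()).add(m.group(2))
    return out

def new_delegations(today, preview):
    """Names delegated in the preview that are absent from today's zone."""
    current = delegated_names(today)
    return {n: ns for n, ns in delegated_names(preview).items() if n not in current}

def lookalike_score(label, brand):
    # Fold confusable digits first, then treat an embedded brand as a certain hit.
    norm = label.translate(CONFUSABLES)
    if brand in norm and norm != brand:
        return 1.0
    return SequenceMatcher(None, norm, brand).ratio()

def assess_preview(today, preview, watch=WATCH_LIST, threshold=0.85):
    """Return [(name, matched_brand, score, nameservers)] worth alerting on."""
    alerts = []
    for name, ns in new_delegations(today, preview).items():
        label = name.split(".")[0]
        brand, score = max(((b, lookalike_score(label, b)) for b in watch),
                           key=lambda t: t[1])
        if score >= threshold:
            alerts.append((name, brand, round(score, 2), sorted(ns)))
    return alerts
```

Grouping the alerts by their name servers is what lets the infrastructure itself be examined, as the thread suggests, rather than only the individual name.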
OK, I understand this, but the previously-expressed comments about unintentional/undesirable consequences and not addressing the actual cause of the problem (inadequate and/or inefficient credit card processing and inefficient business processes), as well as the comments regarding practicalities and so forth, haven't really been addressed (pardon the pun), IMHO.