summarising [was: Re: ICANNs role]

> > There is no need for rapidly unannounced updates by the
> > registries.
>
> That simply isn't true.

You're right. Just like there is a very strong need for an airline that
offers 5 minutes from curb to seat checkin service. The need exists but
it ain't gonna be filled anytime soon because the government prohibits
such things. The government mandates delays and multiple vetting
processes between the time you step on the curb and the time you sit in
your airplane seat.

Well, if you're going to say that, then at least be honest and concede
that the government has also recognized the need, and has been working
towards filling it with the TSA's "Registered Traveler" program, which
was designed to pretty much allow a traveler to go to an airline kiosk,
pick up a ticket, and make it through security fairly rapidly. Five
minutes is overly optimistic, but more due to the size of your average
airport than due to the amount of time expected to be consumed by the
process.

Same with buying a handgun in most states and in Canada. Same with
opening a business in most jurisdictions. You have to go to city hall and
apply for a license first. Why should domain name registries be special
and be exempt from these normal processes of vetting and registering?

Well, again, then, let's play fair with the analogies. It may actually
take a business day to open an LLC here, but once that's done, I can
submit changes to the registered office as frequently as I want. It may
take a little time for the state to process them, but that's not due to
any special "vetting" process that I'm aware of, it's a legacy of the
fact that the systems aren't all-electronic yet.

If you actually look at why businesses have to register, it has more to
do with collecting various taxes and/or maintaining records than it does
with "vetting." A sole proprietorship here in WI has minimal obligations
and in many cases need not file much of anything in order to do business.
LLC records with the state need not list the members. The state wants
to collect their sales tax, for that you need a sales and use tax permit.
If you want to rent space, that's another set of fee-related issues.
Etc. So I find that argument weak at best.

Of course, I have yet to see a criminal shoot anyone with a domain name,
or a hijacker take over a plane with one. These are very serious real
world events involving injury and/or death, and as such, some additional
care may be warranted, which is doubtless why registration is required to
buy a handgun, why there are metal detectors and anti-terrorist programs
at airports, etc. To be needing to reach to such levels to justify your
argument is not particularly compelling, especially when it is easy
enough to poke holes in it anyways.

If you seriously want to propose something:

If you're going to do any vetting, the time to do it is at registration,
not at crunch time.

Limiting rapid updates makes sense. Eliminating them does not.

Fixing the brokenness which allows for domain tasting makes perfect sense.

Designing a system which doesn't allow for some level of anonymity (let's
say for whistleblower/bloggers) requires some serious debate that goes
far beyond "what are the security implications."

Etc.

... JG

> If you're going to do any vetting, the time to do it is at registration,
> not at crunch time.

The bulk of the discussion over the past few days was directed at the
practice of rapid updates of BRAND NEW DOMAIN NAMES. Clearly this is
entirely separate from the issue of updating information for an
established domain name.

> Designing a system which doesn't allow for some level of anonymity (let's
> say for whistleblower/bloggers) requires some serious debate that goes
> far beyond "what are the security implications."

That is really a separate issue. This discussion is about limiting the
damage caused by domains which do rapid NS switching. If we know which
domains are new, DNS operators could put them on probation and only
allow a minimum TTL of 1 day on those names. The domain owner can still
switch NSes but the queries won't chase him, therefore he will sell less
product and quickly stop doing NS switching. If he's not NS switching
then it is easier to track him down, blackhole him, filter him,
whatever.

--Michael Dillon

[SNIP]

> That is really a separate issue. This discussion is about limiting the
> damage caused by domains which do rapid NS switching. If we know which
> domains are new, DNS operators could put them on probation and only
> allow a minimum TTL of 1 day on those names.

All that this means is that domains will be registered and sit idle (or host a web server for domain parking, useless content to make it look legitimate, etc.) until the probation period is up. Then it will be converted into a rapid NS switching domain used for whatever...
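An added illustration of the two messages above (not code from anyone on the thread): a toy caching resolver that applies the proposed one-day TTL floor to names still on probation, and shows that the floor stops mattering once a domain ages past it. The 30-day probation length, the 5-minute NS rotation, the 300-second TTL and the domain name are all assumptions made for the example.

```python
DAY = 86400
PROBATION_DAYS = 30   # assumption: the thread never states a probation length


def effective_ttl(answer_ttl, domain_age_days, floor=DAY,
                  probation_days=PROBATION_DAYS):
    """TTL the resolver caches with; raised to `floor` while on probation."""
    if domain_age_days < probation_days:
        return max(answer_ttl, floor)
    return answer_ttl


class NSCache:
    """Minimal delegation cache for a single resolver."""

    def __init__(self):
        self._entries = {}   # domain -> (ns_name, expires_at)

    def resolve(self, domain, now, authoritative_ns, answer_ttl, age_days):
        cached = self._entries.get(domain)
        if cached and now < cached[1]:
            return cached[0]   # still pinned to the delegation seen earlier
        ttl = effective_ttl(answer_ttl, age_days)
        self._entries[domain] = (authoritative_ns, now + ttl)
        return authoritative_ns


def simulate(age_days, switch_every=300, answer_ttl=300, duration=DAY):
    """Number of distinct NS names the resolver follows during `duration`
    seconds while the owner rotates name servers every `switch_every`
    seconds. Age is held constant over the run for simplicity."""
    cache = NSCache()
    followed = set()
    for now in range(0, duration, 60):   # one client query per minute
        current_ns = f"ns{now // switch_every}.example."   # constructed rotation
        followed.add(cache.resolve("new-domain.example", now, current_ns,
                                   answer_ttl, age_days))
    return len(followed)


if __name__ == "__main__":
    print("on probation  :", simulate(age_days=1))    # queries do not chase the switch
    print("past probation:", simulate(age_days=45))   # every rotation is followed
```
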

...

> If you seriously want to propose something:
>
> If you're going to do any vetting, the time to do it is at registration,
> not at crunch time.

If what you're talking about is the identity of the person registering,
yes.

If what you're talking about is the identity of the person submitting
the request for change, no.

If you do the former, and can establish (what is today's password,
please?) that the latter is the former, then you have done the latter
fairly quickly and easily - and can trace any abuse or attempted perfidy
[such as I was trying to do to you in the last message].

> Limiting rapid updates makes sense. Eliminating them does not.

Yes.

> Fixing the brokenness which allows for domain tasting makes perfect sense.

Yes.

> Designing a system which doesn't allow for some level of anonymity (let's
> say for whistleblower/bloggers) requires some serious debate that goes
> far beyond "what are the security implications."

Yes.