I think you're suggesting that such people will register domain names and
use them right away (which may be true), and that the lack of a delay
enables them to do things they couldn't otherwise do (which isn't).
Plenty of spammers register lots of .com domain names and let them sit
for a little while before using them; if you're a committed spammer, it's
obviously trivial to just get three days ahead of the game. The policy
change doesn't allow evildoers to do anything they couldn't already do
with a tiny amount of forethought (or by registering a .biz, .org, .info
or .us domain, for that matter).
But the new policy does allow normal people to do something they couldn't
otherwise do: have a working .com/.net Web site and e-mail in a few
minutes. That's good for legitimate domain owner happiness.
By far the number one question customers ask my (hosting) company when
they sign up is "When will it start working?". It's almost embarrassing
to tell these poor people "ahem... it probably won't work for a day or
so, and it's a bit random -- your friends might find it works before you
do, so please don't complain if that happens", etc.
It's certainly true that a day's wait isn't the end of the world, but
these people are anxious, and it is a source of confusion, bother and
worry for them.
I welcome the change.
Actually, this *does* make the spammer's lives a whole lote easier. See
my post to Bugtraq from about a year ago titled "Permitting recursion
can allow spammers to steal name server resources". It pretty much
hinges on the spammers finding an authority that will react quickly to
change requests.
Worst part is a year after that post I still see this activity taking
place. 
HTH,
Chris
But the new policy does allow normal people to do something they couldn't
otherwise do: have a working .com/.net Web site and e-mail in a few
minutes. That's good for legitimate domain owner happiness.
By far the number one question customers ask my (hosting) company when
they sign up is "When will it start working?". It's almost embarrassing
to tell these poor people "ahem... it probably won't work for a day or
so, and it's a bit random -- your friends might find it works before you
do, so please don't complain if that happens", etc.
It's certainly true that a day's wait isn't the end of the world, but
these people are anxious, and it is a source of confusion, bother and
worry for them.
bingo! and the TTL issue is almost entirely NS RRs, as Sam Stickland
<sam_ml@spacething.org> pointed out in the article from the usual
suspects at mit/lcs, <http://nms.lcs.mit.edu/papers/dns-imw2001.html>\.
of course, almost all date in the gtlds are NS RRs, so the worry about
TTL crank-down holds, though just for silly gtld servers. then again,
they're paid to serve.
randy
The key here is not registration but change. Currently, while spammers
and other malfeasants have the ability to send out through compromised
proxies and zombied PCs, there is little that can be done to identify
them until they require a response, and then the return path provides
some traceability via the IP addresses used, at least for nameservers.
One of the latest spammer exploits involves relying on compromised
PCs for hosting of websites and DNS: which, coupled with the ability
to update the root DNS in close-to-real-time, means that the entire
hosting operation including nameservers can be based on compromised
boxes, often with an encrypted/obfuscated link back to the real point
of control, and that is significantly harder to track. This becomes
of rather greater significance if the hosting is for a phishing site.
The root DNS is controlled through the registrar, and what contact
information is held by the registrars frequently turns out to be at
best highly imaginative.
In removing the previous delays in updating root DNS, the registrars
have removed the last obstacle to making hosting totally-untraceable:
and then the only record of a hosting activity will be whatever data
is held by the registrar. The only impact of the changes that ICANN
made to improve whois-accuracy, has been that the malfeasants are now
registering more domains, so that they can rely on the mandated 15-day
grace period during which when the registrar is required to keep their
domain up even though the provided contact details are totally bogus.
The demand for extra domains serves the registrars' business model well.
When a contact address is proved to be bogus, and at the end of 15 days
the domain complained of is in consequence shut down, it does not seem
to occur to most registrars that the other (say) six hundred - perhaps
thousands of domains - that were registered by the same person with the
identical contact details, must also have bogus contact details and so
should be automatically shut down. No, an individual complaint seems
to be needed in each case, which means that the malfeasants are given
15 days from the first appearance of EACH domain during which the
entire domain is, as it were, bulletproof.
The key here is not registration but change. Currently, while spammers
and other malfeasants have the ability to send out through compromised
proxies and zombied PCs, there is little that can be done to identify
them until they require a response, and then the return path provides
some traceability via the IP addresses used, at least for nameservers.
One of the latest spammer exploits involves relying on compromised
PCs for hosting of websites and DNS: which, coupled with the ability
to update the root DNS in close-to-real-time, means that the entire
hosting operation including nameservers can be based on compromised
boxes, often with an encrypted/obfuscated link back to the real point
of control, and that is significantly harder to track. This becomes
of rather greater significance if the hosting is for a phishing site.
The root DNS is controlled through the registrar, and what contact
information is held by the registrars frequently turns out to be at
best highly imaginative.
aside from your confusion between the root and second level domain
names, this is still fud. all they need to do is register foo.bar
with delegation to their dns servers, and change a third level
domain name at will.
randy
The key here is not registration but change. Currently, while spammers
and other malfeasants have the ability to send out through compromised
proxies and zombied PCs, there is little that can be done to identify
them until they require a response, and then the return path provides
some traceability via the IP addresses used, at least for nameservers.
One of the latest spammer exploits involves relying on compromised
PCs for hosting of websites and DNS: which, coupled with the ability
to update the root DNS in close-to-real-time, means that the entire
hosting operation including nameservers can be based on compromised
boxes, often with an encrypted/obfuscated link back to the real point
of control, and that is significantly harder to track. This becomes
of rather greater significance if the hosting is for a phishing site.
That is one of the main reasons why I don't like that Verisign has removed
ability to find data on how list of nameservers for domain and more ip
address of nameserver might have been changed. The only thing we can
see is what whois shows (=bulk zone data) which is just one time/day
snapshot while spammer may have changed the ip address of nameserver
many times during the day to point to different zombie PCs.
I hope Matt can get through to correct people and deltas will be available
for those already doing bulk zone downloads.
The demand for extra domains serves the registrars' business model well.
When a contact address is proved to be bogus, and at the end of 15 days
the domain complained of is in consequence shut down, it does not seem
to occur to most registrars that the other (say) six hundred - perhaps
thousands of domains - that were registered by the same person with the
identical contact details, must also have bogus contact details and so
should be automatically shut down. No, an individual complaint seems
to be needed in each case, which means that the malfeasants are given
15 days from the first appearance of EACH domain during which the
entire domain is, as it were, bulletproof.
It seems that by these policies registries are actively helping out spammers
while claiming to be neutral party. But in reality they know full well who
the registrant of the domain is and that they deliberately breaking ICANN
rules but they do not close their account and allow them to register more
domains with false data. This "neutral party" excuse also leads to most
domain registries refusing spam compaints, again they know exactly who it
is that registers these domain and can definetly see they are spammer, but
they will not do anything about it because spammers are good customers
who register lots of domains.
This situation not helping in trying to stop this epidemic.
This assumes rational behavior of a lot of zone admins. YMMV
Of course rational behavior may be increased by information and education.
Daniel
I welcome the change.
so do i. but more importantly, i agree with daniel that the next thing
that's going to happen as a result is that there will be pressure toward
lower ttl's. and i further agree with daniel that lower ttl's would be
bad. so, let's increase dynamicism of domain addition, but let's please
not also increase dynamicism of delegation change and domain deletion.
Er, no. They have of course tried that already!
By registering foo.bar with delegation to THEIR dns servers gives full
identification of THEIR dns servers, and the host or upstream of those
servers can (and often does) start invoking their acceptable use policy.
If not, then all the considerations that Paul V. recently cited about
neighbours who allow bad things on their network, start to kick in.
The scenario I have outlined - now well established, and the mechanism
understood - allows the malfeasants to operate on the 'net with zero
traceability of their identity or location, based on everything they do
being able to be done through zombied Windows PCs or open(ed) proxies.
Paul Vixie wrote:
so do i. but more importantly, i agree with daniel that the next thing
that's going to happen as a result is that there will be pressure toward
lower ttl's. and i further agree with daniel that lower ttl's would be
bad. so, let's increase dynamicism of domain addition, but let's please
not also increase dynamicism of delegation change and domain deletion.
What would be your suggestion to achieve the desired effect that many seek by lower TTL's, which is changing A records to point to available, lower load servers at different times? I did read the point that lower TTL's should only be used when appropriate but if most high-traffic sites use low TTL's, the point about the rest is moot. (with the exception of the root-servers) The load will be seen on ISP resolvers, specially on consumer networks.
Pete
The distribution of spam is only half of the economy at work here. Spam
doesn't occur in a vacuum. The other half is the "site(s)" profiting from
the spam.
Let's just be clear that not all sites mentioned in spam are profiting at all. Spammers mention sites unrelated to what they're advertising to:
1) throw off blocklists which attempt to build lists of sites mentioned in spam.
2) purposely hurt the reputation of sites by getting blocklists to mention those sites
3) and possibly cause flash traffic loads to sites that would otherwise not get high loads.
Sites mentioned without permission common. Be clear with any attempt to go after sites "profiting" from spam to explain how you will only affect those who are really profiting and have given their permission.
so, let's increase dynamicism of domain addition, but let's please
not also increase dynamicism of delegation change and domain deletion.
dear customer, you can have wheat bread today, but rye takes a
day. here is a url which explains the reasons in obscure technical
terms. right; bloody likely.
we are here to serve the customer. the black hats use the same
services that the good customers use. do not cut off nose to spite
face.
and, as i said a few years back, in the long run, the spammers i
fear are the big business bulk mailers. it is they who fill my
post box at discounted postal rates. and they look a lot like
'legitimate' customers.
randy