what registrars need to do with no incentive [was: Re: On-going ..]

Date: Mon, 2 Apr 2007 21:09:24 -0500 (CDT)
From: Gadi Evron <ge@linuxbox.org>
Subject: what registrars need to do with no incentive [was: Re: On-going ..]

> > From: David Conrad <drc@virtualized.org>
> > Subject: Re: On-going Internet Emergency and Domain Names
> > Date: Mon, 2 Apr 2007 17:33:08 -0700
> >
> >
> > > The recommendation was for registries to provide a preview of the
> > > next day's zone.
> >
> > I think this might be a bit in conflict with efforts registries have
> > to reduce the turnaround in zone modification to the order of tens of
> > minutes.
> This is getting far afield from 'network operations', but the underlying
> issue is really quite simple: There are *NO*PENALTIES* for registering
> 'bogus' domains. The registry operator has -no- (financial) incentive
> to investigate, nor remove, a 'falsified' entry. Once a name is in the
> database, _anything_ affecting it is an 'un-necessary expense' to the
> registry operator.
> Similarly, there is no dis-incentive to a registrar with regard to _filing_
> a bogus registration with a registry.

Or policy.

Yes, there _is_ policy against it. In the case of ICANN-controlled domains,
it is a breach of the registrar's contract with the registry operator. It
is also a breach of the registrant's contract with the operator.

Those things provide a 'cause' for which the registrar can cancel the
registration of the domain. *IF*THEY*CHOOSE*TO*. But, they, -currently- have
little-to-no incentive _to_ do so. Handling complaints, and cancelling domains
is, unfortunately, an 'added expense' to a registrar. If that expense can be
avoided, the "bottom line" looks better.

The registry operator has no financial incentive to penalize those from whom
it derives its revenues (i.e. the registrars). The truth of -that- statement
should be self-evident. Nor, at the current price-point, the resources to
verify the data presented.

The registrar suffers no penalties for the 'occasional' breach. And has
no compelling financial reason to 'throw good time/effort after bad' by
taking punitive action 'after the fact' -- by doing nothing, it is an
'avoidable expense' that improves bottom-line results.

Change the 'environment' -- so that it *IS* in the financial interest of
the registrars and registry operators to run a 'clean house', and the
issues of 'dirty operations' will disappear. One doesn't _have_ to worry
about 'how' to make it happen -- the 'interested parties' *will* figure that
out for themselves.

Registrars, and registry operators, are *NOT* 'altruistic' entities, however
much we might 'wish' that is the case. They are commercial entities, and,
as such, their own 'self-interest' is their _primary_ interest.

The current 'problem' is that what is 'best for those operators' is _not_
what is 'best for the community'.

The fix *IS* to 'change the rules' so that the 'self-interest' of those
'core players' _is_ aligned with what is 'best for the community'. The
simplest way to accomplish that is to make it 'more expensive' to "do it
wrong", than it is to "do it right".

This is stuff that one _should_ be able to 'sell' to ICANN, and get
incorporated (at the very worst) in the next round of registry-operator
renewal contracts, with 'pass through' to registrar contracts taking
effect in an additional 30 days, or so.

Structured right, making 'cleaning house' a _revenue_source_ for the
registry operator, and they will _very_likely_ "agree" to modification
of the existing contracts to support the additional revenues. Meaning
that one would -not- have to wait for contract renewals to implement.

Not to belabor the obvious, but the Internet is a _co-operative_ venture.
There is *no* 'strong central authority' that can 'dictate' terms that
everyone must follow. What 'control' there is exists _only_ because
almost all the players _voluntarily_ agree to play by the same rules.
If enough players become 'dis-satisfied' with what the 'control' does,
then that authority will disappear, and be replaced by 'something else'.
"Comes the Revolution, things will be different -- not necessarily better,
but different" will apply. And there will be -no- going back, even if
people decide they -don't- like the revolutionary world better.

Recognize that what you are dealing with is a 'political' problem -- its
roots are in the way _people_ behave. 'Technical' fixes to 'people' problems
are doomed -- the world will invent a more efficient fool.

> Address _these_ issues, and the domain names "problem" will effectively
> disappear.
> One _possible_ approach to dealing with the problem:
> 1) registry includes in its contract with registrars a (non-trivial) $$
> penalty for any registration filed that is found to contain invalid
> information.

And work a bit harder to make sure the information is valid. This can mean
higher costs, of course.

You cannot mandate how hard somebody must work. It doesn't work. Make it
'expensive enough' to be wrong, and *then* they will make the necessary effort
to be 'right'.

> 2) 'formal complaints' to registrar about invalid information must
> include a 'filing fee' for the complaint. If the complaint is
> in-accurate, the filer loses their filing fee. HOWEVER, if the
> complaint _is_ valid, the _original_ filer gets back _more_ than
> their fee (paid out of the 'fine', see item 1, above, assessed
> against the registrar) while any additional complainants get all
> their original money returned. Possible variation: the size of
> the fine assessed against the registrar for a 'confirmed' complaint
> depends on the number of complaints received within some
> 'reasonable' time of the first complaint -- and all complaints
> within that 'window' get the 'bounty' for a valid complaint.
> 3) Registrars are charged a _sliding-scale_ of fees, with higher fees
> based on the numbers and/or percentages of 'bogus' registrations
> submitted recently. (This is similar to the way 'unemployment
> taxes' are assessed in the U.S. If there are more claims against
> your company, you pay a higher rate than similar firms with lower
> claims.)
> 4) Registrars with higher rates of 'invalid' submissions are _rate-
> limited_ as to how fast they can submit registrations.

Bulk registration should be limited, or at the very least regulated.

Impossible to make effective. Too many big operations have legitimate basis
for registering large numbers of domains. Usually on behalf of clients. You
cannot differentiate, _at_the_registry_operator_level_ between a submission of
10,000 names on behalf of 10,000 legitimate clients, and a submission of
10,000 names on behalf of 10,000 forged client-names, all controlled by the
same criminal entity.

You cannot rely on the 'good intentions' of registrars -- it is well known
that several registrars are controlled by 'bad guys'.

Suspending domains registered with a stolen CC (as mentioned) seems
natural, doesn't it?

Honest answer, "no". Does it accomplish anything? If a credit card has
-already- been reported stolen, and the registrar is doing real-time charge
authorization (and I don't know of any incompetent enough -not- to be so
doing), the domain registration fails.

OTOH, If the card has *not* been reported stolen, it is *weeks* before
the fact of the stolen card is _discovered_. With the 'professional bad
guys' only expecting to get a few days, to maybe one week, before the name
is widely blocked, cancelling the name weeks -later- will have no
significant effect.

So, just what 'benefit' does this "natural" idea buy?

The registry operator doesn't know (and doesn't care) how the registrant
paid the registrar. They don't have the information to investigate, or
act. And, they "don't care" -- they _have_ been paid, by the registrar,
whether or not the registrar got 'stiffed' by the registrant.

The registrar is _already_ out the registry fee for the domain, with no
possible further revenues from that customer account. _WHY_ should they
go to the 'extra expense' of spending the time/effort to cancel the domain
that is probably not even being used any more?

Something as 'trivial' as closed-loop e-mail confirmation (a la 'best
practice' for mailing-list sign-up) would likely have a much bigger impact
on fraudulent registrations. Especially if 'freemail', and 'anonymous'
accounts are not allowed to be used for 'confirmation'. An additional
requirement that the IP address from which the registration submission
originates have rDNS that is in the same domain as the confirmation address
would go a *LONG* way towards providing some 'accountability' in the domain
registration process.

One other alternative is to require a 'certificate' of identity (a la X.509)
to register a domain name. With a certificate "revocation" resulting in
automatic cancellation of all domains registered under it. This provides
a degree of traceability/accountability to the registration process, _and_
'raises the bar' for fraudulent operators, by tying their operations
together, _or_ greatly increasing the lead-time _and_ cost of setting up
false-front domains.
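
The preconditions for closed-loop e-mail confirmation described above (no freemail confirmation address, submitting IP's rDNS in the same domain as that address), as an added example that is not part of the original message. It goes one step beyond the text by forward-confirming the PTR name, since a PTR record is controlled by whoever runs the reverse zone for the IP. The resolver callables, the freemail set and all sample names and addresses are constructed, and the address's domain part is compared directly with no public-suffix handling.

```python
import ipaddress

# Constructed sample data (documentation-range IPs, .example names).
FREEMAIL = {"freemail.example", "anonmail.example"}
SAMPLE_PTR = {
    "192.0.2.10": ["gw.corp.example."],
    "198.51.100.7": ["mail.corp.example."],   # PTR claims corp.example
    "203.0.113.5": ["host5.isp.example."],
}
SAMPLE_A = {
    "gw.corp.example": ["192.0.2.10"],
    "mail.corp.example": ["192.0.2.99"],      # forward lookup disagrees with PTR
}

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def in_domain(host, domain):
    """True if host is the domain itself or a name beneath it."""
    return host == domain or host.endswith("." + domain)

def check_submission(src_ip, confirm_addr,
                     ptr_lookup=lambda ip: SAMPLE_PTR.get(ip, []),
                     a_lookup=lambda name: SAMPLE_A.get(name, [])):
    """Return (accepted, reason) for one registration submission."""
    local, sep, domain = confirm_addr.rpartition("@")
    if not (local and sep and domain):
        return False, "malformed-address"
    domain = norm(domain)
    if domain in FREEMAIL:
        return False, "freemail-address"
    ip = ipaddress.ip_address(src_ip)
    claimed = False
    for ptr in ptr_lookup(str(ip)):
        host = norm(ptr)
        if in_domain(host, domain):
            claimed = True
            # Trust the PTR only if the name resolves back to the same IP.
            if any(ipaddress.ip_address(a) == ip for a in a_lookup(host)):
                return True, "ok"
    if claimed:
        return False, "rdns-not-forward-confirmed"
    return False, "rdns-outside-address-domain"
```

In a live deployment the two lookup callables would wrap real PTR and A/AAAA queries, and only submissions that pass would be sent the confirmation message.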