North American Network Operators Group
Re: On-going Internet Emergency and Domain Names
> > at the other end, authority servers which means registries and registrars
> > ought, as you've oft said, be more responsible about ripping down domains
> > used by bad people. whether phish, malware, whatever. what we need is
> > some kind of public shaming mechanism, a registrar wall of sheep if you
> > will, to put some business pressure on the companies who enable this kind
> > of evil.
>
> I have done public shaming in the past, as you know. I'd rather avoid it
> if policy/technology can help out.

technology can help someone protect their own assets. policy can help
other people protect their assets. public shaming can motivate other
people to protect their own assets. YMMV.

> Conversationally though, how would you suggest to proceed on that front?

a push-pull.

first, advance the current effort to get registrars and dynamic-dns
providers to share information about bad CC#'s, bad customers, bad
domains, whatever. arrange things so that a self-vetting society of both
in-industry and ombudsmen have the communications fabric they need to
behave responsibly. push hard on this, make sure everybody hears about it
and that the newspapers are full of success stories about it.

then, whenever there's a phish or malware domain whose dyndns provider or
dns registrar is notified but takes no action, put it on the wall of
shame. something akin to ROKSO would work. (in fact, spamhaus could *do*
this.) make sure that the lack of responsible takedown is a matter of
public record and that a sustained pattern of such irresponsibility is
always objectively verifiable by independent observers who can each make
independent judgements.

> > fundamentally, this isn't a dns technical problem, and using dns
> > technology to solve it will either not work or set a dangerous precedent.
> > and since the data is authentic, some day, dnssec will make this kind of
> > poison impossible.
>
> Not for the bad guys, unfortunately. :/

by "this kind of poison" i meant something that would be used by good guys
to "whiteout" the domains needed/used by bad guys. it'll be inauthentic
data, and if dnssec is ever launched, this kind of data will be
transparently obviously inauthentic, and will just not be seen by the
client population. so, yes, dnssec will end up helping the bad guys in
that particular way.