> No one wants to wait for security checks while browsing. This
> information must be preprocess and "at the ready", or the Internet
> starts to feel rather slow and broken. By slowing down registry
> updates and even providing a preview of upcoming changes will allow
> security to become much faster in providing comprehensive answers,
> and make browsing seem unimpaired (as it should be).
> There is no need for rapidly unannounced updates by the registries.
That simply isn't true.
It is more reasonable to say that "there is no need for rapid /and/
frequent updates" and to put some limits in place.
One fine day, I got involved with an ISP client handling a most unusual
situation. They had been contacted by some folks at United Media who
were in a panic because they had botched a registry update, putting in
IP addresses that did not work. As it happens, one of the IP's in
question was in an outsourced dial pool in Rockford, IL (IIRC - maybe
Beloit) and they had the imagination to call the ISP in question.
We set up a static IP, dialed in, and watched port 53 data stream in at
the full line speed. Everyone in the world who was looking for Dilbert
and other United Media properties was of course talking to resolvers
that were in turn banging on that IP.
Well, answering with much larger packets through the dialup wasn't
practical, and the ISP's upstreams had ingress filtering, but I did
manage to set up a VPN over to our networks where we control our own
filtering and our upstreams didn't do any ingress. We ended up fixing
them a handful of hours after their error. We watched the DNS traffic
dwindle over the next two days, and eventually hung up. ;-)
Obviously they had updated their info as soon as they could, but the
.com zone wasn't updated for almost another day (or was it two?)
Now, the reality is, accidents do happen. However, they happen
infrequently enough that you probably do not need to be able to
change your nameservers through the web interface and have them
reflected 5 seconds later. I do think that it would be very valuable
to have the capability to call someone at a registrar to deal with
issues like this for the infrequent times that it is needed, or
perhaps allow one such change per week(?) through the web interface.
Let us not get so intent on "getting the bad guy" that we damage the
innocent at the same time.