North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: summarising [was: Re: ICANNs role]
> > If you're going to do any vetting, the time to do it is at > > registration, > > not at crunch time. > > The bulk of the discussion over the past few days was directed at the > practice of rapid updates of BRAND NEW DOMAIN NAMES. Clearly this is > entirely separate from the issue of updating information for an > established domain name. So... the obvious solution is to start requiring all sorts of odd and strange vetting requirements? I can't even figure out what problem that is trying to solve. The problem of rapid updates for brand new domain names is not entirely separate from that of established ones. In many cases, established ones can be caught at auction and the created date never gets updated. Further, in the future, if you think about what the response is likely to be, those who are doing bad things will simply allow their domains to age the necessary year (or whatever) to get around your differentiation between "new" and "established." So really this boils down to limiting automated updates to nameservers. "I believe I made that suggestion previously." Hmm. > > Designing a system which doesn't allow for some level of > > anonymity (let's > > say for whistleblower/bloggers) requires some serious debate that goes > > far beyond "what are the security implications." > > That is really a separate issue. Not really, but it requires a broad view of the bigger picture. > This discussion is about limiting the > damage caused by domains which do rapid NS switching. If we know which > domains are new, DNS operators could put them on probation and only > allow a minimum TTL of 1 day on those names. The domain owner can still > switch NSes but the queries won't chase him, therefore he will sell less > product and quickly stop doing NS switching. If he's not NS switching > then it is easier to track him down, blackhole him, filter him, > whatever. Expecting all (or even a significant fraction) of the DNS operators in the world to do this in order to combat phishing is simply insane. If that's what you're suggesting, I'll counterpropose space based lasers with HAL9000 intelligences to roast the culprits off the face of the earth. :-) ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.