On Tue, 3 Apr 2007, Fergie wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> [top-posting to maintain the entire context below]
> 
> I think Doug makes some good points here (with the exception of
> number 6)...

I just posted this, and I believe it makes sense:

Title: Put Security Alongside .XXX

Isn't security as important to discuss as .XSS?

The DNS has become an abuse infrastructure, it is no longer just a
functional infrastructure. It is not being used by malware, phishing and
other Bad Things [TM], it facilitates them.

Operational needs require the policy and governance folks to start taking
notice.

It's high time security got where it needs to be on the agenda, not just
because it is important to consider security, but rather because lack of
security controls made it a necessity.

In discussion of my latest post, some folks on NANOG raised interesting
ideas, such as:

(these are displayed as I understood them)
1. Terminating domains found to be registered with stolen credit cards
(raised by Chris Morrow)
2. Introducing a delay to registration (Douglas Otis)
3. Reviewing legacy engineering decisions (David Conrad)
4. A show of responsibility by Registries and Registrars to take care of
bad domains (Paul Vixie)
5. Public shaming should be considered (Paul Vixie)
6. Closing the vulnerability with DNS should not be ignored just because
bad guys will find something else to exploit (Hank Nussbacher)
7. Check out http://www.icann.org/participate/ (John Crain)

As well as other ideas and contributors. I won't push my own here, there's
enough already up there to keep us busy for a while.

Whether these ideas are good remains to be seen, the fact is that we now
discuss the issues.

Some other conclusions were that the domain registration system and
process are a significant part of the current on-going abuse of the DNS
infrastructure.

So, as important as the XXX TLD is, security should get as much attention,
if not more.

It's about the current policy which allows black hat registrars to exist
(rather than controlling good ones - lower hanging fruit first?), as well
as about the policy of registration and termination of domain names. It is
about old policy no longer fitting today's threats, and, to a limited
fashion, technology which needs to be revamped.

Here is one of the latest emails in the NANOG thread, by me in reply to
David Conrad. Things start to make sense now that flames and personal
attacks have died down. 

[previous NANOG post here]

Where do we go from here? If we do proceed, what legitimate business
concerns stand to lose money? (or not earn as much?)

Gadi Evron,
[EMAIL PROTECTED]

Reply via email to