North American Network Operators Group


Re: On-going Internet Emergency and Domain Names

  • From: Douglas Otis
  • Date: Mon Apr 02 22:48:46 2007



On Apr 2, 2007, at 6:29 PM, David Conrad wrote:


On Apr 1, 2007, at 8:45 AM, Gadi Evron wrote:
On Sun, 1 Apr 2007, David Conrad wrote:
On Mar 31, 2007, at 8:44 PM, Gadi Evron wrote:
I'm not clear what "this realm" actually is.
Abuse and Security (non infrastructure).

Well, ICANN is supposed to look after the "security and stability" of the Internet, which is sufficiently vague and ambiguous to cover pretty much anything. I was actually looking for something a bit more concrete.


The one concrete suggestion I've seen is to induce a delay in zone creation and publish a list of newly created names within the zone. The problem with this is that it sort of assumes:

a) the registries all work on similar timescales
b) that timescale is on the order of a day
c) ICANN has a mechanism to induce the registries to make changes to those timescales
d) making changes along these lines would be what end users actually want.


Of these options:

- (a) isn't true (by observation)
- (b) is currently true for com/net, but I don't expect that to last -- I've heard there is a lot of competitive pressure on the registries to be faster in doing zone modifications
- (c) I don't think is true now for even those TLDs ICANN has a contractual relationship with and is highly unlikely to ever be true for the vast majority of TLDs
- (d) probably isn't true, given lots of people complain about how long it takes to get zone changes done now and I believe registries are working to reduce the amount of time significantly due to customer demand.


Even if a delay were imposed, I'm not sure I see how this would actually help as I would assume it would require folks to actually look at the list of newly created domains and discriminate between the ones that were created for good and the ones created for ill. How would one do this?

Good points.


The suggestion was to preview the addition of domains 24 hours in advance of being published. This can identify look-alike and cousin domain exploits, and establish a watch list when necessary. A preview provides valuable information for tracking bad actors and for setting up more effective defenses as well.

Should a 24 hour delay on updates prove unworkable, one method might be to flag new domains. The flag would cause the record to remain hidden until the flag is removed. Perhaps IN could be set to something else as a signal the record is being previewed. The registrar would not see the flag, but would see the information as it would appear when finally published. Nothing should appear different from the registrar's perspective. It would also be good to establish feeds to interested parties of modifications as they occur.

Currently, domain name additions are accomplished in milliseconds, but then reported after 24 hours. This agility is being heavily abused by bad actors hiding within the daily churn of millions of new domains. A preview mode of operation offers a viable defensive tactic that should not impose much in the way of additional costs.

-Doug
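
One way a defender could screen such a preview list for look-alike and cousin names, as an added example that is not part of the original message or of any registry's tooling. It assumes the preview is a plain list of newly created names; the brand `examplebank`, every sample domain, the substitution table and the distance threshold are constructed for illustration.

```python
# Added example: screening a preview list of newly created names.
# The brand "examplebank" and every domain below are constructed.

# Digit-for-letter swaps seen in look-alike names (illustrative, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def skeleton(label):
    """Fold visual substitutions so 'examp1ebank' compares equal to 'examplebank'."""
    s = label.lower().translate(CONFUSABLES).replace("-", "")
    return s.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand):
    """Compare the leftmost label of a new name with one watched brand."""
    label = domain.lower().rstrip(".").split(".")[0]
    if label == brand:
        return "exact"                      # same label, e.g. under another TLD
    skel, target = skeleton(label), skeleton(brand)
    if skel == target or edit_distance(skel, target) <= 1:
        return "look-alike"                 # visually or typographically close
    if target in skel:
        return "cousin"                     # brand embedded in a longer name
    return None

def screen(preview, watch_list):
    """Return (domain, brand, verdict) for every previewed name that needs review."""
    hits = []
    for domain in preview:
        for brand in watch_list:
            verdict = classify(domain, brand)
            if verdict:
                hits.append((domain, brand, verdict))
    return hits

PREVIEW = ["examp1ebank.com", "exarnplebank.com", "examplbank.com",
           "examplebank-login.net", "examplebank.org", "gardening-tips.org"]

if __name__ == "__main__":
    for hit in screen(PREVIEW, ["examplebank"]):
        print(*hit)
```

Names that return a verdict are candidates for the watch list the message mentions; a human or a second-stage check still has to decide which of them were created for ill.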