North American Network Operators Group

Re: summarising [was: Re: ICANNs role]

  • From: Joe Greco
  • Date: Tue Apr 03 21:44:06 2007

> No one wants to wait for security checks while browsing.  This  
> information must be preprocessed and "at the ready", or the Internet  
> starts to feel rather slow and broken.  By slowing down registry  
> updates and even providing a preview of upcoming changes will allow  
> security to become much faster in providing comprehensive answers,  
> and make browsing seem unimpaired (as it should be).
> 
> There is no need for rapidly unannounced updates by the registries.   

That simply isn't true.

It is more reasonable to say that "there is no need for rapid /and/
frequent updates" and to put some limits in place.

One fine day, I got involved with an ISP client handling a most unusual
situation.  They had been contacted by some folks at United Media who
were in a panic because they had botched a registry update, putting in
IP addresses that did not work.  As it happens, one of the IPs in
question was in an outsourced dial pool in Rockford, IL (IIRC - maybe
Beloit) and they had the imagination to call the ISP in question.

We set up a static IP, dialed in, and watched port 53 data stream in at 
the full line speed.  Everyone in the world who was looking for Dilbert
and other United Media properties was of course talking to resolvers
that were in turn banging on that IP.

Well, answering with much larger packets through the dialup wasn't 
practical, and the ISP's upstreams had ingress filtering, but I did 
manage to set up a VPN over to our networks where we control our own
filtering and our upstreams didn't do any ingress.  We ended up fixing
them a handful of hours after their error.  We watched the DNS traffic
dwindle over the next two days, and eventually hung up.  ;-)

Obviously they had updated their info as soon as they could, but the
.com zone wasn't updated for almost another day (or was it two?)

Now, the reality is, accidents do happen.  However, they happen
infrequently enough that you probably do not need to be able to
change your nameservers through the web interface and have them
reflected 5 seconds later.  I do think that it would be very valuable
to have the capability to call someone at a registrar to deal with
issues like this for the infrequent times that it is needed, or
perhaps allow one such change per week(?) through the web interface.

Let us not get so intent on "getting the bad guy" that we damage the
innocent at the same time.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.