Interesting People mailing list archives

Re: Govt refuses to disclose .gov domain names


From: David Farber <dave () farber net>
Date: Tue, 3 Mar 2009 08:54:20 -0500



Begin forwarded message:

From: Steve Crocker <steve () shinkuro com>
Date: March 3, 2009 8:42:35 AM EST
To: dave () farber net
Cc: Steve Crocker <steve () shinkuro com>, "ip" <ip () v2 listbox com>
Subject: Re: [IP] Re:   Govt refuses to disclose .gov domain names

[Resending with small typo fixed]

Dave, et al,

When DNS was designed many years ago, there was no concern about disclosure of names within a subdomain. Over a long period of time, a large portion of the community has come to consider this sensitive information. I won't argue the merits here. I am simply reporting a very clear shift in thinking that's taken place over a period of perhaps two decades. In many countries, the top level domain operators cite privacy laws as their reason for not disclosing the domain names.

In the original design of DNSSEC, the security protocol for DNS, a side effect of the mechanism (NSEC) within the design that provides an authenticated declaration that a requested subdomain does not exist is an ability to walk the zone efficiently and learn the names of all the subdomains that do exist. This side effect was deemed unacceptable in many quarters, leading to resistance to adopt DNSSEC and an additional round of design to create an alternative mechanism (NSEC3) to provide authenticated declaration of non-existence of a subdomain without disclosing the names of the existing neighbors of the requested name. Adding this additional mechanism has added a couple of years to the deployment of DNSSEC.

Your readers may choose to debate whether disclosure of subdomain names is or is not a security or privacy threat in general, or whether the U.S. Government should choose to disclose the subdomain names under .gov. I am not addressing either of those questions here. What I am saying, however, is that this is not a new question, a large number of zone operators have spoken forcefully on this subject, and, to the surprise of the community that developed the DNS security protocol, the requirement to keep the zone contents private emerged late in the process and had to be accommodated. All attempts to argue that this emergent requirement wasn't really needed -- and there were many -- failed. For what it's worth, the .gov policy is the same as many European countries' policy and others around the world.

Steve



On Mar 3, 2009, at 3:59 AM, David Farber wrote:



Begin forwarded message:

From: "Yiorgos [George] Adamopoulos" <yiorgos () tee gr>
Date: March 3, 2009 4:39:17 AM EST
To: David Farber <dave () farber net>
Cc: ip <ip () v2 listbox com>
Subject: Re: [IP] Govt refuses to disclose .gov domain names

On Tue, 3 Mar 2009, David Farber wrote:
The General Services Administration has made the rather surprising claim that it can’t reveal the list of .gov domains because doing so would represent a security risk:

http://www.informationweek.com/news/showArticle.jhtml?articleID=215600330

Interestingly enough, I made a similar request to the .GR Hostmaster for a list of .GR domain names, back in 2007. The response that I got was that it was prohibited by their security policy.

What I can only speculate is that, given a list of domains, one can easily create fairly accurate spam lists and spam all of them. Depending on the organization, this may or may not seem like a reasonable precaution.

--
#include <std/disclaimer.h>



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
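
The NSEC versus NSEC3 difference described in Steve Crocker's message, as an added example that is not part of the original messages: it compares what a negative answer discloses under each mechanism, using the RFC 5155 hash construction over an in-memory zone. The zone names, salt and iteration count are constructed sample values, and only the record covering the queried name is modelled, not the full closest-encloser proof.

```python
import base64, bisect, hashlib

# Constructed sample zone (not real data).
ZONE = ["example.", "alpha.example.", "mail.example.",
        "payroll.example.", "vpn.example."]
B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                         b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def canonical_key(name):
    # DNSSEC canonical order: compare lowercased labels from right to left.
    return [l.lower() for l in reversed(name.rstrip(".").split("."))]

def nsec3_hash(name, salt, iterations):
    # SHA-1 over wire-format name + salt, then re-hashed `iterations` times.
    labels = name.rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.lower().encode() for l in labels) + b"\0"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32HEX).decode().lower()

def nsec_denial(qname):
    # NSEC: the proof for a missing name lists its real neighbours in the zone.
    chain = sorted(ZONE, key=canonical_key)
    keys = [canonical_key(n) for n in chain]
    i = bisect.bisect_left(keys, canonical_key(qname))
    return chain[i - 1], chain[i % len(chain)]  # chain is circular

def nsec3_denial(qname, salt=bytes.fromhex("aabbccdd"), iterations=12):
    # NSEC3: the proof lists only the hashes that bracket the hashed query name.
    chain = sorted(nsec3_hash(n, salt, iterations) for n in ZONE)
    i = bisect.bisect_left(chain, nsec3_hash(qname, salt, iterations))
    return chain[i - 1], chain[i % len(chain)]

def names_disclosed(queries, denial):
    # Everything a resolver learns from the owner/next fields of the answers.
    seen = set()
    for q in queries:
        seen.update(denial(q))
    return seen

if __name__ == "__main__":
    # Queries for names that do not exist in the constructed zone.
    probes = ["bravo.example.", "nnn.example.", "q.example.", "zzz.example."]
    print("NSEC :", sorted(names_disclosed(probes, nsec_denial)))
    print("NSEC3:", sorted(names_disclosed(probes, nsec3_denial)))
```

Zone operators evaluating the two mechanisms can read the output directly: the NSEC answers carry the zone's plaintext names, while the NSEC3 answers carry only salted hashes of them.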




