nanog mailing list archives

Re: On-going Internet Emergency and Domain Names


From: Gadi Evron <ge () linuxbox org>
Date: Sat, 31 Mar 2007 22:27:35 -0500 (CDT)


On Sat, 31 Mar 2007, Paul Vixie wrote:

...
>> Back to reality and 2007:
>> In this case, we speak of a problem with DNS, not sendmail, and not bind.
>>
>> As to blacklisting, it's not my favorite solution but rather a limited
>> alternative I also saw you mention on occasion. What alternatives do you
>> offer which we can use today?

> on any given day, there's always something broken somewhere.
>
> in dns, there's always something broken everywhere.
>
> since malware isn't breaking dns, and since dns is not a vector per se, the
> idea of changing dns in any way to try to control malware strikes me as
> a way to get dns to be broken in more places more often.
>
> in practical terms, and i've said this to you before, you'll get as much
> traction by getting people to switch from windows to linux as you'd get by
> trying to poison dns.  that is, neither solution would be anything close to
> universal.  that rules it out as an "alternative we can use today".
>
> but, isp's responsible for large broadband populations could do this in their
> recursion farms, and no doubt they will contact their dns vendors to find a
> way.  BIND9, sadly, does not make this easy.  i'll make sure that poison at
> scale makes the BIND10 feature list, since clustering is already coming.
>
> at the other end, authority servers, which means registries and registrars,
> ought, as you've oft said, be more responsible about ripping down domains
> used by bad people.  whether phish, malware, whatever.  what we need is some
> kind of public shaming mechanism, a registrar wall of sheep if you will, to
> put some business pressure on the companies who enable this kind of evil.

I have done public shaming in the past, as you know. I'd rather avoid it
if policy/technology can help out.

Conversationally though, how would you suggest to proceed on that front?


> fundamentally, this isn't a dns technical problem, and using dns technology
> to solve it will either not work or set a dangerous precedent.  and since
> the data is authentic, some day, dnssec will make this kind of poison
> impossible.

Not for the bad guys, unfortunately. :/

        Gadi.

