The key to fixing any part of the Internet infrastructure is to understand the business cases for the parties whose behavior you want to influence and design the technology accordingly. People who follow this approach (Sir Tim Berners-Lee and the World Wide Web) have a chance of succeeding. People who ignore it (DNSSEC, IPv6) will fail.

The root problem here is that the ICANN DNS does not differentiate between the parts of the Internet that are accountable and those that are not. And this is not an objective distinction and thus not a distinction that anyone should want ICANN or the registries to be involved in. Reforming WHOIS is simply a means to an end of establishing accountability, so lets focus on establishing accountability and cut to the chase.

Let us say I am a typical Internet user. Do I wish to connect up to every Internet domain whose owners pony up the registration fee or just the ones that are not likely to attempt to cause me harm?

People pay good money to be protected from the people who might try to cause harm. They pay for anti-virus ‘solutions’ and spam filters. The idea of a DNS service that filters out the malicious actors should not be objectionable. And even if it was, the end user has the right to make their own choice on the matter. This is the key, having the government (or focus on the family or ICANN) decide who I can connect to without my permission is censorship. Choosing someone to filter out the bad actors for me is personal security.

But, but, but, isn’t that going to fracture the DNS root?

Not really, there are two types of fracture possible. The type of fracture that could be very damaging is the one where a domain name resolves to a different entity depending on where the question is asked. That creates ambiguity and a loss of accountability. There are scenarios in which such a fracture could occur in theory, but the consequences of such a fracture are sufficiently catastrophic to provide a deterrent.

The second type of fracture, one where a name may resolve in some circumstances but not others is not necessarily catastrophic. In fact in the context of the SCADA control systems on which I currently work it is positively desirable to establish a default-deny condition in which the only sites a controller can access are the ones that the administration has determined there is a good reason to grant access to.

I predict that over the next few years we are going to see increasing interest in this model of protection. It is relatively straightforward to deploy (just point the DNS server at the appropriate static IP address). We can add in a lightweight cryptographic authentication mechanism by extending TSIG. What matters to me in my enterprise is not that a network endpoint receives DNS records that ICANN trusts, all I care about is that it receives the DNS records that meet my trust criteria.

I may manage those trust criteria myself or choose an outsource provider.

Now let us imagine that people decide to do DNS security my way. How does the outsource trust manager evaluate sites? What information do they have available? What should they use?

The answer to the second question is going to depend on the application. For my industrial control systems I probably want to restrict the set of reachable nodes to ones that have EV certificates and accreditations for SCADA relevance. But for general web browsing we are likely to use a much looser set of criteria that uses feedback and heuristics. The same type of model we currently use to perform spam filtering.

In this model, obtaining a domain name from a registrar who fails to provide WHOIS service is going to result in a name that is less likely to be routable if failing to provide WHOIS service turns out to be a good predictor of being a malicious actor.

Isn’t this what the WHOIS critics are really trying to achieve in the first place?

Note that this is a scheme that provides a business model for a service that can be delivered today by any party who decides to set up the infrastructure. The only real flaw in the business model being that the barriers to entry are rather low and it is rather likely to become a commodity in a short space of time. Google currently offers an open Internet service and filters its search results using data from stopbadware. It would be entirely logical for them to start offering a DNS service filtered in the same manner.

Read part 1 one this post here.