
How to Fix WHOIS - Part 2

Phillip Hallam-Baker

The key to fixing any part of the Internet infrastructure is to understand the business cases for the parties whose behavior you want to influence and design the technology accordingly. People who follow this approach (Sir Tim Berners-Lee and the World Wide Web) have a chance of succeeding. People who ignore it (DNSSEC, IPv6) will fail.

The root problem here is that the ICANN DNS does not differentiate between the parts of the Internet that are accountable and those that are not. And this is not an objective distinction and thus not a distinction that anyone should want ICANN or the registries to be involved in. Reforming WHOIS is simply a means to an end of establishing accountability, so let's focus on establishing accountability and cut to the chase.

Let us say I am a typical Internet user. Do I wish to connect up to every Internet domain whose owners pony up the registration fee or just the ones that are not likely to attempt to cause me harm?

People pay good money to be protected from the people who might try to cause harm. They pay for anti-virus 'solutions' and spam filters. The idea of a DNS service that filters out the malicious actors should not be objectionable. And even if it was, the end user has the right to make their own choice on the matter. This is the key: having the government (or Focus on the Family or ICANN) decide who I can connect to without my permission is censorship. Choosing someone to filter out the bad actors for me is personal security.

But, but, but, isn't that going to fracture the DNS root?

Not really. There are two types of fracture possible. The type of fracture that could be very damaging is the one where a domain name resolves to a different entity depending on where the question is asked. That creates ambiguity and a loss of accountability. There are scenarios in which such a fracture could occur in theory, but the consequences of such a fracture are sufficiently catastrophic to provide a deterrent.

The second type of fracture, one where a name may resolve in some circumstances but not others, is not necessarily catastrophic. In fact, in the context of the SCADA control systems on which I currently work, it is positively desirable to establish a default-deny condition in which the only sites a controller can access are the ones that the administration has determined there is a good reason to grant access to.

I predict that over the next few years we are going to see increasing interest in this model of protection. It is relatively straightforward to deploy (just point the DNS server at the appropriate static IP address). We can add in a lightweight cryptographic authentication mechanism by extending TSIG. What matters to me in my enterprise is not that a network endpoint receives DNS records that ICANN trusts. All I care about is that it receives the DNS records that meet my trust criteria.

I may manage those trust criteria myself or choose an outsource provider.

Now let us imagine that people decide to do DNS security my way. How does the outsource trust manager evaluate sites? What information do they have available? What should they use?

The answer to the second question is going to depend on the application. For my industrial control systems I probably want to restrict the set of reachable nodes to ones that have EV certificates and accreditations for SCADA relevance. But for general web browsing we are likely to use a much looser set of criteria that uses feedback and heuristics, the same type of model we currently use to perform spam filtering.

In this model, obtaining a domain name from a registrar who fails to provide WHOIS service is going to result in a name that is less likely to be routable if failing to provide WHOIS service turns out to be a good predictor of being a malicious actor.

Isn't this what the WHOIS critics are really trying to achieve in the first place?
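The filtering model described above, sketched as an added example that is not code from the original post: a policy layer that either passes the upstream DNS answer through untouched or suppresses it, with a default-deny SCADA profile and a looser scored browsing profile. The domain names, signal fields, weights and threshold are all constructed assumptions.

```python
# Added example: policy layer for a filtering DNS resolver (constructed data).
from dataclasses import dataclass

@dataclass(frozen=True)
class DomainFacts:
    """Signals a trust manager might hold for one domain (hypothetical fields)."""
    ev_cert: bool = False
    scada_accredited: bool = False
    whois_available: bool = True
    abuse_reports: int = 0

# Constructed sample data; all names use the reserved .example TLD.
FACTS = {
    "vendor-updates.example": DomainFacts(ev_cert=True, scada_accredited=True),
    "news.example": DomainFacts(),
    "cheap-pills.example": DomainFacts(whois_available=False, abuse_reports=7),
    "quiet-blog.example": DomainFacts(whois_available=False),
}

def registered_domain(qname: str) -> str:
    """Normalise a query name and keep its last two labels (a simplification;
    a production resolver would consult the Public Suffix List)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def scada_policy(facts) -> bool:
    # Default-deny: unknown names, or names missing either credential, fail.
    return facts is not None and facts.ev_cert and facts.scada_accredited

def browsing_policy(facts, threshold: int = 3) -> bool:
    # Spam-filter style scoring: unknown names pass, and missing WHOIS is
    # one weighted signal (assumed weight 2) rather than an outright block.
    if facts is None:
        return True
    score = facts.abuse_reports + (0 if facts.whois_available else 2)
    return score < threshold

POLICIES = {"scada": scada_policy, "browsing": browsing_policy}

def filter_answer(qname: str, upstream_answer: str, profile: str):
    """Return the upstream answer unchanged, or None (serve as NXDOMAIN).
    The filter never substitutes a different address, so a name cannot
    resolve to a different entity depending on where the question is asked."""
    facts = FACTS.get(registered_domain(qname))
    return upstream_answer if POLICIES[profile](facts) else None
```

Because `filter_answer` can only withhold an answer, it produces the second, benign kind of fracture and never the first.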

Note that this is a scheme that provides a business model for a service that can be delivered today by any party who decides to set up the infrastructure. The only real flaw in the business model is that the barriers to entry are rather low and it is rather likely to become a commodity in a short space of time. Google currently offers an open Internet service and filters its search results using data from StopBadware. It would be entirely logical for them to start offering a DNS service filtered in the same manner.

Read part 1 of this post here.

By Phillip Hallam-Baker, Consultant, Author, Speaker.
