How to Fix WHOIS - Part 2

Phillip Hallam-Baker

The key to fixing any part of the Internet infrastructure is to understand the business cases for the parties whose behavior you want to influence and design the technology accordingly. People who follow this approach (Sir Tim Berners-Lee and the World Wide Web) have a chance of succeeding. People who ignore it (DNSSEC, IPv6) will fail.

The root problem here is that the ICANN DNS does not differentiate between the parts of the Internet that are accountable and those that are not. And this is not an objective distinction and thus not a distinction that anyone should want ICANN or the registries to be involved in. Reforming WHOIS is simply a means to an end of establishing accountability, so let's focus on establishing accountability and cut to the chase.

Let us say I am a typical Internet user. Do I wish to connect up to every Internet domain whose owners pony up the registration fee or just the ones that are not likely to attempt to cause me harm?

People pay good money to be protected from the people who might try to cause harm. They pay for anti-virus 'solutions' and spam filters. The idea of a DNS service that filters out the malicious actors should not be objectionable. And even if it were, the end user has the right to make their own choice on the matter. This is the key: having the government (or Focus on the Family, or ICANN) decide who I can connect to without my permission is censorship. Choosing someone to filter out the bad actors for me is personal security.

But, but, but, isn't that going to fracture the DNS root?

Not really. There are two types of fracture possible. The type of fracture that could be very damaging is the one where a domain name resolves to a different entity depending on where the question is asked. That creates ambiguity and a loss of accountability. There are scenarios in which such a fracture could occur in theory, but the consequences of such a fracture are sufficiently catastrophic to provide a deterrent.

The second type of fracture, one where a name may resolve in some circumstances but not others, is not necessarily catastrophic. In fact, in the context of the SCADA control systems on which I currently work, it is positively desirable to establish a default-deny condition in which the only sites a controller can access are the ones that the administration has determined there is a good reason to grant access to.

I predict that over the next few years we are going to see increasing interest in this model of protection. It is relatively straightforward to deploy (just point the DNS server at the appropriate static IP address). We can add in a lightweight cryptographic authentication mechanism by extending TSIG. What matters to me in my enterprise is not that a network endpoint receives DNS records that ICANN trusts. All I care about is that it receives the DNS records that meet my trust criteria.

I may manage those trust criteria myself or choose an outsource provider.
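The default-deny condition described above, sketched as the decision a filtering DNS service makes for each query. This is an added example, not code from the author; the zone names are hypothetical, and answering denied names with RCODE REFUSED is an assumption, since the post does not say how a denial is signalled.

```python
import struct

# Hypothetical policy: zones the administrator has approved for one controller.
ALLOWED_ZONES = {"historian.plant.example", "ntp.example.net"}
REFUSED = 5  # DNS RCODE 5, "Refused" (RFC 1035)

def build_query(name, qid=1):
    """Constructed sample input: a standard A/IN query with RD set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(packet, offset=12):
    """Read the question name that follows the 12-byte DNS header."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated question")
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length > 63 or offset + 1 + length > len(packet):
            raise ValueError("bad label")  # also rejects compression pointers
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii").lower())
        offset += 1 + length

def is_allowed(name, zones=ALLOWED_ZONES):
    """Default deny: permit only a listed zone or a name beneath one."""
    name = name.rstrip(".").lower()
    # Match on a label boundary so "evilntp.example.net" does not pass.
    return any(name == z or name.endswith("." + z) for z in zones)

def filter_query(packet):
    """Return None to forward upstream, or a REFUSED response to send back."""
    name, end = parse_qname(packet)      # malformed input raises ValueError
    end += 4                             # skip QTYPE and QCLASS
    if end > len(packet):
        raise ValueError("truncated question")
    if is_allowed(name):
        return None
    qid, flags = struct.unpack("!HH", packet[:4])
    # QR=1, keep the query's opcode and RD bit, set RCODE=REFUSED.
    rflags = 0x8000 | (flags & 0x7900) | REFUSED
    return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + packet[12:end]
```

A caller should drop any packet for which `filter_query` raises `ValueError`, so that malformed queries are denied rather than forwarded.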

Now let us imagine that people decide to do DNS security my way. How does the outsource trust manager evaluate sites? What information do they have available? What should they use?

The answer to the second question is going to depend on the application. For my industrial control systems I probably want to restrict the set of reachable nodes to ones that have EV certificates and accreditations for SCADA relevance. But for general web browsing we are likely to use a much looser set of criteria that uses feedback and heuristics, the same type of model we currently use to perform spam filtering.

In this model, obtaining a domain name from a registrar who fails to provide WHOIS service is going to result in a name that is less likely to be routable if failing to provide WHOIS service turns out to be a good predictor of being a malicious actor.

Isn't this what the WHOIS critics are really trying to achieve in the first place?

Note that this is a scheme that provides a business model for a service that can be delivered today by any party who decides to set up the infrastructure. The only real flaw in the business model is that the barriers to entry are rather low and it is rather likely to become a commodity in a short space of time. Google currently offers an open Internet service and filters its search results using data from stopbadware. It would be entirely logical for them to start offering a DNS service filtered in the same manner.

Read part 1 of this post here.

By Phillip Hallam-Baker, Consultant, Author, Speaker. More blog posts from Phillip Hallam-Baker can also be read here.

Related topics: DNS, ICANN, Internet Governance, Whois
