Home / Blogs

How to Fix WHOIS - Part 2

Phillip Hallam-Baker

The key to fixing any part of the Internet infrastructure is to understand the business cases for the parties whose behavior you want to influence and design the technology accordingly. People who follow this approach (Sir Tim Berners-Lee and the World Wide Web) have a chance of succeeding. People who ignore it (DNSSEC, IPv6) will fail.

The root problem here is that the ICANN DNS does not differentiate between the parts of the Internet that are accountable and those that are not. And this is not an objective distinction and thus not a distinction that anyone should want ICANN or the registries to be involved in. Reforming WHOIS is simply a means to an end of establishing accountability, so lets focus on establishing accountability and cut to the chase.

Let us say I am a typical Internet user. Do I wish to connect up to every Internet domain whose owners pony up the registration fee or just the ones that are not likely to attempt to cause me harm?

People pay good money to be protected from the people who might try to cause harm. They pay for anti-virus 'solutions' and spam filters. The idea of a DNS service that filters out the malicious actors should not be objectionable. And even if it was, the end user has the right to make their own choice on the matter. This is the key, having the government (or focus on the family or ICANN) decide who I can connect to without my permission is censorship. Choosing someone to filter out the bad actors for me is personal security.

But, but, but, isn't that going to fracture the DNS root?

Not really, there are two types of fracture possible. The type of fracture that could be very damaging is the one where a domain name resolves to a different entity depending on where the question is asked. That creates ambiguity and a loss of accountability. There are scenarios in which such a fracture could occur in theory, but the consequences of such a fracture are sufficiently catastrophic to provide a deterrent.

The second type of fracture, one where a name may resolve in some circumstances but not others is not necessarily catastrophic. In fact in the context of the SCADA control systems on which I currently work it is positively desirable to establish a default-deny condition in which the only sites a controller can access are the ones that the administration has determined there is a good reason to grant access to.

I predict that over the next few years we are going to see increasing interest in this model of protection. It is relatively straightforward to deploy (just point the DNS server at the appropriate static IP address). We can add in a lightweight cryptographic authentication mechanism by extending TSIG. What matters to me in my enterprise is not that a network endpoint receives DNS records that ICANN trusts, all I care about is that it receives the DNS records that meet my trust criteria.

I may manage those trust criteria myself or choose an outsource provider.

Now let us imagine that people decide to do DNS security my way. How does the outsource trust manager evaluate sites? What information do they have available? What should they use?

The answer to the second question is going to depend on the application. For my industrial control systems I probably want to restrict the set of reachable nodes to ones that have EV certificates and accreditations for SCADA relevance. But for general web browsing we are likely to use a much looser set of criteria that uses feedback and heuristics. The same type of model we currently use to perform spam filtering.

In this model, obtaining a domain name from a registrar who fails to provide WHOIS service is going to result in a name that is less likely to be routable if failing to provide WHOIS service turns out to be a good predictor of being a malicious actor.

Isn't this what the WHOIS critics are really trying to achieve in the first place?

Note that this is a scheme that provides a business model for a service that can be delivered today by any party who decides to set up the infrastructure. The only real flaw in the business model being that the barriers to entry are rather low and it is rather likely to become a commodity in a short space of time. Google currently offers an open Internet service and filters its search results using data from stopbadware. It would be entirely logical for them to start offering a DNS service filtered in the same manner.

Read part 1 one this post here.

By Phillip Hallam-Baker, Consultant, Author, Speaker. More blog posts from Phillip Hallam-Baker can also be read here.

Related topics: DNS, ICANN, Internet Governance, Whois

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

ICANN Los Angeles Recap Webinar

3 Questions to Ask Your DNS Host About DDoS

Introducing Our Special Edition Managed DNS Service for Top-Level Domain Operators

Afilias Director Wins ICANN's 2014 Leadership Award

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Auctions Update: MMX Wins .law and .vip

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

DotConnectAfrica Contributes at the 9th IGF in Istanbul, Turkey

Nominum Announces Future Ready DNS

DotConnectAfrica Trust Responds to ICANN 50 GAC Advice, Updates on .Africa Application IRP Status

ICANN London Recap Webinar

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

Sophia Bekele Weighs in on Obama's August US-Africa Leader Summit at the NYF Africa

Victorian Government & ARI Agree to Long-Term .melbourne Partnership

Dyn Acquires Internet Intelligence Company, Renesys

DotConnectAfrica's Expert Selected to Attend the Hague Institute of Global Justice

DotConnectAfrica Delegates Attend the KHRC Internet & Human Rights Breakfast Roundtable in Nairobi

Introducing getdns: a Modern, Extensible, Open Source API for the DNS

Why We Decided to Stop Offering Free Accounts

Sponsored Topics

Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines
dotMobi

Mobile

Sponsored by
dotMobi
Afilias

DNS Security

Sponsored by
Afilias
Verisign

Security

Sponsored by
Verisign