Isn’t security as important to discuss as .XSS?

The DNS has become an abuse infrastructure, it is no longer just a functional infrastructure. It is not being used by malware, phishing and other Bad Things [TM], it facilitates them.

Operational needs require the policy and governance folks to start taking notice.

It’s high time security got where it needs to be on the agenda, not just because it is important to consider security, but rather because lack of security controls made it a necessity.

In discussion of my latest post, some folks on NANOG raised interesting ideas, such as:

(these are displayed as I understood them)
1. Terminating domains found to be registered with stolen credit cards (raised by Chris Morrow)
2. Introducing a delay to registration (Douglas Otis)
3. Reviewing legacy engineering decisions (David Conrad)
4. A show of responsibility by Registries and Registrars to take care of bad domains (Paul Vixie)
5. Public shaming should be considered (Paul Vixie)
6. Closing the vulnerability with DNS should not be ignored just because bad guys will find something else to exploit (Hank Nussbacher)
7. Check out http://www.icann.org/participate/ (John Crain)

As well as other ideas and contributors. I won’t push my own here, there’s enough already up there to keep us busy for a while.

Whether these ideas are good remains to be seen, the fact is that we now discuss the issues.

Some other conclusions were that the domain registration system and process are a significant part of the current on-going abuse of the DNS infrastructure.

So, as important as the XXX TLD is, security should get as much attention, if not more.

It’s about the current policy which allows black hat registrars to exist (rather than controlling good ones - lower hanging fruit first?), as well as about the policy of registration and termination of domain names. It is about old policy no longer fitting today’s threats, and, to a limited fashion, technology which needs to be revamped.

Here is one of the latest emails in the NANOG thread, by me in reply to David Conrad. Things start to make sense now that flames and personal attacks have died down.

This email message is about ICANN’s role, if it is to have one, as well as about practical suggestions:

Date: Mon, 2 Apr 2007 21:02:46 -0500 (CDT)
From: Gadi Evron

To: David Conrad

Cc: [email protected]
Subject: ICANNs role [was: Re: On-going ...]

On Mon, 2 Apr 2007, David Conrad wrote:
> On Apr 1, 2007, at 8:45 AM, Gadi Evron wrote:
> > On Sun, 1 Apr 2007, David Conrad wrote:
> >> On Mar 31, 2007, at 8:44 PM, Gadi Evron wrote:
> >> I’m not clear what “this realm” actually is.
> > Abuse and Security (non infrastructure).
>
> Well, ICANN is supposed to look after the “security and stability” of
> the Internet, which is sufficiently vague and ambiguous to cover
> pretty much anything. I was actually looking for something a bit
> more concrete.

So you are the guys asleep at the guard post? :)

> The one concrete suggestion I’ve seen is to induce a delay in zone
> creation and publish a list of newly created names within the zone.
> The problem with this is that is sort of assumes:

What are your thoughts on basic suggestions such as:
1. Allowing registrars to terminate domains based on abuse, rather than just fake contact details.
2. Following these incidents as they happen so that YOU, in charge, can make these suggestion?
3. For true emergencies threatening the survivability of the system, shoudln’t we be able to black-list a domain in the core?
4. Black lists for providers are not perfect, but perhaps they could help protect users significantly?
5. Enforcing that registrars act in say, not a whitehat fashion, but a not blackhat fashion?
6. Yours here?

I can go to extremes in my suggestions, non are new:
1. Rather than terminate on fake details - verify details before a domain is registered. Not just the credit card, either.
2. Domains are a commodity, ICANN should know, what of putting them under a wider license on abuse and termination or suspension?

The whole system is almost completely unregulated, and this is money you take care of that we speak of here.

You have a long way to go before claiming to take care of the Internet. Please take that route if you believe you can. The Internet needs your help.

How about some funding for research projects? Getting involved and perhaps funding Incident response on a global scale?

Why does this have to be in the hands of volunteers, such as myself and hundreds of others?

Why does Internet security have to be in the hands of those with “good will” rather than those who are supposed to take care of it?

How about adding security to the main agenda along-side with the .xxx TLD?

I have no problem with ICANN, but there is a long way to go before you can claim to protect the Internet, infrastructure, users, or what’s in the middle. I’d encourage ICANN to take that road, much like I would encourage any person or organization that wants to help.

You were not here before when we needed you, so organizations like FIRST, the ISOTF and many good-will based groups were created. You are here now, how do we proceed?

What is ICANNs next step? I will support it, so will others. It’s not about politics as much as it is about who DOES. Maybe you just need to work with the community rather than claim to run it when you don’t really do anything in security quite yet.

> a) the registries all work on similar timescales
> b) that timescale is on the order of a day
> c) ICANN has a mechanism to induce the registries to make changes to
> those timescales
> d) making changes along these lines would be what end users actually
> want.
>
> Of these options:
>
> - (a) isn’t true (by observation)
> - (b) is currently true for com/net, but I don’t expect that to last
>—I’ve heard there is a lot of competitive pressure on the
> registries to be faster in doing zone modifications
> - (c) I don’t think is true now for even those TLDs ICANN has a
> contractual relationship with and is highly unlikely to ever be true
> for the vast majority of TLDs
> - (d) probably isn’t true, given lots of people complain about how
> long it takes to get zone changes done now and I believe registries
> are working to reduce the amount of time significantly due to
> customer demand.
>
> Even if a delay were imposed, I’m not sure I see how this would
> actually help as I would assume it would require folks to actually
> look at the list of newly created domains and discriminate between
> the ones that were created for good and the ones created for ill.
> How would one do this?

Well, if a domain was registered last month, last week, or 2 hours ago, and is used to send spam, host a phishing site or changes name servers that support phishing sites ALONE (nothing legit) in the thousands, or support the sending of billions of email messages burdening messaging across the board, I’d call it bad.

Who “one” is, now that is something to work out. We need help setting the system in place with guidelines and policies so that the one or other can start reporting and getting results.

Is ICANN willing to help?

> -drc

  Gadi.

>
> P.S. I should point out that IANA has only glancing interaction with
> the registry/registrar world, so I’m working from a large amount of
> ignorance here. Fortunately, being ignorant rarely stops me… :-)

Where do we go from here? If we do proceed, what legitimate business concerns stand to lose money? (or not earn as much?)