[dns-operations] Please contribute data to OARC!
brunner at nic-naa.net
Sat Feb 6 15:29:50 UTC 2010
I suppose you'd like your question answered to the list on which you
During the summer of 2008 after the GNSO Fast Flux PDP Working Group
began I initiated a conference call with James Bladel (GoDaddy), Paul
Diaz (NetSol)and Kalman Feher (MIT).
At that time, what I will call the "retail security" advocates were
pushing requirements for all registrars (regardless of whether they
accepted credit card payments, highly corollated to zero cost resource
acquisition, or even sold CNO inventory, with a similar corollation
with exploit targets) to opperate 24x7 and perform take-downs on an
unqualified assertion by unknown third-parties.
I proposed to James, Paul and Kalman that we look at root causes for
FFHN, at rapid update, a subject I and others were concerned with when
it was first offered, in 2004, and at admission control. That is, the
c&c problem, and the bot inventory problem.
We agreed to a second call, inviting Chuck Gomes (VGRS) and Jeff
Neuman (NeuStar) and possibly someone from Afilias, I don't recall,
and in that call we discussed, without coming to a conclusion, rapid
update (mod in particular) and the flux ecologies.
Not too long after Mike O'Conner, who chaired the WG, and I both ended
our involvement in the WG. Mike's comments are in the public record
and I suspect mine are as well. I deleted my list and side-bar email
The decision to form an "Registry Internet Security Group" (RSIG) was
one I was not a party to, and opposed its form -- a mix of some
registries, uncommitted to ending add and mod operation temporal
equivalence, and unrelated (to registry operations) third-parties
dependent upon the ongoing absence of admission control.
That exhausts my first hand knowledge in the RSIG to which you've
expressed an interest. If you think the RSIG has solved either of
those two problems -- temporal equivalency of add and mod, or lack of
admission control, removing one c&c mechanism and reducing the value
of bot inventories, please let me know. For me, the trust anchor
problem, both static and temporal, on the zone delegation side, and on
the BGP side, has been a conceptual tool. You mileage may vary.
I'm sure there is a marketing value to it, if only from the
requirement stated by the NYC DoITT in November 2009, upon guidance
from the vendor selected through the May 2009 RFI process, which is a
founder of that organization.
I've no idea why CORE was not invited to form the RSIG in the Fall of
I suppose there are two fundamental approaches to a problem and its
associated management institution: either limit the institutional
members to those who have the problem, as the experience of those not
affected by the problem can't be useful in responding to the symptoms
of the root cause, or include within the institutional members those
who do not have the problem, as the experience of those not affected
by the problem may be illuminating as to the root causes of the problem.
Anyway, we don't offer rapid update, and a recent suggestion that we
do so for a TLD zone with a retail price point several multiples of
the CNO price point, so that "rapid takedown" is possible, strikes me
as slightly absurd. I just don't see the fundamental business
justification for rapid update, once the load balance and other bits
of intentional temporal and spatial incoherence have been addressed.
I'm grateful you didn't argue for the necessity of registry operators
joining the APWG. I have conversations with Rod at ICANN (or on planes
to or from ICANN) and APWG has more than adequate access to ICANN
meeting time. However, that doesn't mean APWG provides tools or
methods that are fundamental to the protection of registry operations,
which is my small personal concern as CTO of a registry operator,
however incompetently conducted.
On 2/5/10 6:18 PM, Jay Daley wrote:
> On 6/02/2010, at 7:50 AM, Eric Brunner-Williams wrote:
>> In its 3rd addenda to its Request for Proposals to Obtain. Operate. Manage. Administer. Maintain and Market the Geographic Top Level Domain .nyc, the DoITT stated:
>> Contractor shall maintain an active membership in RISG (Registry Internet Security Group) registrysafety.org OARC (DNS Operations, Analysis& Research Center) dns-oarc.org APWG (Ami Phishing Working Group) apwg.org
>> Passing on the marginal utility of the first and third requirement,
> Do you say that from a position of first hand knowledge? I work extensively in RISG and I don't recall your involvement. This is not the forum for me to go into the purpose of RISG and why it is both important and effective - but I will say that each group makes it own unique contribution and should be respected for that unless you have a good evidential reason for saying otherwise.
More information about the dns-operations