[dns-operations] Please contribute data to OARC!

Eric Brunner-Williams brunner at nic-naa.net
Sat Feb 6 15:29:50 UTC 2010


I suppose you'd like your question answered to the list on which you 
asked it.

During the summer of 2008 after the GNSO Fast Flux PDP Working Group 
began I initiated a conference call with James Bladel (GoDaddy), Paul 
Diaz (NetSol)and Kalman Feher (MIT).

At that time, what I will call the "retail security" advocates were 
pushing requirements for all registrars (regardless of whether they 
accepted credit card payments, highly corollated to zero cost resource 
acquisition, or even sold CNO inventory, with a similar corollation 
with exploit targets) to opperate 24x7 and perform take-downs on an 
unqualified assertion by unknown third-parties.

I proposed to James, Paul and Kalman that we look at root causes for 
FFHN, at rapid update, a subject I and others were concerned with when 
it was first offered, in 2004, and at admission control. That is, the 
c&c problem, and the bot inventory problem.

We agreed to a second call, inviting Chuck Gomes (VGRS) and Jeff 
Neuman (NeuStar) and possibly someone from Afilias, I don't recall, 
and in that call we discussed, without coming to a conclusion, rapid 
update (mod in particular) and the flux ecologies.

Not too long after Mike O'Conner, who chaired the WG, and I both ended 
our involvement in the WG. Mike's comments are in the public record 
and I suspect mine are as well. I deleted my list and side-bar email 

The decision to form an "Registry Internet Security Group" (RSIG) was 
one I was not a party to, and opposed its form -- a mix of some 
registries, uncommitted to ending add and mod operation temporal 
equivalence, and unrelated (to registry operations) third-parties 
dependent upon the ongoing absence of admission control.

That exhausts my first hand knowledge in the RSIG to which you've 
expressed an interest. If you think the RSIG has solved either of 
those two problems -- temporal equivalency of add and mod, or lack of 
admission control, removing one c&c mechanism and reducing the value 
of bot inventories, please let me know. For me, the trust anchor 
problem, both static and temporal, on the zone delegation side, and on 
the BGP side, has been a conceptual tool. You mileage may vary.

I'm sure there is a marketing value to it, if only from the 
requirement stated by the NYC DoITT in November 2009, upon guidance 
from the vendor selected through the May 2009 RFI process, which is a 
founder of that organization.

I've no idea why CORE was not invited to form the RSIG in the Fall of 

I suppose there are two fundamental approaches to a problem and its 
associated management institution: either limit the institutional 
members to those who have the problem, as the experience of those not 
affected by the problem can't be useful in responding to the symptoms 
of the root cause, or include within the institutional members those 
who do not have the problem, as the experience of those not affected 
by the problem may be illuminating as to the root causes of the problem.

Anyway, we don't offer rapid update, and a recent suggestion that we 
do so for a TLD zone with a retail price point several multiples of 
the CNO price point, so that "rapid takedown" is possible, strikes me 
as slightly absurd. I just don't see the fundamental business 
justification for rapid update, once the load balance and other bits 
of intentional temporal and spatial incoherence have been addressed.

I'm grateful you didn't argue for the necessity of registry operators 
joining the APWG. I have conversations with Rod at ICANN (or on planes 
to or from ICANN) and APWG has more than adequate access to ICANN 
meeting time. However, that doesn't mean APWG provides tools or 
methods that are fundamental to the protection of registry operations, 
which is my small personal concern as CTO of a registry operator, 
however incompetently conducted.


On 2/5/10 6:18 PM, Jay Daley wrote:
> On 6/02/2010, at 7:50 AM, Eric Brunner-Williams wrote:
>> In its 3rd addenda to its Request for Proposals to Obtain. Operate. Manage. Administer. Maintain and Market the Geographic Top Level Domain .nyc, the DoITT stated:
>> Contractor shall maintain an active membership in RISG (Registry Internet Security Group) registrysafety.org OARC (DNS Operations, Analysis&  Research Center) dns-oarc.org APWG (Ami Phishing Working Group) apwg.org
>> Passing on the marginal utility of the first and third requirement,
> Do you say that from a position of first hand knowledge?  I work extensively in RISG and I don't recall your involvement.  This is not the forum for me to go into the purpose of RISG and why it is both important and effective - but I will say that each group makes it own unique contribution and should be respected for that unless you have a good evidential reason for saying otherwise.
> Jay

More information about the dns-operations mailing list