[dns-operations] Another whitepaper on DDOS

Andrew Sullivan ajs at anvilwalrusden.com
Fri Feb 22 20:08:49 UTC 2013

On Fri, Feb 22, 2013 at 07:42:17PM +0000, Vernon Schryver wrote:
> > From: Lutz Donnerhacke <lutz at iks-jena.de>
> > But the erroneous transfer of ebay.de would create a disaster with DANE.
> In what way would DANE make the theft of a domain worse?

On top of all the excellent points Vernon makes about how DANE is no
worse, DANE gives you a couple mechanisms to make detection slightly
easier.  An erroneous registrar or registrant transfer of the
domain name is reflected in the WHOIS (or, let's hope, the eventual
output of WEIRDS), so it's possible to see that the sponsorship of the
name has changed.  If it's merely all the name servers that have
changed, that too might be useful evidence that something is up.  None
of this is perfect, but it is surely more evidence that can be taken
into account.  And there's the obvious benefit that with DANE, you're
not stuck depending on every self-asserting trust vehicle that manages
to convince the browser vendors to put in an anchor.

I note that none of these mechanisms are built today, of course, but
there's no reason reputation systems couldn't develop based on DANE
along these lines, particularly if we get something like WEIRDS that
would allow profiling of some classes of behaviour without disclosing
all the PII that WHOIS does today.


Andrew Sullivan
ajs at anvilwalrusden.com
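The detection idea sketched in the message above (sponsorship visible in WHOIS, the NS set, and the DANE material as evidence that a name has moved) as a worked example. This is added code, not part of the original post or of any registrar, registry or DANE implementation. The domain example.de, the registrar names, the certificate bytes and the grading rules are all constructed for the example; only the TLSA record layout (usage, selector, matching type, association data, RFC 6698) is real.

```python
"""Domain-transfer evidence checker (added example, constructed data).

Diffs two snapshots of a domain (sponsoring registrar as seen in WHOIS or
WEIRDS, NS set, DS set, TLSA records) and grades how strongly the change
looks like an erroneous or hostile transfer.  The grading thresholds are
this example's own heuristic, not anything from the thread.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    registrar: str          # sponsoring registrar from WHOIS/WEIRDS
    nameservers: frozenset  # NS RRset delegated by the parent zone
    ds: frozenset           # DS records, presentation format
    tlsa: frozenset         # TLSA records for _443._tcp, presentation format


def parse_tlsa(rr):
    """'usage selector mtype hexdata' -> (usage, selector, mtype, bytes)."""
    usage, selector, mtype, data = rr.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))


def tlsa_matches_cert(rr, cert_der):
    """Check a DANE-EE (usage 3), full-certificate (selector 0) record
    against a DER certificate.  Matching type 0 is the raw cert, 1 SHA-256,
    2 SHA-512 (RFC 6698).  Other usage/selector pairs need the chain or the
    SPKI, which this example does not model, so it returns None for them."""
    usage, selector, mtype, data = parse_tlsa(rr)
    if usage != 3 or selector != 0:
        return None
    if mtype == 0:
        return data == cert_der
    if mtype == 1:
        return data == hashlib.sha256(cert_der).digest()
    if mtype == 2:
        return data == hashlib.sha512(cert_der).digest()
    raise ValueError("unknown TLSA matching type %d" % mtype)


def diff_snapshots(before, after):
    """Return a list of (code, detail) findings describing what changed."""
    findings = []
    if before.registrar != after.registrar:
        findings.append(("registrar", "%s -> %s" % (before.registrar, after.registrar)))
    gone = before.nameservers - after.nameservers
    new = after.nameservers - before.nameservers
    if gone == before.nameservers and new:
        findings.append(("ns_replaced", "all of %s -> %s" % (sorted(gone), sorted(new))))
    elif gone or new:
        findings.append(("ns_partial", "-%s +%s" % (sorted(gone), sorted(new))))
    if before.ds != after.ds:
        findings.append(("ds", "DS set changed"))
    if before.tlsa != after.tlsa:
        findings.append(("tlsa", "TLSA set changed"))
    return findings


def grade(findings):
    """'transfer' if sponsorship moved (the WHOIS-visible signal);
    'suspicious' if the whole delegation moved together with the DNSSEC or
    DANE material; 'changed' for routine-looking edits; 'clean' otherwise."""
    codes = {code for code, _ in findings}
    if "registrar" in codes:
        return "transfer"
    if "ns_replaced" in codes and codes & {"ds", "tlsa"}:
        return "suspicious"
    return "changed" if codes else "clean"


# Constructed sample data: a made-up certificate and three snapshots of
# the hypothetical domain example.de.
CERT_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
GOOD_TLSA = "3 0 1 " + hashlib.sha256(CERT_DER).hexdigest()
ROGUE_TLSA = "3 0 1 " + hashlib.sha256(b"attacker cert").hexdigest()

BASELINE = Snapshot("Registrar A", frozenset({"ns1.example.de.", "ns2.example.de."}),
                    frozenset({"12345 13 2 abcd"}), frozenset({GOOD_TLSA}))
# Sponsorship moved to another registrar: visible in WHOIS regardless of DNS.
TRANSFERRED = Snapshot("Registrar B", frozenset({"ns1.attacker.example.", "ns2.attacker.example."}),
                       frozenset({"54321 13 2 ef01"}), frozenset({ROGUE_TLSA}))
# Same registrar, but the whole delegation and the TLSA record were swapped.
REDELEGATED = Snapshot("Registrar A", frozenset({"ns1.attacker.example.", "ns2.attacker.example."}),
                       BASELINE.ds, frozenset({ROGUE_TLSA}))

if __name__ == "__main__":
    for name, snap in (("transferred", TRANSFERRED), ("redelegated", REDELEGATED)):
        findings = diff_snapshots(BASELINE, snap)
        print(name, grade(findings), findings)
    print("baseline TLSA matches our cert:", tlsa_matches_cert(GOOD_TLSA, CERT_DER))
```

In practice the snapshots would be filled from periodic WHOIS/WEIRDS lookups and DNS queries of the parent zone; the point of keeping DS and TLSA in the comparison is that a hijacker who controls the delegation can publish new DANE records, so the TLSA change only means something when read alongside the registrar and NS evidence.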

