[dns-operations] the real reason for ICANN's gTLD expansion seems to be...

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Dec 12 19:35:06 UTC 2017

> On Dec 12, 2017, at 8:11 AM, Phil Regnauld <regnauld at nsrc.org> wrote:
>> My $0.02, find some way to make initial domain acquisition be a
>> more costly, longer commitment (perhaps with fees for remaining
>> years transferable between registrars to avoid registrar lock-in).
> I may be naive, but this bugs me as much as people complaining
> that LetsEncrypt (including soon to be available wildcard certs)
> is somehow undermining the security of the Internet.
> If something is broken by design, say, SMTP authentication, or
> the whole idea of X.509 CAs, then complaining that more gTLDs
> or free TLS certs is making things worse is like saying that
> higher speed limits on the road make cars more dangerous (yeah,
> analogies suck).

Well, here we have apples and oranges.  Abuse of gTLDs by crooks is a
problem of economic externalities, and calls for an economic solution.
There's no reason to make domain ownership cheap for crooks who cycle
through (10s, 100s, ... of) thousands of domains.

I personally have no issues at all with LE issuing DV certificates to
all domains, trustworthy or otherwise.  TLS provides secure transport,
not an honest peer.  If some expect an honest peer, that's a problem
with misleading marketing, and the solution will require updated user
interfaces and training, that do not lull users into a false sense of

As for SMTP authentication (I assume you really mean message rather than
transport authentication), that's a difficult architectural issue. Email
delivery is asynchronous, and supports forwarding and redistribution via
lists, ...  And list users seem to really prize subject tags and footers
that break digital signatures.  No amount of message authentication tech
will stop scams so long as buying and dumping domains by the boatload is

Mind you, many receiving systems are taking matters into their own hands
and blocking a bunch of the new gTLDs wholesale.  If they also block
HTTP/HTTPS to those domains, or just configure their resolvers to block
resolution, we end up with a somewhat balkanized DNS, but at least some
economic consequences for gTLDs whose business model is primarily shady

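The last paragraph mentions resolvers configured to refuse resolution for whole gTLDs. As an added illustration (not from Viktor's message or the list), the Python below renders a BIND-style Response Policy Zone (RPZ) that answers NXDOMAIN for every name under a set of top-level domains, carves out an allow-listed exception with `rpz-passthru.`, and predicts locally what the resolver would do with a given query name. The zone name, nameserver, the blocked TLDs and the allow-listed domain are all constructed placeholders; only the RPZ record semantics (`CNAME .` for NXDOMAIN, `CNAME rpz-passthru.` for "answer normally", most specific rule wins) are BIND's.

```python
"""
Added example, not part of the original post: generate a BIND Response Policy
Zone (RPZ) that makes a resolver return NXDOMAIN for every name under a set of
top-level domains, plus a local predictor of the outcome for a query name.
Zone name, nameserver, blocked TLDs and allow-listed domains are placeholders.
"""

# Constructed placeholders; none of these are real TLDs or hosts.
ZONE = "rpz.example.invalid."
PRIMARY_NS = "ns1.example.invalid."
BLOCKED_TLDS = {"zzz-example", "yyy-example"}
# Exception: a domain (and everything below it) that must keep resolving even
# though its TLD is blocked.  RPZ expresses this with CNAME rpz-passthru.
ALLOWED_DOMAINS = {"trusted.zzz-example"}


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip surrounding space and the root dot."""
    return name.strip().lower().rstrip(".")


def _under(name: str, domain: str) -> bool:
    """True if `name` equals `domain` or is a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def policy_for(name: str,
               blocked=BLOCKED_TLDS,
               allowed=ALLOWED_DOMAINS) -> str:
    """Predict the RPZ outcome for one query name.

    Returns "PASSTHRU" for allow-listed names (the most specific matching
    rule wins in RPZ, so these beat the TLD wildcard), "NXDOMAIN" for names
    under a blocked TLD, and "NONE" when no rule applies.
    """
    n = normalize(name)
    if not n:
        return "NONE"
    if any(_under(n, normalize(a)) for a in allowed):
        return "PASSTHRU"
    tld = n.rsplit(".", 1)[-1]
    if tld in blocked:
        return "NXDOMAIN"
    return "NONE"


def rpz_zone(blocked=BLOCKED_TLDS,
             allowed=ALLOWED_DOMAINS,
             zone=ZONE,
             primary_ns=PRIMARY_NS,
             serial=1) -> str:
    """Render a complete RPZ zone file as text.

    Owner names are relative to the zone, so the record "zzz-example CNAME ."
    in this file matches queries for the real TLD zzz-example, and the
    wildcard record covers everything beneath it.
    """
    lines = [
        f"$ORIGIN {zone}",
        "$TTL 300",
        f"@ IN SOA {primary_ns} hostmaster.example.invalid. "
        f"{serial} 3600 600 86400 300",
        f"@ IN NS {primary_ns}",
    ]
    # Block the TLD apex and every name under it.
    for tld in sorted(blocked):
        lines.append(f"{tld} CNAME .")
        lines.append(f"*.{tld} CNAME .")
    # Exceptions: exact name plus its subtree resolve normally.
    for dom in sorted(allowed):
        dom = normalize(dom)
        lines.append(f"{dom} CNAME rpz-passthru.")
        lines.append(f"*.{dom} CNAME rpz-passthru.")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rpz_zone())
    for q in ("www.shop.zzz-example.", "mail.trusted.zzz-example",
              "www.example.org"):
        print(f"{q:32} -> {policy_for(q)}")
```

In BIND the generated file is loaded like any other zone and then referenced from `options { response-policy { zone "rpz.example.invalid"; }; };`. The allow-list records exist because wholesale TLD blocking is exactly the balkanization the post describes: keeping an exception path makes the collateral damage to legitimate names under a blocked TLD a deliberate, reviewable choice rather than an accident.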