Latest news of the domain name industry

Recent Posts

Vixie takes on ISC chief scientist role

Kevin Murphy, January 7, 2011, Domain Tech

Internet Systems Consortium president Paul Vixie plans to address a “perfect storm” of internet addressing “crises” by becoming the organization’s chairman and chief scientist.

Vixie founded the not-for-profit ISC, which provides BIND – the software that runs most of the domain name system – in 1994. He will be replaced as president by Barry Greene.

Not known for mincing words, Vixie said in brief ISC statement today:

There are two huge technical crises arising simultaneously. The Internet is running out of address space and at the same time the level of criminal activity is increasing sharply. It’s the perfect storm. We need to deploy IPv6 and DNSSEC more or less simultaneously, and we need to develop and deploy, quickly, new technologies and new methodologies to measure and understand what is happening out there. I need to turn my full attention to these pressing and difficult problems, and I know that ISC will be in good hands with Barry as president.

Vixie declares war on domain name crooks

Kevin Murphy, July 30, 2010, Domain Tech

Bad news for domain name speculators?

Paul Vixie of the Internet Systems Consortium has plans to bring the equivalent of an anti-spam blacklist to the DNS itself.

The Response Policy Zones spec, drafted by Vixie and Vernon Schryver of Rhyolite, is designed to allow ISPs, for example, to block domains based on standardized reputation data.

In this blog post, Vixie writes that the next version of BIND will include the technology. ISC has also made patches available for those who want to test RPZ now.

This kind of technology has been available for mail servers for years, and can be found to an extent in desktop software and search engines, but RPZ would bake it into the DNS itself.

For users behind a recursive name server implementing RPZ, domains with bad reputations would either not resolve or would be redirected elsewhere.

It would not, however, provide a mechanism to wildcard non-existent domain data and bounce surfers to search/advertising pages. Many ISPs already do that anyway.

If you speculate at all in domain names, the opening paragraphs are probably the most interesting part of the post (my emphasis):

Most new domain names are malicious.

I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators.

I’m sure there’s a fair few law-abiding speculators reading this who won’t be happy being lumped in with criminals and spammers.

Luckily for them, Vixie said that the ISC will limit itself to providing the technology and the specification; it will not act as a reputation service provider.

The ISC is the Microsoft of the DNS, BIND its Windows, so we could expect a fairly broad level of adoption when the technology becomes available.

Vixie’s post, also published at CircleID, is well worth a read. If anything, it certainly goes a way to cement Vixie’s reputation as the grumpy old man of the DNS.

Politics at play in DNS CERT debate

Kevin Murphy, April 12, 2010, Domain Policy

ICANN chief Rod Beckstrom may have shot himself in the foot when he claimed at the Nairobi meeting that the domain name system is “under attack” and “could stop at any given point in time”.

Beckstrom wants ICANN to create a new CERT, Computer Emergency Response Team, to coordinate DNS security, but he’s now seeing objections from country-code domain managers, apparently connected to his remarks last month.

Chris Disspain of auDA, Australia’s .au registry, has just filed comments on behalf of the ccNSO council, which he chairs, saying it’s not clear whether there’s any need for a DNS CERT, and that ICANN is moving too fast to create one.

It’s pretty clear from the ccNSO statement that Hot Rod’s fairly blunt remarks at the GAC meeting in Nairobi, which I transcribed in full here, have influenced the ccNSO’s thinking on the matter:

the comments of ICANN’s CEO and President, Rod Beckstrom, to governmental representatives in Nairobi, have the potential to undermine the productive relationships established under ICANN’s multi-stakeholder model, cause damage to the effective relationships that many ccTLD operators have developed with their national administrations and discounted the huge efforts of many in the ICANN and broader security community to ensure the ongoing security and stability of the Internet

Disspain had already strongly written to Beckstrom, during the ICANN meeting, calling his comments “inflammatory” and reiterating some of the points made in the latest ccNSO filing.

Beckstrom’s response to Disspain’s first letter is here. I would characterize it as a defense of his position.

It seems pretty crazy that something as important as the DNS has no official security coordination body but, as Disspain points out, there are already some organizations attempting to tackle the role.

DNS-OARC, for example, was set up to fulfill the functions of a DNS CERT. However, as founder Paul Vixie confessed, it has so far failed to do so. Vixie thinks energies would be better spent fixing DNS-OARC, rather than creating a new body.

ICANN’s comments period on its DNS CERT business case is open for another couple of days. It’s so far attracted only a handful of comments, mostly skeptical, mostly filed by ccTLD operators and mostly suggesting that other organizations could handle the task better.

If Beckstrom’s aim in Nairobi was to reignite the debate and Get Stuff Done by scaring stakeholders into action, he may find he’s been successful.

However, if his aim was to place ICANN at the center of the new security initiative, he may ultimately live to regret his remarks.

Either way, I expect DNS security will eventually improve as a result.