Mandatory Notifications are Ineffective and Risky
- To: comments-name-collision-05aug13@xxxxxxxxx
- Subject: Mandatory Notifications are Ineffective and Risky
- From: Daniel Karrenberg <daniel.karrenberg@xxxxxxxx>
- Date: Tue, 27 Aug 2013 07:05:32 +0200
ICANN should neither mandate nor recommend that registry operators "notify the
point of contacts of IP addresses that issue DNS requests for an un-delegated
TLD or names under it". Such notifications will not be effective and pose a
significant risk for abuse.
The notifications will not be effective because they will typically not reach
the party that is potentially at risk. It will take too many actors and too
much work to get the messages there. The RIR databases do not list contact
information for the party issuing the queries. This party will normally be
reached only after a significant number of indirections. As the proposal
correctly notes, one cause of indirection is recursive resolvers. Frequently
there are several recursive resolvers involved before the query reaches the TLD
name servers; a common example of this is a local resolver that is configured
to use the resolver of an ISP or corporate network. Further levels of
indirection are added by the hierarchical allocation of IP addresses; the RIR
databases typically only contain one level of this hierarchy. Some IP addresses
are also allocated dynamically to end-users, adding a time element.
Each actor in the chain will have to do some work in order to determine where
to forward the notification. Often the amount of this work is significant as it involves the
searching of operational logs in order to identify the origin of the query or
the party using the IP address at the time. Current operational experience
suggests that it is extremely unlikely that in a typical case all actors
involved in a notification chain will decide that passing on the message is
worth their effort. Most notifications will thus not even reach the party at
risk. On the contrary, a blanket mandate by ICANN to notify each and every
querier will likely cause a backlash effect towards ICANN, the registry
operator and other parties involved.
Mandatory notifications also pose a significant risk for abuse since queries
that trigger a notification can easily be forged. Because of the nature of the
DNS protocol, the existence of many open resolvers and the lack of source
address checking by many Internet operators, it is extremely easy to send
arbitrary DNS queries with freely chosen source IP addresses to the TLD name
servers of a registry operator. In this way anyone can cause the registry
operator to send an arbitrary amount of mandatory notifications to any holder
of IP address space. It will be highly impractical to detect such attacks or
find their source by technical means. On the other hand there are quite a
number of motivations for such an attack directed at the recipient or the
sender of the notifications. The backlash towards the registry operator, ICANN
and other parties in the chain will be even more severe once the volume
increases and when it turns out that the notifications are for "non-existing"
queries.
ICANN should also consider that issuing many notifications will reduce the
effectiveness of future warnings about more important risks.
Thus ICANN should not mandate notifications as proposed.
Daniel Karrenberg
Chief Scientist
RIPE NCC