Submission of Packet Clearing House on the matter of the GNSO's report on fast flux
Packet Clearing House is a not-for-profit global authoritative DNS infrastructure provider to nearly sixty top-level domains, operating servers on six continents. We would like to make a point as-yet unconsidered in the GNSO's report on fast-flux.

Over the past two or three years, botnet operators' demand for support of fast-flux capability has been laundered upwards, via registrars who are too happy to take their money, to registries who are compelled to provide the same services to everyone, black-hat and white-hat alike. This has led to a radical change of paradigm in the distribution of DNS record changes from registries to their authoritative nameservers. Whereas the majority of registries used to publish zone updates on, at most, a daily basis, many now flood the network with a constant stream of updates, and consider propagation delays of more than a few seconds problematic. This has worsened the digital divide by dealing two blows to the portions of the world that do not enjoy cheap and plentiful connectivity.

First, accepting this flood of illegitimate changes poses a cost in Internet bandwidth, and ultimately money, to anyone who would spread authoritative nameservers among developing countries. It consumes a scarce resource, competing with both legitimate DNS update traffic and with all other forms of Internet use that could otherwise avail themselves of that connectivity to the rest of the world. Worse, because it floods constricted circuits, it can cause incremental zone transfer processes to fail, taking servers offline for hours or days at a time while they're resynchronized. These costs and strictures are imposed upon the poorest countries in the world, who simultaneously have the highest costs for bandwidth.

Second, the price that fast-flux operators extract from registries comes in the form of Service Level Agreements, or SLAs, requiring registries to provide no service, in preference to normal non-fast-flux-supporting service, when that choice is encountered. In the past, default six-week zone expiry times ensured that those who were cut off from general Internet access, but had the forethought to prepare by equipping themselves with local authoritative servers, could at least rely upon functional DNS during the time of their disconnection. That is no longer the case. SLAs catering to the fast-flux market now promise that DNS servers will be purposely removed from service if they're unable to keep up with, or lose connectivity from, the flood of fast-flux changes. Again, the countries that suffer incidents of national disconnection are usually those already laboring under the heaviest burdens: Pakistan, Sri Lanka, and Zimbabwe, for example.

These are significant degradations of the quality of service offered by the domain name system, and they disproportionately and unfairly burden those who already find themselves on the wrong side of the digital divide. Fast flux is an abuse of the domain name system, and privileges the interests of criminals over the global public welfare.

-Bill Woodcock
Research Director
Packet Clearing House