ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] Rasmussen/Piscitello action 4.b 4.c and 4.e

  • To: Greg Aaron <gaaron@xxxxxxxxxxxx>, Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] Rasmussen/Piscitello action 4.b 4.c and 4.e
  • From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
  • Date: Wed, 6 May 2009 07:04:52 -0700

Hi Greg,

I think that is something for the WG to decide. For example, some people
might find value in having a clearer definition of what a registrar ought to
do when it resolves a whois accuracy notification, esp. with regard to
assuring that no orphaned records remain. Others might suggest that
characterizing some baseline of change behaviors as "normal" and suggesting
that monitoring for anomalies to these ought to be more than a best
practice, to ensure uniform implementation. I'm not advocating either
position is a "must have" (that's not for me to decide) but putting it on
the table for discussion.


On 5/6/09 9:38 AM, "Greg Aaron" <gaaron@xxxxxxxxxxxx> wrote:

> Is the first paragraph recommending a contractual requirement upon
> registrars and registries?
> 
> 
> -----Original Message-----
> From: Dave Piscitello [mailto:dave.piscitello@xxxxxxxxx]
> Sent: Wednesday, May 06, 2009 8:38 AM
> To: Fast Flux Workgroup
> Subject: [gnso-ff-pdp-may08] Rasmussen/Piscitello action 4.b 4.c and 4.e
> 
> 
> Again, on behalf of Rod and myself. We believe that the proposed answer
> addresses three comments.
> 
> (4.b) Monitoring DNS activity and reporting suspicious behavior to
> law enforcement or other appropriate reporting mechanism
> (4.c) Adopting measures that make fast flux either harder to
> perform or unattractive
> (4.e) Adopting accelerated domain suspension processing in
> collaboration with certified investigators / responders
> 
> 
> Proposed answer: ICANN has contractual relationships with registrars and
> gTLD registries. While monitoring and reporting DNS activities through these
> parties might provide some detection and deterrent to fast flux hosting,
> other parties outside ICANN's policy and contractual reach - subdomain
> registries, hosting providers, ISPs, public DNS operators - would not be
> obliged to monitor and report suspicious activities. There may be value in
> recommending that registrars monitor certain DNS configuration behavior for
> domains they sponsor. This could be part of an overall set of protective
> measures registrars offer to registrants to reduce the risk of hijacking and
> DNS abuse.
> 
> The WG observes that reporting "suspicious activity" to law enforcement can
> be problematic in several respects. In certain jurisdictions, for example,
> Law Enforcement cannot accept certain information without the consent of the
> victim. Volume is also a problem, as law enforcement case loads are, on
> average, extremely high. Adding to this load without a clear definition of
> what constitutes "suspicious activity" and without a clear definition of the
> information that can be practically used by LEAs could prove more burdensome
> than useful.
> 