ICANN Email List Archives

[irt-draft-report]


Comments on the scope of the proposed mechanism

  • To: irtp-draft-report@xxxxxxxxx
  • Subject: Comments on the scope of the proposed mechanism
  • From: Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 07 May 2009 00:26:15 +0200

Howdy,

A standard reliable mechanism necessary for the implementation of policy common to two or more instances of delegated registries, independent of whether the instances share a common point of direct delegation from the unique DNS root, or from direct and secondary, or secondary only, delegations, and also independent of whether the instances share a common policy framework, or from two or more policy frameworks, is prudent.

Such a mechanism was formed recently in response to information that a distributed system, the C variant of the Conficker worm, attempted to use significant numbers of domains in a significant number of name spaces operated by a significant number of independent registry operators, both directly and secondarily delegated from the unique DNS root. State information necessary to coordinate multi-registry action, metadata necessary to monitor resolution activity by the worm, and worm resolution data were all mandatory to implement to prevent an anticipated highly adverse outcome, and to measure the actual state of the worm. The response was sufficient, but only just.

Clearly, the depth and breadth of the C variant's attempt to exploit the DNS to synchronize a distributed system for plainly criminal purposes was novel, and there will be follow-on efforts by its authors and other authors of criminal economic enterprises exploiting the DNS to synchronize distributed systems.

There are other use cases for inter-registry state, metadata, and data communications, in addition to forming the state necessary to conduct a distributed denial of service to a distributed system exploiting two or more registries for rendezvous points, e.g., consistent variant tables for non-ASCII scripts, and, as we pointed out at the First Mile Workshop [1] at the Paris meeting six months ago, cooperative, coherent, and locally correct approaches to the "rights of others" ordering and evaluation problems.

The IRT contains an instance of such a mechanism, and, reasonably enough considering the interests of its authors, significant details to implement a set of specific policy goals critical to its authors dependent upon such a mechanism. Local correctness appears to have been sacrificed. This is unfortunate.

The concern I wish to share with the authors is that the communication between the policy pre-disposed persons and the platform or implementation pre-disposed persons could improve the respective work products of each, and in particular, the IRT's work product. This view was expressed informally at Mexico City with Paul McGrady and Fabricio Vayra and subsequently with Paul and Fabricio as well as Steve Metalitz and J. Scott Evans. It is repeated here.

Specification of a general purpose mechanism for internet registry to internet registry communication of state, meta-data, and data will be benefited by the detail of the IRT work product.

A unique authoritative source of policy data operated by a party not familiar with the operational issues of operators of DNS registries is a peculiar choice, and presents several areas of possible concern.

A source of policy data which on the order of 200 registry operators consider non-operational presents additional areas of possible concern.

A source of policy data which the legacy registry operators consider non-operational presents additional areas of possible concern.

A mandatory-to-implement mechanism which is special-case limited, providing common access to a single policy, only for new gTLD operators, will consume resources needed to socialize, implement, and operationalize a necessary-to-implement general purpose mechanism capable of responding to true DNS security and stability events, capable of ensuring consistent correctness of IDN implementations, and delivering a scalable, adaptive, open (or plurally authoritative) rights of others platform.

I work for CORE, so the usual disclaimers apply.

Eric Brunner-Williams
CORE Internet Council of Registrars
http://corenic.org

[1] http://cai.icann.org/en/node/1867, transcript at http://cai.icann.org/files/meetings/cairo2008/workshop-first-mile-05nov08.txt