Re: [DNSOP] Mitigation of name collisions

David Conrad <> Tue, 04 October 2016 00:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 97DD7129550 for <>; Mon, 3 Oct 2016 17:33:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HHViF_rGOBZy for <>; Mon, 3 Oct 2016 17:33:52 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c03::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D204A1293E0 for <>; Mon, 3 Oct 2016 17:33:52 -0700 (PDT)
Received: by with SMTP id qn7so66097222pac.3 for <>; Mon, 03 Oct 2016 17:33:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=date:from:to:cc:message-id:in-reply-to:references:subject :mime-version; bh=LRLx3vVkQumAfIB1Kw9EznD44lBPD8siwKJBviur5Wg=; b=tNeuGOZblXLPGgJtwaIyLB+e6IgE7I7oZ2NO+9EvWIxIxttHa6ltj5nBGbcJKms+Jh /S/iVYvAGPAgwICzByZvRvQkytulkbOdju3LvDuREIq+/uy59mbV3H6/+TUqLp740M5D 4umKINC0SX/XGpknI0EfUtdz1kJT2OkMozLkJ9pZDhKpiAfLVXseJV15wHeax8gOZ7mF Z167CHcaAk4g11f1GbagVY9duuPDjGXkpiJLKJx7X3F4Zubk9VGl5KyI8h70bDV3ivmJ d4/xwIihEo/tVJTf3rf1AyzDajrCepkWTy14BoyzCQ9ZBw5ndVySWwSzI2sJd3/jCBn+ FDGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:date:from:to:cc:message-id:in-reply-to :references:subject:mime-version; bh=LRLx3vVkQumAfIB1Kw9EznD44lBPD8siwKJBviur5Wg=; b=flwRDuYE/pASVKIkvoq/f3mFolMCV4fX/K4QzgzVob47wPL0Dxr3oLW2ZkJVfr9tPx GUGj39wB5Gcs17Yu5psCcQ/cKMrQC9eQE23hfoF8k1l4L1TgWB6j/1h+aqyNyQZIsVFr G/Vz39f4YWcsOLWqGXz2qgEnrww0agUHxICEDPwJq9/U7I8sYqXiDZQDRvUb0y9KudHa gc/vVvc+3LJMBLFxG9eWIHMUqq7uoetlGGRvWplBvPGX+7z0vZr4fc8yuUAP5v6y3ClU +P0OEFUzj5Tx2Bw5vjPJ7331KCH3OxlIpWzxC25+zDpq9hSruy/YmEiFsLZgsgffLFjP mWfg==
X-Gm-Message-State: AA6/9RluGxmbUdHNGBDFI8oqnCIz9tIeT5mw3PSjO7ONUFN6Hwfe4gkVLSYUzq5rYv/ckQ==
X-Received: by with SMTP id rb5mr1197261pac.45.1475541232258; Mon, 03 Oct 2016 17:33:52 -0700 (PDT)
Received: from DACO-4417.local.mail ([2605:e000:110f:337:fcb7:b29:da88:c5d7]) by with ESMTPSA id d190sm49779014pfd.59.2016. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 03 Oct 2016 17:33:51 -0700 (PDT)
Date: Mon, 03 Oct 2016 14:33:48 -1000
From: David Conrad <>
To: Warren Kumari <>
Message-ID: <>
In-Reply-To: <>
References: <> <>
X-Mailer: Airmail (382)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="85C78071-7624-4B29-BAE9-ECC1B368BC61"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Archived-At: <>
Cc: dnsop <>
Subject: Re: [DNSOP] Mitigation of name collisions
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 04 Oct 2016 00:33:54 -0000


On October 3, 2016 at 12:33:12 PM, Warren Kumari ( wrote:
... and just for the record, much much more could have been determined 
(and users better warned / informed) if the address handed out was a 
server which displayed an error / links to more information[0],
I'm not particularly interested in beating the smudge on the ground that was the honey pot dead horse yet again. Here's an idea: if you can get Google lawyers to accept the full legal liability and privacy implications for running such a honey pot (regardless of how it is implemented and for what protocols), let me know and I'll argue that we should do an RFP to outsource the operation of such a honey pot in the next round. Until then, perhaps we can let the dead horse rest in peace?

 or if 
the name-servers serving the wildcard were required to collect and 
publish information and statistics. This would have allowed analysis 
of the effectiveness of the mitigations, etc. 

This, however, is more interesting and should another round occur, I think it'd make sense to do this in a staged fashion, first to ICANN name servers, then to the registry's name servers.

Of course, IIRC, people were arguing that you shouldn't ask questions when you aren't sure what you'll do with the answers...