Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Rich Kulawiec <rsk@gsp.org> Mon, 23 January 2017 18:20 UTC

Date: Mon, 23 Jan 2017 13:20:52 -0500
From: Rich Kulawiec <rsk@gsp.org>
To: dnsop@ietf.org
Message-ID: <20170123182052.GA12543@gsp.org>
References: <CADyWQ+ETSd199ok0fgh=PB=--hW7buPgSoCg22aK51Bk4xxBmw@mail.gmail.com> <CAHw9_iJGXvep1EvnrMqb-XsWre4c3msVs+Bw8gE-_oU3eqOXag@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAHw9_iJGXvep1EvnrMqb-XsWre4c3msVs+Bw8gE-_oU3eqOXag@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HCQQrW3Uqvz9fkcGVmwxlO53DfE>
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

I've been following this discussion and have taken a few weeks to think
about the comments rendered here in some depth.  I find that I most agree
with this statement:

On Tue, Dec 20, 2016 at 10:53:39PM +0000, Warren Kumari wrote:
> I believe that RPZ (and the DNS lies which it creates) is evil --
> unfortunately we live in a world where this is a necessary evil.

I started studying the use of domains by spammers 15 years ago.
I expanded that study to phishers, typosquatters, domaineers, malware
distributors, etc. as it became excruciatingly clear that these are
quite often the same people or operations.  (See "Sanford Wallace"
for one of the canonical examples.)

It's become clear to me that most Internet domains are malicious.
In the new TLDs, "most" asymptotically approaches "all".

( If anyone doubts this, and you shouldn't unless you've done your own
homework, I'll be happy to show you some sample data.  Or you can spend
your morning coffee time for the next week idly perusing new additions to
zone files at https://domainpunch.com/tlds/daily.php and get the flavor
of it for yourself.  Popular this month: domains being used by boiler
room fake technical support operations who make phone calls designed to
convince users to hand over control of their systems.  They're being
registered much faster than I can track them. [1] )

This shouldn't surprise anyone who has even dabbled in the area.  Abusers
register domains by the tens or hundreds of thousands, burn through
them, then register more.  Registrars are happy to have high-volume
repeat customers, so while they may make a pretense of responsibility
by suspending a domain here or there, these are meaningless gestures
designed to placate complainers and support maintenance of a facade of
responsibility.  And in the extremely rare cases where registrars fire
a client, there are plenty of others ready to welcome them with open arms.

The situation is so bad that I think it's a best practice in mail system
operations to block quite a few of the new TLDs outright in MTAs and
make exceptions for specific domains if/when the need arises.

But even if that's done, it's an insufficient defense mechanism.  We need
a way to make huge numbers of domains effectively disappear from users'
view of the Internet -- and this may be it.

I don't like it.  This is not the Internet I would have chosen.

But I'm not the entity who has allowed registrars to profit handsomely off
the Internet's collective misery for a couple of decades, or the entity
who handed them a whole new way to do so by unleashing hundreds of TLDs for
which there is precisely zero need and precisely zero legitimate purpose,
or the entity which let them start obfuscating registration data -- one
of the best things that's ever happened to operators of malicious domains.

---rsk

[1] Here's a single data point, out of a huge number:

	http://www.firemountain.net/~rsk/online.txt

Those are *some* of the domains registered by one registrant in one TLD
in one day.  It's thus a speck on a microscopic speck, but I assure you
it's representative.
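The MTA-side measure the post recommends (block selected TLDs outright, then carve out exceptions for specific domains) is shown below as an added example; it is not code from the original message or from any project, and the blocked TLDs and exception domains in it are placeholder choices of this example, not the author's list. It is written as a handler for the Postfix SMTPD policy delegation protocol (what `check_policy_service` talks to), so the exception-first logic, the null sender used by bounces, and case/trailing-dot normalisation are all handled in one place.

```python
"""Postfix policy check: reject envelope senders under chosen TLDs,
with per-domain exceptions.  Added example, not code from the original
post; the TLD and domain lists are illustrative assumptions.

Deploy with, e.g.:   smtpd_sender_restrictions =
                         check_policy_service inet:127.0.0.1:10040
"""
import re
import socketserver

# ASSUMED policy values for illustration only (not the post's recommendation).
BLOCKED_TLDS = frozenset({"top", "xyz", "click", "work"})
# Exceptions: these domains and anything beneath them are accepted.
ALLOWED_DOMAINS = frozenset({"partner.top", "vendor.xyz"})

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def sender_domain(sender: str):
    """Domain part of an envelope sender, lowercased, trailing dot removed.

    Returns None for the null sender (<> as used by bounces) or for an
    address without a well-formed multi-label domain, so the caller can
    fall through to Postfix's other restrictions instead of guessing.
    """
    addr = sender.strip().lower()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if not addr or "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].rstrip(".")
    return domain if _DOMAIN_RE.match(domain) else None


def decide(attributes: dict) -> str:
    """Access action for one policy request (attribute name -> value)."""
    domain = sender_domain(attributes.get("sender", ""))
    if domain is None:
        return "DUNNO"                      # not ours to judge; next restriction
    labels = domain.split(".")
    tld = labels[-1]
    if tld not in BLOCKED_TLDS:
        return "DUNNO"
    # Exceptions are checked before the TLD block: the exact domain or any
    # parent of it listed in ALLOWED_DOMAINS lets the message through.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in ALLOWED_DOMAINS:
            return "DUNNO"
    return f"REJECT 5.7.1 Mail from .{tld} is not accepted here"


def parse_request(raw: str) -> dict:
    """Parse one 'name=value' per line request; an empty line ends it."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def handle(raw: str) -> str:
    """Full protocol round trip: request text in, 'action=...\\n\\n' out."""
    return "action=" + decide(parse_request(raw)) + "\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection; Postfix may send several requests on it."""
    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:                # peer closed the connection
                    return
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            reply = handle("\n".join(lines) + "\n\n")
            self.wfile.write(reply.encode("utf-8"))
            self.wfile.flush()


def serve(host="127.0.0.1", port=10040):
    with socketserver.ThreadingTCPServer((host, port), PolicyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic) to show the decisions.
    for sender in ("spam@ads.example.top", "bill@mail.partner.top",
                   "", "user@example.com", "user@EXAMPLE.TOP."):
        print(repr(sender), "->", decide({"sender": sender}))
```

The exception list is consulted only after the TLD has matched, so a typo in it cannot silently widen the block, and subdomains of an excepted domain inherit the exception, which is what a per-domain allowlist is usually meant to do. Returning `DUNNO` rather than `OK` for everything else matters: `OK` would short-circuit any later restriction in the same list.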