Re: [dnsext] Ghost domain names

Florian Weimer <fw@deneb.enyo.de> Mon, 13 February 2012 22:04 UTC

From: Florian Weimer <fw@deneb.enyo.de>
To: Edward Lewis <Ed.Lewis@neustar.biz>
References: <3699_1328861785_4F34D258_3699_2027_1_4F33E1A6.4030902@isc.org> <20120210084439.GB7284@laperouse.bortzmeyer.org> <4F34E0BF.9060305@nlnetlabs.nl> <4F353676.6090702@ogud.com> <161E2DAB-4355-4ED8-826A-6C5A0F74CE52@icsi.berkeley.edu> <4F357920.2000008@ogud.com> <6EEB712F-42B8-4318-ABAD-C11A94F61CC6@verisign.com> <4F3945EE.6070008@ogud.com> <a06240804cb5f0772c009@[192.168.128.21]>
Date: Mon, 13 Feb 2012 23:04:22 +0100
In-Reply-To: <a06240804cb5f0772c009@[192.168.128.21]> (Edward Lewis's message of "Mon\, 13 Feb 2012 13\:58\:50 -0500")
Message-ID: <87bop28k61.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Ghost domain names
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

* Edward Lewis:

> I looked briefly at the paper
> (http://www.isc.org/files/imce/ghostdomain_camera.pdf) and don't see
> this as a "vulnerability" but rather a result of a lack of revocation
> in the protocol.  (The paper says as much.)  Adding revocation isn't
> going to be easy.

I think before we could do that, we'd need to know how quickly the
revocation needs to take effect.  If the time period is rather short,
this rules out many potential approaches.

I'm also not sure if this is an actual problem.  For a couple of
years, we had unremovable names in COM & NET due to the way those
zones were provisioned, and while this was abused, very likely not
even intentionally, the world didn't end.  (Verisign fixed this prior
to the introduction of DNSSEC.)
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

[dnsext] perhaps we should reintroduce "resimprov… paul vixie
Re: [dnsext] perhaps we should reintroduce "resim… Andrew Sullivan
Re: [dnsext] perhaps we should reintroduce "resim… Frederico A C Neves
Re: [dnsext] perhaps we should reintroduce "resim… Andrew Sullivan
Re: [dnsext] perhaps we should reintroduce "resim… Andrew Sullivan
Re: [dnsext] perhaps we should reintroduce "resim… Warren Kumari
Re: [dnsext] perhaps we should reintroduce "resim… Stephane Bortzmeyer
Re: [dnsext] perhaps we should reintroduce "resim… paul vixie
Re: [dnsext] perhaps we should reintroduce "resim… W.C.A. Wijngaards
Re: [dnsext] perhaps we should reintroduce "resim… Florian Weimer
Re: [dnsext] perhaps we should reintroduce "resim… Olafur Gudmundsson
Re: [dnsext] perhaps we should reintroduce "resim… Nicholas Weaver
Re: [dnsext] perhaps we should reintroduce "resim… Paul Hoffman
Re: [dnsext] perhaps we should reintroduce "resim… Evan Hunt
Re: [dnsext] perhaps we should reintroduce "resim… Olafur Gudmundsson
Re: [dnsext] perhaps we should reintroduce "resim… Blacka, David
Re: [dnsext] perhaps we should reintroduce "resim… Olafur Gudmundsson
[dnsext] Ghost domain names Edward Lewis
Re: [dnsext] perhaps we should reintroduce "resim… Blacka, David
Re: [dnsext] perhaps we should reintroduce "resim… Olafur Gudmundsson
Re: [dnsext] Ghost domain names Florian Weimer
Re: [dnsext] perhaps we should reintroduce "resim… Mohan Parthasarathy
Re: [dnsext] perhaps we should reintroduce "resim… Edward Lewis
Re: [dnsext] perhaps we should reintroduce "resim… Paul Vixie
Re: [dnsext] perhaps we should reintroduce "resim… Mohan Parthasarathy
Re: [dnsext] perhaps we should reintroduce "resim… Mark Andrews
Re: [dnsext] perhaps we should reintroduce "resim… Mohan Parthasarathy