ICANNWatch
 
  Inside ICANNWatch  
Submit Story
Home
Lost Password
Preferences
Site Messages
Top 10 Lists
Latest Comments
Search by topic

Our Mission
ICANN for Beginners
About Us
How To Use This Site
ICANNWatch FAQ
Slash Tech Info
Link to Us
Write to Us

  Useful ICANN sites  
  • ICANN itself
  • Bret Fausett's ICANN Blog
  • Internet Governance Project
  • UN Working Group on Internet Governance
  • Karl Auerbach web site
  • Müller-Maguhn home
  • UDRPinfo.com;
  • UDRPlaw.net;
  • CircleID;
  • LatinoamerICANN Project
  • ICB Tollfree News

  •   At Large Membership and Civil Society Participation in ICANN  
  • icannatlarge.com;
  • Noncommercial Users Constituency of ICANN
  • NAIS Project
  • ICANN At Large Study Committee Final Report
  • ICANN (non)Members page
  • ICANN Membership Election site

  • ICANN-Related Reading
    Browse ICANNWatch by Subject

    Ted Byfied
    - ICANN: Defending Our Precious Bodily Fluids
    - Ushering in Banality
    - ICANN! No U CANN't!
    - roving_reporter
    - DNS: A Short History and a Short Future

    David Farber
    - Overcoming ICANN (PFIR statement)

    A. Michael Froomkin
    - When We Say US™, We Mean It!
    - ICANN 2.0: Meet The New Boss
    - Habermas@ discourse.net: Toward a Critical Theory of Cyberspace
    - ICANN and Anti-Trust (with Mark Lemley)
    - Wrong Turn in Cyberspace: Using ICANN to Route Around the APA & the Constitution (html)
    - Form and Substance in Cyberspace
    - ICANN's "Uniform Dispute Resolution Policy"-- Causes and (Partial) Cures

    Milton Mueller
    - Ruling the Root
    - Success by Default: A New Profile of Domain Name Trademark Disputes under ICANN's UDRP
    - Dancing the Quango: ICANN as International Regulatory Regime
    - Goverments and Country Names: ICANN's Transformation into an Intergovernmental Regime
    - Competing DNS Roots: Creative Destruction or Just Plain Destruction?
    - Rough Justice: A Statistical Assessment of the UDRP
    - ICANN and Internet Governance

    David Post
    - Governing Cyberspace, or Where is James Madison When We Need Him?
    - The 'Unsettled Paradox': The Internet, the State, and the Consent of the Governed

    Jonathan Weinberg
    - Sitefinder and Internet Governance
    - ICANN, Internet Stability, and New Top Level Domains
    - Geeks and Greeks
    - ICANN and the Problem of Legitimacy

    Highlights of the ICANNWatch Archive
    (June 1999 - March 2001)


     
    IP Numbers How to Protect the DNS
    posted by michael on Friday October 25 2002, @11:38AM

    Our earlier item on the recent DDOS attacks mentioned Karl Auerbach's simple suggestions for a DNS-in-box emergency replacement on a CD. The full text of those suggestions, dated Oct. 2001 (!) is below. See also Protecting the Internet's Domain Name System online at cavebear.com. No sign that ICANN has taken any interest, though. Thus, while I agree with those who say that it's not ICANN's job to try to guarantee (or legislate) Internet security, I also think that the people who say that ICANN could have done something useful in this connection have a point. True "technical coordination" (remember the good ol' days, when that was what ICANN said it was for?) would include providing a forum in which interested parties could work out a standard distribution and invite people -- completely voluntarily -- to implement it. [Updated]



    I wouldn't go nearly as far as Bob Alberti, but I wish that ICANN could lead (not command - lead) in this area. If we're lucky, that is what the Security and Stability committee will do...

    As for the Auerbach paper, I think it's a great starting point. I think it lightly underestimates the difficulties in distributing backups of the name servers' files which contain privacy-sensitive (and spam-vulnerable) information, information that registries don't want to spread around on CD. They'd need to be encrypted in some way, and we'd need some non-internet way to share the key in case of emergency. But this should be a solvable problem.

    Update: The DNS-in-a-box idea:

    Date: Thu, 25 Oct 2001 11:50:45 -0700 (PDT)
    From: Karl Auerbach {karl@CaveBear.com}
    To: XXX
    Subject: An idea: An Internet Self-Protection kit

    I've had this idea:

    A CDROM that contains all the pieces that one needs to build an emergency DNS service for one's home, company, school, or whatever..

    It would contain the configuration files for bind plus zone files for a root and selected contents of the big TLDs, plus some sort of wildcard for in-addr.arpa.

    This could be updated monthly.

    When something bad strikes, the owner of the kit could drag it off the shelf, follow the instructions, and get his/her own root+TLD server up and running to provide DNS coverage.

    The hard parts of doing this are:

    - Latching it to a platform. Linux/Unix and Win2k might be a pair of platform choices.

    - Selecting the subsets of the TLDs, i.e. including cavebear.com but excluding superspammer.com.

    - Handling in-addr.arpa queries. (I'm thinking that all could be handled by simply giving the same response.)

    - Keeping it up-to-date.

    --karl--


     
      ICANNWatch Login  
    Nickname:

    Password:

    [ Don't have an account yet? Please create one. It's not required, but as a registered user you can customize the site, post comments with your name, and accumulate reputation points ("karma") that will make your comments more visible. ]

     
      Related Links  
  • Bob Alberti
  • Security and Stability
  • Protecting the Internet's Domain Name System
  • it's not ICANN's job to try to guarantee (or legislate) Internet security
  •  
    This discussion has been archived. No new comments can be posted.
    How to Protect the DNS | Log in/Create an Account | Top | 7 comments | Search Discussion
    Click this button to post a comment to this story
    The options below will change how the comments display
    Threshold:
    Check box to change your default comment view
    The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
    Re: How to Protect the DNS
    by michael (froomkin@lawUNSPAM.tm) on Friday October 25 2002, @01:52PM (#9842)
    User #4 Info | http://www.discourse.net/
    I agree there's nothing sensitive in the zone file. But the name servers (registries) got hammered last week too. Isn't there some vulnverability worth worrying about there too?
    [ Reply to This | Parent ]
    correct link
    by michael (froomkin@lawUNSPAM.tm) on Friday January 17 2003, @03:25PM (#10987)
    User #4 Info | http://www.discourse.net/
    The message above has a break in the url. I think it means to refer to this link [slashdot.org]?
    [ Reply to This | Parent ]
  • 3 replies beneath your current threshold.

  • Search ICANNWatch.org:


    Privacy Policy: We will not knowingly give out your personal data -- other than identifying your postings in the way you direct by setting your configuration options -- without a court order. All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 by ICANNWatch.Org. This web site was made with Slashcode, a web portal system written in perl. Slashcode is Free Software released under the GNU/GPL license.
    You can syndicate our headlines in .rdf, .rss, or .xml. Domain registration services donated by DomainRegistry.com