Discussion:
ns1,2,3,5.dns.net.nz hot being helpful
(too old to reply)
Tim Nicholas
2004-09-28 10:40:24 UTC
Permalink
Hi all,

Anyone know why ns1 ns2 ns3 and ns5.dns.net.nz aren't giving out useful
information?

That's 4 of 7 primary servers for all of .nz and seems to be affecting
all of the second level domains.



22:35:04 ***@stella ~$ for i in 1 2 3 4 5 6 7; do host -t ns dnc.net.nz
ns$i.dns.net.nz;echo; done
dnc.net.nz NS record currently not present at ns1.dns.net.nz

dnc.net.nz NS record currently not present at ns2.dns.net.nz

dnc.net.nz NS record currently not present at ns3.dns.net.nz

dnc.net.nz NS ns2.actrix.co.nz
dnc.net.nz NS internetnz.net.nz
dnc.net.nz NS ns1.actrix.co.nz

dnc.net.nz NS record currently not present at ns5.dns.net.nz

dnc.net.nz NS ns2.actrix.co.nz
dnc.net.nz NS ns1.actrix.co.nz
dnc.net.nz NS internetnz.net.nz

dnc.net.nz NS internetnz.net.nz
dnc.net.nz NS ns1.actrix.co.nz
dnc.net.nz NS ns2.actrix.co.nz

22:37:40 ***@stella ~$


Cheers,
Tim
--
Tim Nicholas || Cilix
Email: ***@nicholas.net.nz || Wellington, New Zealand
http://tim.nicholas.net.nz/ || Cell/SMS: +64 21 337 204
Joe Abley
2004-09-28 15:46:38 UTC
Permalink
Post by Tim Nicholas
Anyone know why ns1 ns2 ns3 and ns5.dns.net.nz aren't giving out
useful information?
I have no answer, but I can see similar problems. Even though all
nameservers are reporting the same SOA serial, the answers are
different for the question "dnc.net.nz IN NS":

[***@ganesh]% for n in 1 2 3 4 5 6 7; do
for> echo -n "ns${n}: "
for> dig @ns${n}.dns.net.nz net.nz SOA +short
for> dig @ns${n}.dns.net.nz dnc.net.nz NS +norec +short
for> done
ns1: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800
3600
ns2: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800
3600
ns3: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800
3600
ns4: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800
3600
ns2.actrix.co.nz.
internetnz.net.nz.
ns1.actrix.co.nz.
ns5: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800
3600
ns6: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800
3600
ns7: loopback.dns.net.nz. soa.nzrs.net.nz. 2004092888 900 300 604800
3600
ns2.actrix.co.nz.
internetnz.net.nz.
ns1.actrix.co.nz.
[***@ganesh]%

I only get answers from ns4 and ns7. You got an answer from n6, but
that's quite possibly a different ns6 from the one I was using (ns5 and
ns6 are anycast by UltraDNS).

I'd AXFR the zones from each server and diff them, but of course I
can't. Shame that. (If the poor thinking that drove that policy was
removed, we might actually be able to deploy DNSSEC in New Zealand,
too).


Joe
Don Stokes
2004-09-28 21:52:42 UTC
Permalink
Post by Tim Nicholas
Hi all,
Anyone know why ns1 ns2 ns3 and ns5.dns.net.nz aren't giving out useful
information?
That's because they don't have "useful information". They have
delegations to name servers that do.

Let's look at a NS4's actual response to your query:


$ dig dnc.net.nz. NS @ns4.dns.net.nz

; <<>> DiG 8.3 <<>> dnc.net.nz. NS @ns4.dns.net.nz
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20937
;; flags: qr rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;; dnc.net.nz, type = NS, class = IN

;; ANSWER SECTION:
dnc.net.nz. 1D IN NS ns2.actrix.co.nz.
dnc.net.nz. 1D IN NS internetnz.net.nz.
dnc.net.nz. 1D IN NS ns1.actrix.co.nz.

;; ADDITIONAL SECTION:
ns2.actrix.co.nz. 1D IN A 203.96.16.36
ns1.actrix.co.nz. 1D IN A 203.96.16.35


The NS records are placed in the answer section of the response, and
'host" considers these answers, although note that the 'aa' flag
(authoritative answer) is not set. That's because delegation
information is not considered authoritative; if you want an
authoritative answer for the NS records of dns.net.nz, you should ask
(according to this answer) one of ns2.actrix.co.nz, internetnz.net.nz or
ns1.actrix.co.nz.

This answer is "wrong". This answer should still be delegating
responsibility for records in the dnc.net.nz domain to the name servers
mentioned in the NS list; the NS records held by ns4.dns.net.nz are
really just to help you find something that has the answer, and thus
they should really be returned in the authority section, not the answer
section, as happens when you look up something else in the delegated
zone such as an address query:


$ dig dnc.net.nz. A @ns4.dns.net.nz

; <<>> DiG 8.3 <<>> dnc.net.nz. A @ns4.dns.net.nz
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4940
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 2
;; QUERY SECTION:
;; dnc.net.nz, type = A, class = IN

;; AUTHORITY SECTION:
dnc.net.nz. 1D IN NS ns1.actrix.co.nz.
dnc.net.nz. 1D IN NS ns2.actrix.co.nz.
dnc.net.nz. 1D IN NS internetnz.net.nz.

;; ADDITIONAL SECTION:
ns1.actrix.co.nz. 1D IN A 203.96.16.35
ns2.actrix.co.nz. 1D IN A 203.96.16.36


NS4 and NS7 run BIND 8, whose logic basically goes, "do I have anything,
anywhere that matches the query? If yes, put the records in the answer
section, otherwise, put any available authority data in the authority
section."

This is different from BIND 9's (more correct) logic, which goes, "is
this domain delegated? If so, just put authority data in the authority
section, and never return data in the answer section." Thus you get the
same format answers for an NS query as for an A query; the NS records
are in the authority section, not the answer section. For example:


$ dig dnc.net.nz. NS @ns1.dns.net.nz

; <<>> DiG 8.3 <<>> dnc.net.nz. NS @ns1.dns.net.nz
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3432
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
;; QUERY SECTION:
;; dnc.net.nz, type = NS, class = IN

;; AUTHORITY SECTION:
dnc.net.nz. 1D IN NS ns1.actrix.co.nz.
dnc.net.nz. 1D IN NS ns2.actrix.co.nz.
dnc.net.nz. 1D IN NS internetnz.net.nz.


NS1, NS2 & NS3 all run BIND 9. NS5 & NS6 are operated by UltraDNS,
which uses their own software but has the same behaviour regarding
delegated responses.

Also, note that in the BIND 9 (and UltraDNS) responses, there are no
additional "glue" address records, because none of the delegated name
servers are within the "dnc.net.nz" domain, and therefore don't actually
need glue. (There's a bunch of reasons why putting in glue where it's
not needed is not a good idea, mostly relating to stale glue data. BIND
8 is rather generous with additional glue.)

Basically, the BIND 8 servers give "answers" to NS records queries when
they don't actually have "answers" to give. All the rest give
delegation responses, just as when faced with a non-NS record (which is
the usual case). It's all working fine. You'll see the same behaviour
in other name servers.

Hope this helps.

-- don
Post by Tim Nicholas
That's 4 of 7 primary servers for all of .nz and seems to be affecting
all of the second level domains.
ns$i.dns.net.nz;echo; done
dnc.net.nz NS record currently not present at ns1.dns.net.nz
dnc.net.nz NS record currently not present at ns2.dns.net.nz
dnc.net.nz NS record currently not present at ns3.dns.net.nz
dnc.net.nz NS ns2.actrix.co.nz
dnc.net.nz NS internetnz.net.nz
dnc.net.nz NS ns1.actrix.co.nz
dnc.net.nz NS record currently not present at ns5.dns.net.nz
dnc.net.nz NS ns2.actrix.co.nz
dnc.net.nz NS ns1.actrix.co.nz
dnc.net.nz NS internetnz.net.nz
dnc.net.nz NS internetnz.net.nz
dnc.net.nz NS ns1.actrix.co.nz
dnc.net.nz NS ns2.actrix.co.nz
Cheers,
Tim
Joe Abley
2004-09-28 22:25:12 UTC
Permalink
Post by Don Stokes
Post by Tim Nicholas
Anyone know why ns1 ns2 ns3 and ns5.dns.net.nz aren't giving out useful
information?
That's because they don't have "useful information". They have
delegations to name servers that do.
[...]
Basically, the BIND 8 servers give "answers" to NS records queries when
they don't actually have "answers" to give. All the rest give
delegation responses, just as when faced with a non-NS record (which is
the usual case). It's all working fine. You'll see the same behaviour
in other name servers.
Oh, would you look at that.

I should probably stick to configuring routers.


Joe
Andy Linton
2004-09-28 22:26:59 UTC
Permalink
Thanks to Don for the explanation of what's going on here.

Given the comment that Bind 9 and UltraDNS display "more correct" logic in the
way they provide the answers, are there plans to upgrade the Bind 8 servers to
one of these packages?
David Farrar
2004-09-28 22:27:41 UTC
Permalink
Umm if the reply won't be off-topic, why do you think restricting access to
the entire .nz zone file is a bad thing, and did you put in a submission on
the recent policy review?

There has been numerous examples of scammers using zone data combined with
whois lookups to do mass spams and scams. Doing our bit to make this harder
to do seems a good thing IMO.

Yes DNSSEC is a good thing also. If I have to choose (and in fact have had
to do just that) between DNSSEC and open slather on the zone file, then
minimising the ability of scammers takes first priority. The last big scam
using zone and whois data saw over NZ$500,000 sent to Australia. All the
European ccTLDs (.uk and .de amongst others) are adamant that they also will
not implement DNSSEC (as much as they would like to) uness there is a change
in the protocol which won't allow people to access their zone files.

I'm open for persuasion that the problems fixed by DNSSEC are a bigger
threat than the scams made possible by zone access, but yet to see a
convincing argument.

And yes I know the zone itself doesn't give our registrants data, but it
does give scammers a list of all valid entries, which makes it much much
easier to get all the details through whois.

DPF
-----Original Message-----
Sent: Wednesday, 29 September 2004 3:47 a.m.
To: Tim Nicholas
Subject: Re: [nznog] ns1,2,3,5.dns.net.nz hot being helpful
I'd AXFR the zones from each server and diff them, but of
course I can't. Shame that. (If the poor thinking that drove
that policy was removed, we might actually be able to deploy
DNSSEC in New Zealand, too).
Joe
_______________________________________________
NZNOG mailing list
http://list.waikato.ac.nz/mailman/listinfo/nznog
Joe Abley
2004-09-28 22:43:06 UTC
Permalink
Post by David Farrar
Umm if the reply won't be off-topic, why do you think restricting access to
the entire .nz zone file is a bad thing,
Because being able to do a zone transfer is useful to debug things, and
because a policy which prevents enumeration of the records in a zone
will block deployment of a signed zone containing NSEC records.

That's the end of the operational part of the reply, if you could call
it that.
Post by David Farrar
and did you put in a submission on the recent policy review?
Nope. I discovered long ago that the world is a much more pleasant
place if I resist all temptation to involve myself in "policy" or
"governance" issues, irony implied by punctuation intended. Besides,
there are plenty of hard concrete walls here I can bang my head
against, if I really feel the need; I don't need to go looking for
others.
Post by David Farrar
There has been numerous examples of scammers using zone data combined with
whois lookups to do mass spams and scams. Doing our bit to make this harder
to do seems a good thing IMO.
There have also been uncountable examples of scammers using all kinds
of non-zone data combined with whois lookups to do those things. I have
not seen any convincing argument that allowing the zone to be retrieved
(by NSEC chain walking, AXFR, FTP, HTTP, or any other method) will make
any difference to this. If they can get your address, they can get your
address -- who cares how they get it?
Post by David Farrar
I'm open for persuasion that the problems fixed by DNSSEC are a bigger
threat than the scams made possible by zone access, but yet to see a
convincing argument.
I have yet to see a convincing argument that the threat of increased
scamming due to open access to the zone imposes any additional threat
at all.

It seems odd to take the position that known threats against the DNS
that we can defend against (with DNSSEC) take a back seat to nebulous
threats which have not been demonstrated to exist.


Joe
Drew Whittle
2004-09-28 23:22:25 UTC
Permalink
Post by David Farrar
Umm if the reply won't be off-topic, why do you think restricting access to
the entire .nz zone file is a bad thing,
Blocking the zone doesn't fix the problem, the problem is with whois not
the .nz zone.

My contact information is not in the zone, but it is in the whois info.

Your doing a poor band aid fix, it's not worthy as a New Zealand No.8
wired fix, your "fixing" the wrong thing.

The real problem is whois, not the zone data.

Personally I couldn't care if people can't get my contact details out of
whois, (Hmm do 90% of the population even know whois exists?) but I'm
fairly sure some people would strongly oppose changing the returned info
from whois so that domain scammers couldn't use it.

Yeah I know put a submission in to the great and holy INZ for
consideration, don't see the point in that - the powers that be might
read it, but they will do what the want, not what is right.

If an alcoholic keeps falling down when drunk, you don't tie him to a
chair to stop him falling down....

:D
David Farrar
2004-09-29 00:42:30 UTC
Permalink
-----Original Message-----
Sent: Wednesday, 29 September 2004 10:43 a.m.
To: David Farrar
Subject: Re: [nznog] ns1,2,3,5.dns.net.nz hot being helpful
Post by David Farrar
Umm if the reply won't be off-topic, why do you think restricting
access to the entire .nz zone file is a bad thing,
Because being able to do a zone transfer is useful to debug
things, and because a policy which prevents enumeration of
the records in a zone will block deployment of a signed zone
containing NSEC records.
One can apply for zone file access, it just isn't something one gets
automatically.
I have yet to see a convincing argument that the threat of
increased scamming due to open access to the zone imposes any
additional threat at all.
It seems odd to take the position that known threats against
the DNS that we can defend against (with DNSSEC) take a back
seat to nebulous threats which have not been demonstrated to exist.
Actually it is the other way around.

Scammers have told us that they use zone files for their scams. This is not
hypothethical - this has happened with the .nz zone before it was
restricted. And those scammers actually went and defrauded .nz registrants
out of hundreds of thousands of dollars by using the zone file to get the
whois data (and yes there is significant rate limiting technology used on
the whois, but there are also scammers who use thousands of zombie machines
to not trigger the restrictions, even if it takes them a couple of months).
The scammers have actually said that the zone file data is very useful to
them, because otherwise they need to do dictionary attacks on the whois, and
they are much much easier to guard against.

I discussed the issue whether DNSSEC benefits outweighed the negatives of
open zone files with the CEO of .uk. He made the very valid (IMO) point
that the volume of complaints they have had about open zone files and whois
leading to domain name scams is some thousand times greater than the number
of complaints they have had (as in actual damage, not just a possibility)
about something which DNSSEC would have fixed.

My hope is that the specs for DNSSEC will either be modified to prevent zone
files being accessible, or that an acceptable patch will be developed, so
DNSSEC can be used on .nz.

But if that doesn't happen, well the way I see it that protecting .nz
registrants from spam and scams which have already costed .nz registrants
hundreds of thousands of dollars (and which did use a zone file), is in the
best interests of the Internet community.

Anyway thanks for elaborating on your reasons.


DPF
Juha Saarinen
2004-09-29 00:48:27 UTC
Permalink
Post by David Farrar
Scammers have told us that they use zone files for their scams. This is not
hypothethical - this has happened with the .nz zone before it was
restricted. And those scammers actually went and defrauded .nz registrants
out of hundreds of thousands of dollars by using the zone file to get the
whois data (and yes there is significant rate limiting technology used on
the whois, but there are also scammers who use thousands of zombie machines
to not trigger the restrictions, even if it takes them a couple of months).
The scammers have actually said that the zone file data is very useful to
them, because otherwise they need to do dictionary attacks on the whois, and
they are much much easier to guard against.
Hang on, I'm confused now. Aren't you mixing up DNS zones and whois
information there?

You're talking about Chesley Rafferty targetting .nz domain name
registrants by harvesting whois data, presumably?
--
Juha
Juha Saarinen
2004-09-29 00:52:17 UTC
Permalink
Post by David Farrar
Scammers have told us that they use zone files for their scams. This is not
hypothethical - this has happened with the .nz zone before it was
restricted. And those scammers actually went and defrauded .nz registrants
out of hundreds of thousands of dollars by using the zone file to get the
whois data (and yes there is significant rate limiting technology used on
the whois, but there are also scammers who use thousands of zombie machines
to not trigger the restrictions, even if it takes them a couple of months).
The scammers have actually said that the zone file data is very useful to
them, because otherwise they need to do dictionary attacks on the whois, and
they are much much easier to guard against.
You mean the scammers compiled a list of .nz domains from zone
transfers, and then used them for whois queries?
--
Juha
Joe Abley
2004-09-29 00:57:25 UTC
Permalink
Post by David Farrar
Post by Joe Abley
I have yet to see a convincing argument that the threat of
increased scamming due to open access to the zone imposes any
additional threat at all.
It seems odd to take the position that known threats against
the DNS that we can defend against (with DNSSEC) take a back
seat to nebulous threats which have not been demonstrated to exist.
Actually it is the other way around.
Scammers have told us that they use zone files for their scams.
How many scammers have told you that if it wasn't for zone files being
available, they would have no other way to launch their scams?
Post by David Farrar
[hysteria trimmed]
I discussed the issue whether DNSSEC benefits outweighed the negatives of
open zone files with the CEO of .uk. He made the very valid (IMO) point
that the volume of complaints they have had about open zone files and whois
leading to domain name scams is some thousand times greater than the number
of complaints they have had (as in actual damage, not just a
possibility)
about something which DNSSEC would have fixed.
This sounds like a suprious argument to me. How many complaints would
you expect to receive from people who believe everything they read on
the Internet? If someone decides to impersonate a stores web page and
does a good job at it, how many users would ever suspect that was how
their credit card details got stolen?
Post by David Farrar
My hope is that the specs for DNSSEC will either be modified to prevent zone
files being accessible, or that an acceptable patch will be developed, so
DNSSEC can be used on .nz.
I don't see any signs that that will happen. I think what is more
likely is that DNSSEC will continue to be deployed in other zones, and
zones under NZ will remain insecure.
Post by David Farrar
Anyway thanks for elaborating on your reasons.
Any time.


Joe
jfp
2004-09-29 01:02:12 UTC
Permalink
Post by Juha Saarinen
Hang on, I'm confused now. Aren't you mixing up DNS zones and whois
information there?
You're talking about Chesley Rafferty targeting .nz domain name
registrants by harvesting whois data, presumably?
I'm assuming we're talking about the root nz zone here.

If you can do a zone transfer on the .nz domain, then you get a list of
all the domains currently setup (basically a list of all nz domains)
You can then walk through that and do a whois for each domain.
Spam heaven...


jfp.

------------------------------------------------------------------------
Jean-Francois Pirus <***@clearfield.com> Senior Software Engineer
Phone (+64-9) 358 2081 Clearfield Software Ltd
Fax (+64-9) 358 2083 4th Floor 8-10 Whitaker Place
Mob (+64-21) 640 779 P O Box 2348 Auckland, New Zealand
------------------------------------------------------------------------
b***@vacation.karoshi.com
2004-09-29 00:58:27 UTC
Permalink
Post by jfp
Post by Juha Saarinen
Hang on, I'm confused now. Aren't you mixing up DNS zones and whois
information there?
You're talking about Chesley Rafferty targeting .nz domain name
registrants by harvesting whois data, presumably?
I'm assuming we're talking about the root nz zone here.
If you can do a zone transfer on the .nz domain, then you get a list of
all the domains currently setup (basically a list of all nz domains)
You can then walk through that and do a whois for each domain.
Spam heaven...
jfp.
so... which is operationally more important,
DNS
or
whois?

which would you rather see turned off?

--bill
Juha Saarinen
2004-09-29 01:04:48 UTC
Permalink
Post by b***@vacation.karoshi.com
so... which is operationally more important,
DNS
or
whois?
which would you rather see turned off?
Turning off (or just anonymising) whois wouldn't break the Intarweb, but
it would have seriously undesirable effects.
--
Juha
b***@vacation.karoshi.com
2004-09-29 01:11:03 UTC
Permalink
Post by Juha Saarinen
Post by b***@vacation.karoshi.com
so... which is operationally more important,
DNS
or
whois?
which would you rather see turned off?
Turning off (or just anonymising) whois wouldn't break the Intarweb, but
it would have seriously undesirable effects.
Interweb?

what side effects do you think accrue from the effect of
turning off or anonymising whois? (both good and bad)

what side effects do you think accure from the effect of
turning off the DNS (both good and bad) ** i posit that
it is not reasonable to consider "anonymising" the DNS.
Post by Juha Saarinen
--
Juha
Juha Saarinen
2004-09-29 01:24:37 UTC
Permalink
Post by b***@vacation.karoshi.com
Interweb?
Kiwi in-joke, sorry.
Post by b***@vacation.karoshi.com
what side effects do you think accrue from the effect of
turning off or anonymising whois? (both good and bad)
Good, it may make spammer harvesting of email address a bit harder, and
perhaps also help prevent abuse like domain squatting/hijacking. Dubious
that it would though, and it would create more hoops for legitimate
registrants to jump through as well.

Bad, it'd make the registrants anonymous. I bet if .nz were to anonymise
whois, spammers would register all their throwaway domains here. If you
don't give out any whois information at all, it'd be hard to keep
details like nameserver records accurate.
Post by b***@vacation.karoshi.com
what side effects do you think accure from the effect of
turning off the DNS (both good and bad) ** i posit that
it is not reasonable to consider "anonymising" the DNS.
Ah, no, never suggested that. I don't think either can be anonymised.
--
Juha
Nicholas Lee
2004-09-29 01:42:42 UTC
Permalink
Post by Juha Saarinen
Post by b***@vacation.karoshi.com
what side effects do you think accrue from the effect of
turning off or anonymising whois? (both good and bad)
Good, it may make spammer harvesting of email address a bit harder, and
perhaps also help prevent abuse like domain squatting/hijacking. Dubious
that it would though, and it would create more hoops for legitimate
registrants to jump through as well.
Bad, it'd make the registrants anonymous. I bet if .nz were to anonymise
whois, spammers would register all their throwaway domains here. If you
don't give out any whois information at all, it'd be hard to keep
details like nameserver records accurate.
How about restricting access to whois information via a
registration-required web interface, rate limit access dependant on
GeoIP location, and make it difficult for scripts.

Increase the cost of massive data mine, but still allow reasonable (*)
access to information.


For example the Companies Office in NZ, and I've had a few whois queries
point to web interfaces instead.


(*) I've use whois info to inform people of viruses main times.

Nicholas
Russell Fulton
2004-09-29 06:05:23 UTC
Permalink
Post by Nicholas Lee
How about restricting access to whois information via a
registration-required web interface, rate limit access dependant on
GeoIP location, and make it difficult for scripts.
I gave up sending abuse notices to owners of infected machines when
several Asian registries started withholding information from whois
servers and forcing me to use web interfaces. I see thousands of abused
machines hitting our /16 every day. With an automated system I can
notify the registered owners (assuming the data is accurate) of many of
these system in the hope that they will clean up their machines and make
the Internet a safer place for us all. But automated system relies on
being able to get(at least halfway) structed data from whois.

My take on this is that spammers and scammers will get the information
anyway, why make it a little more difficult for them when the cost of
doing so is breaking legitimate uses of the services.

There is currently a very similar debate going on on the NZ ADSL list
over the presence of email addresses in the archive and the fact that
this is easy spam bait. My response to that argument is the same,
taking the email addresses out of archives will not slow spammers down
much but it will make the archives significantly less useful and lead to
more traffic on the lists.

Restricting access to zone files is a somewhat different issue, there
are very few legitimate reasons for someone to pull a whole domain from
a name server and almost all the time the administrator of the server
know exactly who needs to do it so restricting access makes sense.
--
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
Nicholas Lee
2004-09-29 06:48:54 UTC
Permalink
Post by Russell Fulton
There is currently a very similar debate going on on the NZ ADSL list
over the presence of email addresses in the archive and the fact that
this is easy spam bait. My response to that argument is the same,
taking the email addresses out of archives will not slow spammers down
much but it will make the archives significantly less useful and lead to
more traffic on the lists.
Actually I thought about this a little. I think it does have some
differences.

Particular being able to cross-ref the zone file against the whois data
allows a more physical and structured attack. Like setting up a seal
team.

Where as spam harvesting of email is more like a blind folded shotgun
team.


Of course if the spammers are collection profile information by tracking
you with cookies then all bets are off.


Finally with email spam its possible to filter at the carrier, ISP
and user levels. With a targeted postal scam you can only filter at the
user level.

I agree though, that the information is out there. Some scammers already
have the cross-referenced data. Its not a easy problem to solve.

One argument might state that is a stupidity tax and that its up to the
users to filter, likely mostly do with spam. Another argument is that
people have a reasonable duty to make it harder to commit the scams. For
example, we do lock our doors now after all.


Possible some sort of system can be developed where trust people can
access the the whois data in a scriptable way. Like banks. Then again
its a global problem and our local views on trusted are hard to extend
overseas to someone who we can visit in person.


I think if its possible its worth trying to increase the entry cost to
access of the information. In some cases this might increase the
transactional cost of current users, but that's life. After all people
complain about speed limits all the time.



Its worth considering a similar set of data to the whois database which
is online: the Companies office. That includes information about private
addresses, specific company information,



Nicholas
Juha Saarinen
2004-09-29 07:01:34 UTC
Permalink
Post by Nicholas Lee
I think if its possible its worth trying to increase the entry cost to
access of the information. In some cases this might increase the
transactional cost of current users, but that's life. After all people
complain about speed limits all the time.
Why not just tell the .nz whois server to hand out the number to an SMS
responder? That'd take care of the added-cost and prevent bulk
harvesting, plus keep a record of who queries the whois. Everyone has
mobiles, so it wouldn't require any investment in client-side technology.

If you want to ratchet it up a notch, you could always have the whois
server give out the phone number to a real live person at InternetNZ,
for manual querying.

I'm sure the telcos would love to run such a system.
--
Juha
Jeremy Brooking
2004-09-30 02:21:20 UTC
Permalink
Post by Juha Saarinen
Why not just tell the .nz whois server to hand out the number to an SMS
responder?
Because when I'm querying for an answer, id like to ensure I get the
responce today.
Jamie Baddeley
2004-09-29 07:48:41 UTC
Permalink
Post by Nicholas Lee
With a targeted postal scam you can only filter at the
user level.
One argument might state that is a stupidity tax and that its up to the
users to filter,
One thing I've been wondering is why we seem to be more prepared to
constrain technical capability via policy, rather than distributing know
information to ensure end user education (The Internet being a great
vehicle for). I'm kind of surprised that promotion of technical
capability is something that apparently (AFAICT) needs to fought for
every step of the way. Colour me naive.

Why are we insisting on plugging the cracks in a fundamentally leaky
dam, rather than educating the population on what to do (or not do) when
they see water?

At very minimum it is a combination of the two. So far I have only seen
evidence on this thread of one approach.

The success rate of scams is inversely proportional to the level of
awareness. What are the various bodies that are guardians of The
Internet in NZ doing on the awareness front?

jamie
Hamish MacEwan
2004-09-29 08:23:49 UTC
Permalink
On Wed, 29 Sep 2004 19:48:41 +1200, Jamie Baddeley
Post by Jamie Baddeley
One thing I've been wondering is why we seem to be more prepared to
constrain technical capability via policy, rather than distributing know
information to ensure end user education (The Internet being a great
vehicle for). I'm kind of surprised that promotion of technical
capability is something that apparently (AFAICT) needs to fought for
every step of the way. Colour me naive.
Hear, hear.

It is frequently better to wear slippers than attempt to carpet the
world, according to the Australian philosopher, Bob Down.

Hamish.
--
http://del.icio.us/Hamish.MacEwan
David Farrar
2004-09-29 01:32:50 UTC
Permalink
Yes - absolutely. In a zone like .com with 30 million entries, and most
english words, the zone file is not that useful but in a zone of 160,000 it
makes life a lot easier for scammers.

DOF
-----Original Message-----
Sent: Wednesday, 29 September 2004 12:52 p.m.
To: NZ NOG
Cc: David Farrar
Subject: Re: [nznog] ns1,2,3,5.dns.net.nz hot being helpful
Post by David Farrar
Scammers have told us that they use zone files for their
scams. This
Post by David Farrar
is not hypothethical - this has happened with the .nz zone
before it
Post by David Farrar
was restricted. And those scammers actually went and
defrauded .nz
Post by David Farrar
registrants out of hundreds of thousands of dollars by
using the zone
Post by David Farrar
file to get the whois data (and yes there is significant rate
limiting technology used on the whois, but there are also scammers
who use thousands of zombie machines to not trigger the
restrictions,
Post by David Farrar
even if it takes them a couple of months).
The scammers have actually said that the zone file data is very
useful to them, because otherwise they need to do
dictionary attacks
Post by David Farrar
on the whois, and they are much much easier to guard against.
You mean the scammers compiled a list of .nz domains from
zone transfers, and then used them for whois queries?
--
Juha
David Farrar
2004-09-29 01:40:48 UTC
Permalink
-----Original Message-----
Sent: Wednesday, 29 September 2004 12:57 p.m.
To: David Farrar
Subject: Re: [nznog] ns1,2,3,5.dns.net.nz hot being helpful
Post by David Farrar
Post by Joe Abley
I have yet to see a convincing argument that the threat of
increased
Post by David Farrar
Post by Joe Abley
scamming due to open access to the zone imposes any
additional threat
Post by David Farrar
Post by Joe Abley
at all.
It seems odd to take the position that known threats
against the DNS
Post by David Farrar
Post by Joe Abley
that we can defend against (with DNSSEC) take a back seat
to nebulous
Post by David Farrar
Post by Joe Abley
threats which have not been demonstrated to exist.
Actually it is the other way around.
Scammers have told us that they use zone files for their scams.
How many scammers have told you that if it wasn't for zone
files being available, they would have no other way to launch
their scams?
I think the results speak for themselves. Since the zone file was
restricted there have been far fewer scams using the .nz whois data as the
old zone files out there get more and more stale.

One can never stop scams. One can minimise them though.
Post by David Farrar
My hope is that the specs for DNSSEC will either be modified to
prevent zone files being accessible, or that an acceptable
patch will
Post by David Farrar
be developed, so DNSSEC can be used on .nz.
I don't see any signs that that will happen. I think what is
more likely is that DNSSEC will continue to be deployed in
other zones, and zones under NZ will remain insecure.
ccTLDs discussed this issue at July ICANN. Don't take this as gospel, but I
don't think a single medium or large ccTLD is going to implement DNSSEC
unmodified. In fact the Europeans have said their privacy laws would give
them grief if they do. They, like .nz, are keen to be able to implement
DNSSEC and some of them are working on the patches I referred to. By the
end of the year it may be clear what is happening.


DPF
b***@vacation.karoshi.com
2004-09-29 02:01:45 UTC
Permalink
Post by David Farrar
ccTLDs discussed this issue at July ICANN. Don't take this as gospel, but I
don't think a single medium or large ccTLD is going to implement DNSSEC
unmodified.
I know of three that have indicated a rapid adoption of DNSSEC
is planned, once the IETF nails the specs. Rumour has it that
the IESG has ok'ed them, code is available.... give the registries
3-9months to hammer out the backoffice issues and I posit visable
DNSSEC signed zones mid-2005

then there are the other TLDs and the infrastructure stuff...
Verisign has an active testbed for signed .NET entries and
RIPE is certainly headed in the direction of signed reverse
trees.
Post by David Farrar
In fact the Europeans have said their privacy laws would give
them grief if they do. They, like .nz, are keen to be able to implement
DNSSEC and some of them are working on the patches I referred to. By the
end of the year it may be clear what is happening.
Some europeans have said the EU privacy laws are not germaine
to the DNS, since personal data is never exposed. Thats in
the whois data.
And it might be worthwhile to look at the recent APNIC policy
of restricting public access to registration data.

patches will have to go through the IETF and have code
written... there will likely be a several year wait
for such to be visable. meanwhile, the number of zones
protected by DNSSEC will grow. --- he sez looking into
his crystal ball... :)
Post by David Farrar
DPF
--bill
David Farrar
2004-09-29 01:56:17 UTC
Permalink
-----Original Message-----
Sent: Wednesday, 29 September 2004 1:11 p.m.
To: Juha Saarinen
Subject: Re: [nznog] so ... what is the real reason there is
whois anyway?
Post by Juha Saarinen
Post by b***@vacation.karoshi.com
so... which is operationally more important,
DNS
or
whois?
which would you rather see turned off?
Turning off (or just anonymising) whois wouldn't break the
Intarweb,
Post by Juha Saarinen
but it would have seriously undesirable effects.
Interweb?
what side effects do you think accrue from the effect of
turning off or anonymising whois? (both good and bad)
what side effects do you think accure from the effect of
turning off the DNS (both good and bad) ** i posit that
it is not reasonable to consider "anonymising" the DNS.
Just on that point, InternetNZ has just set up a working group
(http://www.dnc.org.nz/story/30180-29-1.html) to review the whois policy.
As far as I know the "great and holy powers that be" don't have any
pre-ordained conclusions as to the outcome, so once they call for it,
submission on desired changes will be most useful.

The whois issue is pretty controversial as internationally free speech
advocates, anti spam forces, law enforcement agencies, consumer and privacy
groups, technical groups all have fairly strong and difficult to reconcile
views on what data should be made available in response to whois queries.

If one did not have address, fax and e-mail data listed in the whois, then
there would be far less of a reason to restrict zone file transfers. But a
lot of people find that whois data very useful for legitimate reasons.
Thuis current policy is to list it all, but restrict bulk access to it, as
best as possible.


DPF
Robert Gray
2004-09-30 07:57:14 UTC
Permalink
Post by David Farrar
Just on that point, InternetNZ has just set up a working group
(http://www.dnc.org.nz/story/30180-29-1.html) to review the whois
policy. As far as I know the "great and holy powers that be" don't have
any pre-ordained conclusions as to the outcome, so once they call for
it, submission on desired changes will be most useful.
Sadly, this level of openness to other views was not something I found
within InternetNZ. The actual position of the .nz name holder appears to
Post by David Farrar
However the zone walking issue
is not a trivial one, and has put a major spanner in the works. If a
solution or workaround to it eventuates, then the original planned
implementation can happen. In the short-term I think we just have to wait
and see what eventuates.
Basically I read if you want DNSSEC, find another zone.

This does seem a strange outcome when the community of interest (NZNOG)
appear to want to see DNSSEC progress. (Yes I know the wider community
have interests however I suspect that there is insufficient
understanding of the issues for meaningful public debate to occur)

I suggest that those who support the call for trial implementation of
DNSSEC for .geek.nz and email InternetNZ (preferably off list), David
may be able to suggest the right course of action

Bob Gray
Keith Davidson
2004-09-30 08:24:42 UTC
Permalink
Post by Robert Gray
Basically I read if you want DNSSEC, find another zone.
Hmmm - which zones are offering DNSSEC currently?
Post by Robert Gray
This does seem a strange outcome when the community of interest (NZNOG)
appear to want to see DNSSEC progress. (Yes I know the wider community
have interests however I suspect that there is insufficient understanding
of the issues for meaningful public debate to occur)
I suggest that those who support the call for trial implementation of
DNSSEC for .geek.nz and email InternetNZ (preferably off list), David may
be able to suggest the right course of action
InternetNZ has already agreed to implement DNSSEC. Waiting for the
resolution of the issue of "walking the zone" appears prudent. Being the
first ccTLD to implement DNSSEC in its current form, purely to satisfy a
handful of NZNOGers, is hardly a responsible stewardship of the .nz
namespace, imho.

Keith Davidson
Juha Saarinen
2004-09-30 08:27:36 UTC
Permalink
Post by Keith Davidson
Hmmm - which zones are offering DNSSEC currently?
I believe .nl is one.
Post by Keith Davidson
InternetNZ has already agreed to implement DNSSEC. Waiting for the
resolution of the issue of "walking the zone" appears prudent. Being the
first ccTLD to implement DNSSEC in its current form, purely to satisfy a
handful of NZNOGers, is hardly a responsible stewardship of the .nz
namespace, imho.
Would .nz be the first though?
--
Juha
Robert Gray
2004-09-30 19:29:37 UTC
Permalink
Post by Keith Davidson
InternetNZ has already agreed to implement DNSSEC. Waiting for the
resolution of the issue of "walking the zone" appears prudent.
The debate about "walking the zone" has centered on whether this is
actually an issue, luminaries such as Joe Abley and Bill Manning have
suggested that it is not. Others, well DPF, has suggested that it is.
Post by Keith Davidson
Being the
first ccTLD to implement DNSSEC in its current form, purely to satisfy a
handful of NZNOGers, is hardly a responsible stewardship of the .nz
namespace, imho.
I don't recall any one on this list advocating that .nz should be first,
certainly I did not. Andy suggested that an implementation in .geek.nz
would be a sensible trial to determine if the societies fears are be
groundless or others.

That the society wishes to ignore the views, however well informed, of a
"handful of NZNOGers" speaks volumes about the need for industry
membership of InternetNZ. Why pay money to be ignored when you can be
ignored for free.
--
Robert Gray
***@brockhurst.co.nz
David Farrar
2004-09-29 02:35:26 UTC
Permalink
-----Original Message-----
Sent: Wednesday, 29 September 2004 2:02 p.m.
To: David Farrar
Cc: 'NZ NOG'
Subject: Re: [nznog] ns1,2,3,5.dns.net.nz hot being helpful
patches will have to go through the IETF and have code
written... there will likely be a several year wait
for such to be visable. meanwhile, the number of zones
protected by DNSSEC will grow. --- he sez looking into
his crystal ball... :)
I should point out that there is no barrier to signing the .nz zone itself
as the contents of that zone are well known and public (only 14 records).

The issue is with signing the 2LDs.

It is possible that in a moderated 2LD such as govt.nz, the 2LD community
and moderator might decide that they don't mind their zone file being
accessible (as I suspect almost all govt.nz domains are easily found or
listed anyway), and one could implement DNSSEC just on that 2LD.

DPF
Perry Lorier
2004-09-29 02:45:54 UTC
Permalink
Post by David Farrar
I should point out that there is no barrier to signing the .nz zone itself
as the contents of that zone are well known and public (only 14 records).
The issue is with signing the 2LDs.
It is possible that in a moderated 2LD such as govt.nz, the 2LD community
and moderator might decide that they don't mind their zone file being
accessible (as I suspect almost all govt.nz domains are easily found or
listed anyway), and one could implement DNSSEC just on that 2LD.
Isn't this what geek.nz was originally for ?[1]


[1]: http://troublemaking.geek.nz/doc/geek-implementation-02.html
Joe Abley
2004-09-29 02:51:04 UTC
Permalink
Post by David Farrar
It is possible that in a moderated 2LD such as govt.nz, the 2LD community
and moderator might decide that they don't mind their zone file being
accessible (as I suspect almost all govt.nz domains are easily found or
listed anyway), and one could implement DNSSEC just on that 2LD.
I suspect almost all co.nz, org.nz, gen.nz, etc zones are just as easy
to find as the zones under govt.nz. I don't really understand why
you've singled out govt.nz for special treatment in this thought
experiment.

However, it sounds very much like the .nz manager has already made up
its mind on this regardless of the opinions of anybody here, so there
doesn't seem to be much point in throwing any more logic at the policy.

(And to all the people who sent me private mail saying "but what about
geek.nz? That's going to be signed, because that's what it was created
for." Yeah, that's what I thought too. Apparently not.)


Joe
Andy Linton
2004-09-29 03:28:18 UTC
Permalink
Post by Joe Abley
(And to all the people who sent me private mail saying "but what about
geek.nz? That's going to be signed, because that's what it was created
for." Yeah, that's what I thought too. Apparently not.)
I'm pretty sure I recall discussions with the DNC about the setting up of
'geek.nz' where we asked about getting the zone signed and agreed to wait
until the whole of .nz would be signed. The discussion went along the lines
'you want DNSSEC signing of the new 'geek.nz' zone? that's a good idea. why
don't we do it for all of NZ'

Now there appear to be doubts from the managers of the nz tld about signing
the whole zone - I don't agree with them but if that's their stance, can we
have signing of geek.nz back on the agenda please.

This will do two things:

1) It will provide operational experience in doing the DNSSEC thing
2) It will provide a test bed to see if those in 'geek.nz' get scammed,
spammmed, slammed, jammed, damned .... as a result.
Keith Davidson
2004-09-29 03:49:12 UTC
Permalink
Why is it that IANA and the Root Server operators seem generally averse to
using DNSSEC in its current form?

Keith Davidson
Post by Andy Linton
I'm pretty sure I recall discussions with the DNC about the setting up of
'geek.nz' where we asked about getting the zone signed and agreed to wait
until the whole of .nz would be signed. The discussion went along the
lines 'you want DNSSEC signing of the new 'geek.nz' zone? that's a good
idea. why don't we do it for all of NZ'
Now there appear to be doubts from the managers of the nz tld about
signing the whole zone - I don't agree with them but if that's their
stance, can we have signing of geek.nz back on the agenda please.
1) It will provide operational experience in doing the DNSSEC thing
2) It will provide a test bed to see if those in 'geek.nz' get scammed,
spammmed, slammed, jammed, damned .... as a result.
b***@vacation.karoshi.com
2004-09-29 04:02:20 UTC
Permalink
whatever gixes you that impression?
Post by Keith Davidson
Why is it that IANA and the Root Server operators seem generally averse to
using DNSSEC in its current form?
Keith Davidson
Post by Andy Linton
I'm pretty sure I recall discussions with the DNC about the setting up of
'geek.nz' where we asked about getting the zone signed and agreed to wait
until the whole of .nz would be signed. The discussion went along the
lines 'you want DNSSEC signing of the new 'geek.nz' zone? that's a good
idea. why don't we do it for all of NZ'
Now there appear to be doubts from the managers of the nz tld about
signing the whole zone - I don't agree with them but if that's their
stance, can we have signing of geek.nz back on the agenda please.
1) It will provide operational experience in doing the DNSSEC thing
2) It will provide a test bed to see if those in 'geek.nz' get scammed,
spammmed, slammed, jammed, damned .... as a result.
_______________________________________________
NZNOG mailing list
http://list.waikato.ac.nz/mailman/listinfo/nznog
Joe Abley
2004-09-29 11:18:04 UTC
Permalink
Post by Keith Davidson
Why is it that IANA and the Root Server operators seem generally
averse to using DNSSEC in its current form?
When I talked to John Crain and Doug Barton in Suva at the APNIC
meeting, they told me that they expected the root zone to be signed
according to the current DNSSEC spec within 9 months. They were
speaking for themselves, and not for IANA in any formal sense (but
since IANA pretty much is John Crain and Doug Barton, it's not clear
that IANA's position would be different). I detected no aversion to
DNSSEC in its current form at all.

The root server operators have voiced no concerns, either. In fact,
several of the root server operators have been very active in defining
the current spec of DNSSEC.


Joe
David Farrar
2004-09-29 04:56:22 UTC
Permalink
-----Original Message-----
Sent: Wednesday, 29 September 2004 3:28 p.m.
To: 'NZ NOG'
Subject: Re: [nznog] ns1,2,3,5.dns.net.nz hot being helpful
Post by Joe Abley
(And to all the people who sent me private mail saying "but
what about
Post by Joe Abley
geek.nz? That's going to be signed, because that's what it
was created
Post by Joe Abley
for." Yeah, that's what I thought too. Apparently not.)
I'm pretty sure I recall discussions with the DNC about the
setting up of 'geek.nz' where we asked about getting the zone
signed and agreed to wait until the whole of .nz would be
signed. The discussion went along the lines 'you want DNSSEC
signing of the new 'geek.nz' zone? that's a good idea. why
don't we do it for all of NZ'
Yep that was exactly that. In fact I facilitated the meeting to recommend
this as policy, and got both INZ and NZRS to sign off on implementing
DNSSEC.

However the issue of DNSSEC allowing the zone file to be revealed only
became apparent at a later stage. This meant that implementing DNSSEC would
breach existing .nz policy. This has caused large number of ccTLDs to state
they can not implement DNSSEC unless it is modified.

To find out how best to resolve this issue, a technical staffer was sent to
the last ICANN meeting to get the latest updates from .nl, Steve Crocker,
other ccTLDs about what is probably and possible. The hope is that as
DNSSEC specs had not been signed off, they could be modified to prevent the
publication of the zone. As I said many ccTLDs said they would absolutely
adopt DNSSEC if this issue could be addressed.

The position of .nz is to wait and see the final shape of DNSSEC, and delay
implementation until this is known.
Now there appear to be doubts from the managers of the nz tld
about signing the whole zone - I don't agree with them but if
that's their stance, can we have signing of geek.nz back on
the agenda please.
The problem with this is that geek.nz is unmoderated and that is very
different to a moderated domain. A moderator does effectively speak for
their 2LD registrants. Who speaks for all 500 geek.nz registrants?

Also there could be a significant resistance from registrars to support
DNSSEC, if it only available on 0.3% of .nz domains. And unless there are
Registrars willing to test and implement it, then the Registry can't do
much.

.nz agreed to implement DNSSEC and IPv6 glue to .nz, as requested by various
people last year. It has introduced TSIG for the name servers, it will soon
have Ipv6 glue working and it did agree to implement DNSSEC and had an
implementation schedule drawn up for this. However the zone walking issue
is not a trivial one, and has put a major spanner in the works. If a
solution or workaround to it eventuates, then the original planned
implementation can happen. In the short-term I think we just have to wait
and see what eventuates.

DPF
Joe Abley
2004-09-29 11:52:01 UTC
Permalink
Post by David Farrar
However the issue of DNSSEC allowing the zone file to be revealed only
became apparent at a later stage.
Incidentally, the by-product of NXT (now NSEC) which allows a zone to
be enumerated has been widely publicised for a long time (for years).
It is possible that you're suggesting that this is a new issue, or one
that has only recently been identified by the DNSSEC architects. This
is not true at all.

The NXT-walking feature of DNSSEC was most definitely raised at the
2002 ICANN meeting in Shanghai, to which InternetNZ sent people. I
helped teach a room full of ccTLD operators about DNSSEC immediately
before that meeting (with Bill Manning) and we definitely talked
through slides describing exactly how you could use NXT to extract the
full contents of a zone. The geek.nz/DNSSEC implementation discussions
didn't happen until the end of 2003.

Claiming that the NXT/NSEC-walking issue was not apparent at the time
that InternetNZ undertook to sign all second-level zones under NZ is
just disingenuous.


Joe
David Farrar
2004-09-29 05:35:53 UTC
Permalink
-----Original Message-----
Sent: Wednesday, 29 September 2004 1:56 p.m.
To: 'NZ NOG'
Subject: RE: [nznog] so ... what is the real reason there is
whois anyway?
Post by b***@vacation.karoshi.com
what side effects do you think accure from the effect of
turning off the DNS (both good and bad) ** i posit that
it is not reasonable to consider "anonymising" the DNS.
Just on that point, InternetNZ has just set up a working group
(http://www.dnc.org.nz/story/30180-29-1.html) to review the
whois policy.
As far as I know the "great and holy powers that be" don't
have any pre-ordained conclusions as to the outcome, so once
they call for it, submission on desired changes will be most useful.
Sorry to follow up my own post, but in a coincidence of great timing, the
DNC Office has just a few minutes ago announced (at
http://www.dnc.org.nz/story/30188-29-1.html) that feedback on the whois
policy is now able to be made to the working group. A consultation paper is
at http://dnc.org.nz/content/whois_paper_1.html and it covers what
information should be displayed, what query options there should be, and
security & system access issues.


DPF
Frank March
2004-09-30 21:34:35 UTC
Permalink
-----Original Message-----
From: Robert Gray [mailto:***@brockhurst.co.nz]
Sent: Friday, 1 October 2004 7:30 a.m.
Post by Keith Davidson
InternetNZ has already agreed to implement DNSSEC. Waiting for the
resolution of the issue of "walking the zone" appears prudent.
The debate about "walking the zone" has centered on whether this is
actually an issue, luminaries such as Joe Abley and Bill Manning have
suggested that it is not. Others, well DPF, has suggested that it is.

-----------------------------------
The debate is much wider than this. It amounts to whether or not a
technical standard circumvents a wider policy issue relating to access to
the zone file and WHOIS data. It is an international debate - although as
far as .nz is concerned it is an issue of local Internet community concern.
There is a tension between those concerned with the technical issues
relating to the DNSSEC standard and those concerned with public policy
issues - the problem plainly arises from a failure on the part of the
standards setters to take the wider policy issues into account...
Unfortunate, but certainly understandable.

Whether .geek.nz should have a difference policy set from the other
unmoderated .nz 2LDs was debated at the time it was established... The
outcome has been well canvassed on this list and I will not repeat it.

The policy relating to release of the .nz zone file has been recently
reviewed and all received views taken into account. The zone file will be
released at the discretion of the NZOC and (ultimately) InternetNZ Council
provided that there is a clear public interest and the party concerned is
prepared to sign up to strict usage criteria.

Timing (not the principle) of DNSSEC implementation is also under constant
review.

All of these matters have been debated in public, there are no hidden
agendas, the only concerns have been the best stewardship of .nz in the
interests of all Internet users and, especially, those reliant on the .nz DN
space

According to Robert Gray:

<quote>That the society wishes to ignore the views, however well informed,
of a "handful of NZNOGers" speaks volumes about the need for industry
membership of InternetNZ. Why pay money to be ignored when you can be
ignored for free.</quote>

To which the only response I can make is that democracy does have its
downside for those who find themselves in the minority.


----
Frank March
Chair, .nz Oversight committee

_______________________________________________
NZNOG mailing list
***@list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

http://www.govt.nz - connecting you to New Zealand central & local government services

Any opinions expressed in this message are not necessarily those of the Ministry of Economic Development. This message and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient or the person responsible for delivery to the intended recipient, be advised that you have received this message in error and that any use is strictly prohibited. Please contact the sender and delete the message and any attachment from your computer.
b***@vacation.karoshi.com
2004-10-01 16:27:16 UTC
Permalink
-----Original Message-----
Sent: Friday, 1 October 2004 7:30 a.m.
Post by Keith Davidson
InternetNZ has already agreed to implement DNSSEC. Waiting for the
resolution of the issue of "walking the zone" appears prudent.
The debate about "walking the zone" has centered on whether this is
actually an issue, luminaries such as Joe Abley and Bill Manning have
suggested that it is not. Others, well DPF, has suggested that it is.
-----------------------------------
The debate is much wider than this. It amounts to whether or not a
technical standard circumvents a wider policy issue relating to access to
the zone file and WHOIS data.
flattery will get you nowhere. :) First off, (to Mr Grey)
I made no such suggestion. It is an issue, but the terms of
reference are cloudy. Below is an attempt to clarify.

the technical nits on zone enumeration vis usefulness to
spammers boils down to one of degree. e.g. how much of
the zone is needed to be useful to spammers and how current
the data needs to be.

spammers can and do use existing, well populated caching servers
to harvest domains or will "slow-poll" authoritatve servers to
build up their "client" lists. Coupling this database with
the (unfortunate) IETF sactioned suite of role-accounts gives
the perp a double opt-in database of active email addresses.
No DNSSEC tricks needed.

To protect against caching server pollution, DNSSEC will ensure
you are given back, in your DNSSEC-enabled query, the name of
the NEXT lable in the zone. This can be exploited to
enable "speed-walking" the zone. Trade off is cache server pollution
(injection of false records) vs. the potential of "speed-walking"
the zone.

Again, a question of degree. Remember that the technical standard
(DNS) allows for enumeration, be it partial or full, by using single
queries - and no overt, "wider" policy issues can overlook that
with impunity.

the fine points of "bulk" access, via FTP or AXFR, are well defined
in policies; no problems there. Whois data is almost orthoginal.
If it is released, no amount of DNS "hiding" will help. The
current debate rages around the speed of which one can query the
DNS to build up a copy of the zone data.... again, a question of
degree.

i hope this will be my last word on this topic in this venue.
Frank March
Chair, .nz Oversight committee
_______________________________________________
David Farrar
2004-09-30 23:19:52 UTC
Permalink
-----Original Message-----
Sent: Friday, 1 October 2004 7:30 a.m.
To: Keith Davidson
Subject: Re: [nznog] so ... what is the real reason there is
whois anyway?
Post by Keith Davidson
InternetNZ has already agreed to implement DNSSEC. Waiting for the
resolution of the issue of "walking the zone" appears prudent.
The debate about "walking the zone" has centered on whether
this is actually an issue, luminaries such as Joe Abley and
Bill Manning have suggested that it is not. Others, well DPF,
has suggested that it is.
Post by Keith Davidson
Being the
first ccTLD to implement DNSSEC in its current form, purely
to satisfy
Post by Keith Davidson
a handful of NZNOGers, is hardly a responsible stewardship
of the .nz
Post by Keith Davidson
namespace, imho.
I don't recall any one on this list advocating that .nz
should be first, certainly I did not. Andy suggested that an
implementation in .geek.nz would be a sensible trial to
determine if the societies fears are be groundless or others.
That the society wishes to ignore the views, however well
informed, of a "handful of NZNOGers" speaks volumes about the
need for industry membership of InternetNZ. Why pay money to
be ignored when you can be ignored for free.
I've been trying to wind this thread down, but feel I have to respond to
this. This is getting off-topic for which I apologise - I would suggest any
future correspondence be by direct e-mail or transfer to another appropriate
list.

I resent any implication of a view being ignored. I say that as the person
who spent many hours in trying to make sure that the desire of the geek.nz
proponents for IPv6 and DNSSEC did not undermine geek.nz being approved, and
that .nz did make progress on IPv6 and DNSSEC. Hence I have convened
meetnmgs of interested parties, and got policy approved by InternetNZ. I
have continued to take an active interest in both issues, and was very
disappointed when the zone file issue meant that to proceed would have
breached an already existing policy. And I am sure there would be outrage
if INZ dumped an existing long standing policy, without consultation.

There is a world of difference between a view being ignored, and a view not
being agreed with. I've been at meetings of the InternetNZ Council where I
think I was on the losing side of every vote. That's the nature of things.


And the fact that myself and Keith and others actually front up here and
debate issues, rather than the old days where decisions were never debated
in public, is a good thing IMO. It would in fact be easier to just ignore
what people say as Bob suggests, but I think that is a dumb way to operate.
In fact several people have told me that I should not have responded to
Joe's original e-mail saying he disagreed with the zone file policy, but it
is because I wanted to know his views, I streted what has now become a long
thread.

As someone who is not a technical guru, I treat the views of people like Joe
and Andy with a hell of a lot of respect. But that is different from saying
I am going to agree with them automatically. And while they do a hell of a
lot more than me on DNSSEC, I actually know a hell of a lot more than most
people about how spammers and scammers do use zone file data for purposes
which are highly undesirable.


DPF
Loading...