-----Original Message-----
From: Joe Abley [mailto:jabley(a)isc.org]
Sent: Wednesday, 29 September 2004 12:57 p.m.
To: David Farrar
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] ns1,2,3,5.dns.net.nz hot being helpful

On 28 Sep 2004, at 20:42, David Farrar wrote:
I have yet to see a convincing argument that the threat of increased scamming due to open access to the zone imposes any additional threat at all.
It seems odd to take the position that known threats against the DNS that we can defend against (with DNSSEC) take a back seat to nebulous threats which have not been demonstrated to exist.
Actually it is the other way around.
Scammers have told us that they use zone files for their scams.
How many scammers have told you that if it wasn't for zone files being available, they would have no other way to launch their scams?
I think the results speak for themselves. Since the zone file was restricted there have been far fewer scams using the .nz whois data as the old zone files out there get more and more stale. One can never stop scams. One can minimise them though.
My hope is that the specs for DNSSEC will either be modified to prevent zone files being accessible, or that an acceptable patch will be developed, so DNSSEC can be used on .nz.
I don't see any signs that that will happen. I think what is more likely is that DNSSEC will continue to be deployed in other zones, and zones under NZ will remain insecure.
ccTLDs discussed this issue at July ICANN. Don't take this as gospel, but I don't think a single medium or large ccTLD is going to implement DNSSEC unmodified. In fact the Europeans have said their privacy laws would give them grief if they do. They, like .nz, are keen to be able to implement DNSSEC and some of them are working on the patches I referred to. By the end of the year it may be clear what is happening.

DPF