-----Original Message----- From: Joe Abley [mailto:jabley(a)isc.org] Sent: Wednesday, 29 September 2004 10:43 a.m. To: David Farrar Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] ns1,2,3,5.dns.net.nz hot being helpful
On 28 Sep 2004, at 18:27, David Farrar wrote:
Umm, if the reply won't be off-topic, why do you think restricting access to the entire .nz zone file is a bad thing?
Because being able to do a zone transfer is useful to debug things, and because a policy which prevents enumeration of the records in a zone will block deployment of a signed zone containing NSEC records.
One can apply for zone file access, it just isn't something one gets automatically.
I have yet to see a convincing argument that the threat of increased scamming due to open access to the zone imposes any additional threat at all.
It seems odd to take the position that known threats against the DNS that we can defend against (with DNSSEC) take a back seat to nebulous threats which have not been demonstrated to exist.
Actually it is the other way around. Scammers have told us that they use zone files for their scams. This is not hypothetical - this has happened with the .nz zone before it was restricted. And those scammers actually went and defrauded .nz registrants out of hundreds of thousands of dollars by using the zone file to get the whois data (and yes, there is significant rate limiting technology used on the whois, but there are also scammers who use thousands of zombie machines to not trigger the restrictions, even if it takes them a couple of months). The scammers have actually said that the zone file data is very useful to them, because otherwise they need to do dictionary attacks on the whois, and they are much, much easier to guard against.

I discussed the issue of whether DNSSEC benefits outweighed the negatives of open zone files with the CEO of .uk. He made the very valid (IMO) point that the volume of complaints they have had about open zone files and whois leading to domain name scams is some thousand times greater than the number of complaints they have had (as in actual damage, not just a possibility) about something which DNSSEC would have fixed.

My hope is that the specs for DNSSEC will either be modified to prevent zone files being accessible, or that an acceptable patch will be developed, so DNSSEC can be used on .nz. But if that doesn't happen, well, the way I see it, protecting .nz registrants from spam and scams which have already cost .nz registrants hundreds of thousands of dollars (and which did use a zone file) is in the best interests of the Internet community.

Anyway, thanks for elaborating on your reasons.

DPF
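The enumeration Joe refers to earlier in the thread, shown concretely as an added example that is not part of the original posts: an NSEC record is a signed statement "the next name in this zone after X is Y", and a DNSSEC server must hand it out to prove that a queried name does not exist. Chaining those "next" pointers together recovers every name in the zone, which is the same information an AXFR would give. The zone below (example.nz with four names) is constructed for the demonstration, and the server is simulated in-process, so nothing touches the network. (NSEC3, RFC 5155, later addressed this by publishing salted hashes of owner names instead of the names themselves.)

```python
"""
Walking an NSEC chain: why a signed zone can be enumerated even when zone
transfers are refused.  Constructed example zone, simulated server, no network.
"""


def canonical_key(name: str) -> tuple:
    """Sort key implementing RFC 4034 section 6.1 canonical DNS name order:
    labels compared right to left, case-insensitively, with a name sorting
    before its own subdomains (a shorter tuple is a prefix, so it is less)."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(reversed(labels))


# Constructed zone data (hypothetical names): one (owner, next owner, type
# bitmap) tuple per NSEC record.  The last record's "next" wraps to the apex,
# closing the chain.
ZONE_NSEC = [
    ("example.nz.", "a.example.nz.", ("SOA", "NS", "DNSKEY", "RRSIG", "NSEC")),
    ("a.example.nz.", "mail.example.nz.", ("A", "RRSIG", "NSEC")),
    ("mail.example.nz.", "www.example.nz.", ("A", "MX", "RRSIG", "NSEC")),
    ("www.example.nz.", "example.nz.", ("A", "AAAA", "RRSIG", "NSEC")),
]


def covers(owner: str, nxt: str, qname: str) -> bool:
    """True when the NSEC record owner->nxt proves qname does not exist,
    i.e. owner < qname < nxt in canonical order.  The final record in the
    chain has next == apex, so its range wraps around the end of the zone."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around case for the last record


def answer(qname: str) -> tuple:
    """Simulated authoritative server.  For an existing name it returns that
    name's NSEC record; for a nonexistent name it returns the covering NSEC
    record (the NXDOMAIN proof).  Both responses are required by DNSSEC, and
    both reveal a neighbouring name in the zone."""
    q = canonical_key(qname)
    for owner, nxt, types in ZONE_NSEC:
        if canonical_key(owner) == q:
            return owner, nxt, types
    for owner, nxt, types in ZONE_NSEC:
        if covers(owner, nxt, qname):
            return owner, nxt, types
    raise ValueError(f"{qname} is outside the zone")


def walk_zone(apex: str, max_steps: int = 100000) -> list:
    """Enumerate the zone by following NSEC 'next' pointers from the apex
    until the chain wraps back to it.  Returns (name, types) in zone order.
    max_steps guards against a server that hands out a broken (cyclic) chain."""
    found = []
    owner, nxt, types = answer(apex)
    while True:
        found.append((owner, types))
        if canonical_key(nxt) == canonical_key(apex):
            return found
        if len(found) >= max_steps:
            raise RuntimeError("NSEC chain did not return to the apex")
        owner, nxt, types = answer(nxt)


if __name__ == "__main__":
    # A single query for a name that does not exist already leaks two names.
    print("covering NSEC for b.example.nz.:", answer("b.example.nz."))
    for name, types in walk_zone("example.nz."):
        print(f"{name:20} {' '.join(types)}")
```

The second output line is the point: asking about `b.example.nz.`, which does not exist, returns the record `a.example.nz. NSEC mail.example.nz.`, so a querier who knew nothing about the zone now knows two of its names and can ask about `mail.example.nz.` next. Rate limiting the whois does not help, because the names arrive from the DNS itself.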