On Fri, Oct 01, 2004 at 09:34:35AM +1200, Frank March wrote:
-----Original Message-----
From: Robert Gray [mailto:bob(a)brockhurst.co.nz]
Sent: Friday, 1 October 2004 7:30 a.m.

Keith Davidson wrote:
InternetNZ has already agreed to implement DNSSEC. Waiting for the resolution of the issue of "walking the zone" appears prudent.
The debate about "walking the zone" has centered on whether this is actually an issue; luminaries such as Joe Abley and Bill Manning have suggested that it is not. Others, well, DPF, have suggested that it is.
-----------------------------------

The debate is much wider than this. It amounts to whether or not a technical standard circumvents a wider policy issue relating to access to the zone file and WHOIS data.
Flattery will get you nowhere. :)

First off, (to Mr Gray) I made no such suggestion. It is an issue, but the terms of reference are cloudy. Below is an attempt to clarify.

The technical nits on zone enumeration vis-a-vis usefulness to spammers boil down to one of degree, e.g. how much of the zone is needed to be useful to spammers and how current the data needs to be. Spammers can and do use existing, well populated caching servers to harvest domains, or will "slow-poll" authoritative servers to build up their "client" lists. Coupling this database with the (unfortunate) IETF-sanctioned suite of role accounts gives the perp a double opt-in database of active email addresses. No DNSSEC tricks needed.

To protect against caching server pollution, DNSSEC will ensure you are given back, in your DNSSEC-enabled query, the name of the NEXT label in the zone. This can be exploited to enable "speed-walking" the zone. The trade-off is cache server pollution (injection of false records) vs. the potential of "speed-walking" the zone. Again, a question of degree.

Remember that the technical standard (DNS) allows for enumeration, be it partial or full, by using single queries, and no overt, "wider" policy issues can overlook that with impunity. The fine points of "bulk" access, via FTP or AXFR, are well defined in policies; no problems there.

Whois data is almost orthogonal. If it is released, no amount of DNS "hiding" will help. The current debate rages around the speed with which one can query the DNS to build up a copy of the zone data.... again, a question of degree.

I hope this will be my last word on this topic in this venue.
Frank March Chair, .nz Oversight committee
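A small model of the point made in the message above about the "NEXT label" in a signed negative answer, added here as an illustration and not code from anyone in this thread. It builds an NSEC-style chain over a constructed zone (the names are made up), shows what a denial-of-existence answer for a non-existent name discloses, and gives an operator an audit figure: with a plain NSEC chain the cost of learning every owner name is one negative answer per name, which is the "question of degree" the thread is arguing about. The canonical ordering follows RFC 4034 section 6.1; everything else (function names, the sample zone) is an assumption of this example.

```python
"""Toy model of DNSSEC NSEC denial of existence (added example, not from the thread).

The zone below is constructed for illustration only.
"""
import bisect


def canonical_key(name: str):
    # RFC 4034 s6.1 canonical DNS name order: compare labels right to left,
    # case-insensitively, as byte strings. Shorter names sort before longer
    # names that share their suffix, so the apex comes first.
    labels = name.lower().rstrip(".").split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def build_nsec_chain(owner_names):
    """Return (sorted owner names, {owner: next owner}) as an NSEC chain would."""
    names = sorted({n.lower().rstrip(".") for n in owner_names}, key=canonical_key)
    chain = {n: names[(i + 1) % len(names)] for i, n in enumerate(names)}  # last wraps to apex
    return names, chain


def nsec_for_nonexistent(names, chain, qname):
    """What a signed negative answer for qname carries: the NSEC of the closest
    preceding owner name, whose 'next' field names the following owner."""
    q = qname.lower().rstrip(".")
    if q in chain:
        raise ValueError("name exists; no NSEC denial needed")
    keys = [canonical_key(n) for n in names]          # already in canonical order
    idx = bisect.bisect_left(keys, canonical_key(q))
    owner = names[idx - 1] if idx > 0 else names[-1]  # closest predecessor (wraps)
    return owner, chain[owner]                        # (owner, next owner name)


def nsec_exposure(owner_names):
    """Defender's audit: follow the chain from the apex and count how many
    owner names a plain NSEC chain discloses, one per negative answer."""
    names, chain = build_nsec_chain(owner_names)
    seen, cur = [], names[0]
    while True:
        seen.append(cur)
        cur = chain[cur]
        if cur == names[0]:
            return len(seen), seen


# Constructed sample zone (hypothetical names, not a real delegation).
SAMPLE_ZONE = ["example.nz", "www.example.nz", "alpha.example.nz", "mail.example.nz"]

if __name__ == "__main__":
    names, chain = build_nsec_chain(SAMPLE_ZONE)
    print("canonical order:", names)
    print("negative answer for beta.example.nz discloses:",
          nsec_for_nonexistent(names, chain, "beta.example.nz"))
    print("names exposed by the chain:", nsec_exposure(SAMPLE_ZONE)[0])
```

Run as a script it prints the chain order and the pair of names a single negative answer reveals; `nsec_exposure` is the number an operator should compare against whatever rate limit or access policy is supposed to govern bulk access to the zone, since that is the enumeration cost the thread is weighing against cache pollution.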