On Fri, Oct 01, 2004 at 09:34:35AM +1200, Frank March wrote:
From: Robert Gray [mailto:email@example.com]
Sent: Friday, 1 October 2004 7:30 a.m.
Keith Davidson wrote:
InternetNZ has already agreed to implement DNSSEC. Waiting for the
resolution of the issue of "walking the zone" appears prudent.
The debate about "walking the zone" has centered on whether this is
actually an issue; luminaries such as Joe Abley and Bill Manning have
suggested that it is not. Others, well, DPF, have suggested that it is.
The debate is much wider than this. It amounts to whether or not a
technical standard circumvents a wider policy issue relating to access to
the zone file and WHOIS data.
Flattery will get you nowhere. :) First off (to Mr Gray),
I made no such suggestion. It is an issue, but the terms of
reference are cloudy. Below is an attempt to clarify.
The technical nits on zone enumeration vis-a-vis usefulness to
spammers boil down to one of degree, e.g. how much of
the zone is needed to be useful to spammers and how current
the data needs to be.
Spammers can and do use existing, well-populated caching servers
to harvest domains, or will "slow-poll" authoritative servers to
build up their "client" lists. Coupling this database with
the (unfortunate) IETF-sanctioned suite of role accounts gives
the perp a double opt-in database of active email addresses.
No DNSSEC tricks needed.
To protect against caching server pollution, DNSSEC will ensure
you are given back, in your DNSSEC-enabled query, the name of
the NEXT label in the zone. This can be exploited to
enable "speed-walking" the zone. The trade-off is cache server pollution
(injection of false records) vs. the potential of "speed-walking".
Again, a question of degree. Remember that the technical standard
(DNS) allows for enumeration, be it partial or full, by using single
queries - and no overt, "wider" policy issues can overlook that.
The fine points of "bulk" access, via FTP or AXFR, are well defined
in policies; no problems there. Whois data is almost orthogonal.
If it is released, no amount of DNS "hiding" will help. The
current debate rages around the speed at which one can query the
DNS to build up a copy of the zone data.... again, a question of
I hope this will be my last word on this topic in this venue.
Chair, .nz Oversight committee
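An added illustration, not from the thread or from any DNSSEC implementation, of the mechanism the reply describes: the NSEC chain hands back the next owner name in canonical order, and a validating resolver uses exactly that span to check a negative answer. The zone names below are constructed sample data.

```python
# Added example: NSEC chain construction and the denial-of-existence check a
# validator performs. Zone contents are constructed, not from the thread.

def canonical_key(name: str):
    """Sort key for DNSSEC canonical name order (RFC 4034 s6.1): labels are
    compared right to left, case-insensitively, and a name sorts before any
    name that has it as a suffix (so the apex comes first)."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(reversed(labels))

def build_nsec_chain(names):
    """Return {owner: next_owner} for every name in the zone, in canonical
    order. The last name points back to the apex, closing the chain; this is
    the 'NEXT label' that every negative answer necessarily discloses."""
    ordered = sorted(set(n.rstrip(".").lower() for n in names), key=canonical_key)
    return {owner: ordered[(i + 1) % len(ordered)] for i, owner in enumerate(ordered)}

def nsec_covers(owner, next_name, qname):
    """True if qname falls strictly between owner and next_name in canonical
    order. The last NSEC wraps around to the apex and covers the tail."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around record at the end of the chain

def denial_of_existence(chain, qname):
    """What a validating resolver checks on an NXDOMAIN answer: find the single
    NSEC record whose span covers qname. Returns (owner, next) when the name
    is proven absent, or None when the name exists (no span can cover it)."""
    q = qname.rstrip(".").lower()
    if q in chain:
        return None
    for owner, next_name in chain.items():
        if nsec_covers(owner, next_name, q):
            return (owner, next_name)
    raise ValueError("broken chain: no NSEC covers " + qname)

if __name__ == "__main__":
    chain = build_nsec_chain(["example.nz", "www.example.nz",
                              "alpha.example.nz", "mail.example.nz"])
    print(chain)
    print(denial_of_existence(chain, "beta.example.nz"))
```

The record returned for a nonexistent name is what proves the negative answer and what also names the next existing owner, which is the disclosure the thread is weighing against cache pollution.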