Re: [ga] On Its Way: One of the Biggest Changes to the Internet

[jwkckid1@xxxxxxxxxxxxx]

Andy and all,

  Sorry I don't believe I understood your question below
in the context in which I responded to Chris's questions.
But I'll try to answer your question as I "Think" I
understand it in the context in which you ask it.
( See answers below your follow-on questions interspersed
below )

-----Original Message-----
>From: Andy Gardner <andy@xxxxxxxxxxxxxxx>
>Sent: Oct 12, 2007 1:12 AM
>To: ga DNSO <ga@xxxxxxxxxxxxxx>
>Subject: Re: [ga] On Its Way: One of the Biggest Changes to the Internet
>
>
>
>Please explain how a long idn domain beginning with xn-- is somehow  
>more dangerous to the DNS than any other ascii domain name of the  
>same limited character length?

  Ok, as your question reads, the correct simple answer is
it doesn't.  But Chris's question, which I answered on the
previous thread, had nothing to do with "xn" specifically.
However his question and my answer had everything to do with
long domain names and was not specific to ascii.  I did not
assume Chris's question was specific to ascii in my answer,
and I answered in as brief a manner as possible without reveling
how terrorist can or do use long domain names to garble poorly
designed and/or configured DNS applications.  I did not
give specifics as to how long domain names can be used for
hidden constructed mesages for terrorists activities.  
>
>Is xn-- some magical character sequence that terrorists came up with?

No, not as far as I know...
>
>Sheesh. This will be on Fox "News" next.
>
>
>
>On Oct 12, 2007, at 12:27 AM, jwkckid1@xxxxxxxxxxxxx wrote:
>
>>
>> Chris and all,
>>
>>   The answer is yes very easily.  The vulnerability will be
>> higest durring the early testing phase and some brief
>> time after full implimentation given that full implimentation
>> occurs.  I am relitively sure some undisclosed Chinese
>> IT hackers, perhaps working for the Chinese Govt. are
>> already prepaired to proceed accordingly.
>>
>>   Frankly I believe a seperate zone should have been built for
>> the testing phase, and for security reasons down the road
>> I would have insisted that a seperate zone for segmenting
>> off IDN's be maintained indefinately.  Seems the IANA/ICANN
>> is not that concerned for user's security, nor privacy
>> and potential damage which will insue accordingly.
>>
>> -----Original Message-----
>>> From: "Prophet Partners Inc." <Domains@xxxxxxxxxxxxxxxxxxx>
>>> Sent: Oct 12, 2007 12:38 AM
>>> To: ga@xxxxxxxxxxxxxx
>>> Subject: Re: [ga] On Its Way: One of the Biggest Changes to the  
>>> Internet
>>>
>>>
>>> Hi Karl,
>>>
>>> With the potential problems from long IDN names, could poorly  
>>> configured DNS
>>> applications possibly create situations of DNS instability? Could  
>>> criminal
>>> or terrorist organizations launch DoS attacks in this manner?
>>>
>>> Sincerely,
>>> Ted
>>> Prophet Partners Inc.
>>> http://www.ProphetPartners.com
>>> http://www.Premium-Domain-Names.com
>>>
>>>
>>> ----- Original Message -----
>>> From: "Karl Auerbach" <karl@xxxxxxxxxxxx>
>>> To: "Ram Mohan" <rmohan@xxxxxxxxxxxx>
>>> Cc: <ga@xxxxxxxxxxxxxx>
>>> Sent: Thursday, October 11, 2007 9:40 PM
>>> Subject: Re: [ga] On Its Way: One of the Biggest Changes to the  
>>> Internet
>>>
>>>
>>>>
>>>> Ram Mohan wrote:
>>>>
>>>>> Numerous other usability issues exist, including some  
>>>>> interesting ones
>>>>> such as searchability of IDN names and IDN TLDs.
>>>>
>>>> It's been a while since I last scanned SIP VoIP implementations  
>>>> for DNS
>>>> vulnerabilities.
>>>>
>>>> But when I last did it, I found that a lot of VoIP phones had  
>>>> weak DNS
>>>> resolving engines that could be easily confused/killed by long  
>>>> names (and
>>>> IDN names can get long) and long or strange CNAMEs.
>>>>
>>>> (It is amazing the devices than can be sent into the weeds by  
>>>> giving 'em a
>>>> SIP or HTTP URI/URL that contains a domain name that gets mapped  
>>>> via a
>>>> CNAME into something that is either very long or contains the  
>>>> full variety
>>>> of 8-bit characters without honoring the "hostname" character set
>>>> constraint.)
>>>>
>>>> Again, as you say, at the DNS layer, it's all just ASCII labels.   
>>>> And the
>>>> problems I saw weren't IDN problems, just weak DNS implementations.
>>>>
>>>> --karl--
>>>
>> =======
>>
>> 'Regards,
>> Jeffrey A. Williams
>> Spokesman for INEGroup LLA. - (Over 277k members/stakeholders strong!)
>> "Obedience of the law is the greatest freedom" -
>>    Abraham Lincoln
>>
>> "Credit should go with the performance of duty and not with what is  
>> very
>> often the accident of glory" - Theodore Roosevelt
>>
>> "If the probability be called P; the injury, L; and the burden, B;  
>> liability
>> depends upon whether B is less than L multiplied by
>> P: i.e., whether B is less than PL."
>> United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
>> ===============================================================
>> Updated 1/26/04
>> CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.  
>> div. of
>> Information Network Eng.  INEG. INC.
>> ABA member in good standing member ID 01257402 E-Mail  
>> jwkckid1@xxxxxxxxxxxxx
>>
>
=======

'Regards,
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 277k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx