[ga] Re: Registries & Security Safeguards
On Thu, Sep 14, 2006 at 11:41:49AM -0700,
Danny Younger <dannyyounger@xxxxxxxxx> wrote
a message of 25 lines which said:

> "An expert

I may question the word "expert", regarding that document. There is a
lot of FUD, and few technical details (and mostly wrong).

> report released today concluded that in proposals for the .com,
> .biz, .info and .org registries, the Internet Corporation for
> Assigned Names and Numbers (ICANN) has failed to ensure adequate
> security safeguards."

Well, most readers of that list will be happy to learn that the DNS is
at risk because ICANN takes "bottom-up representation" *too* seriously
:-)

> The report, written by leading security technology expert Jerry
> Archer

Sic

> entitled "DNS -- A System in Crisis" recommends that oversight,
> planning and testing provisions be implemented in the proposals to
> run these registries before they are finalized.

Basically, it suggests moving ICANN to a sort of security agency,
exercising a very close and detailed monitoring of registries. I do
not even know if the US FAA monitors the airline companies as closely
as the "expert" would like the ICANN to monitor the registries
(including "on-site inspections").

Some stupid technical mistakes (the author seems to be very far from
DNS server management):

1) "ICANN has failed to develop competition or otherwise drive
diversity into DNS development, creating a monolithic DNS subject to
systemic attacks. DNS software is generally some version of
BIND. VeriSign is the notable exception, having developed its ATLAS
system in 2002."
[What, nsd or ANS do not exist? The "expert" does not even know that
Atlas is derived from BIND.]

2) Absolutely no mention of anycast (even when talking about the 2002
attack on the root name servers, which triggered its massive
deployment).