New top-level domains a money grab and a mistake: Paul Vixie

DNS is what makes the internet relevant, says Vixie, with ICANN caving in to demands from the companies it's meant to be regulating indicating corruption.
Written by Stilgherrian , Contributor

Dr Paul Vixie, a pioneer of the internet's domain name system (DNS), has lashed out at the creation of hundreds of new top-level domains, ranging from .dog to .horse, and .cool to .porn, labelling them a money grab and a mistake.

Vixie, who is now the chief executive officer of Farsight Security, was speaking at the Ruxcon information security conference in Melbourne on Sunday about the importance of securing the internet's DNS infrastructure.

In response to an audience question about the Internet Corporation for Assigned Names and Numbers (ICANN) decision to create some 1900 new top-level domains in this first round alone, Vixie was blunt.

"I think it is a money grab. My own view is that ICANN functions as a regulator, and that as a regulator it has been captured by the industry that they are regulating. I think that there was no end-user demand whatsoever for more so-called DNS extensions, [or] global generic top-level domains (gTLDs)," he said.

Vixie sees the demand for the new domains as having come from "the people who have the budget to send a lot of people to every ICANN meeting, and participate in every debate", that is, the domain name registrars who simply want more names to sell, so they can make more money. But these new domains don't seem to be working.

"They're gradually rolling out, and they are all commercial failures," Vixie said.

"I'm sure that there will be another 2,000 of them sold, because $185,000 to pay the application fee for each one [is] chump change to the companies who want to make money doing this."

In Vixie's view, creating the new domains goes against ICANN's purpose.

"ICANN is a 501(c)(3) non-profit public charity [under the California Nonprofit Public Benefit Corporation Law], and their job is to serve the public, not to serve the companies... I think that until they can come up with an actual public benefit reason they should be creating more of these, they've got no cause to act," Vixie said.

"There should be no price at which you can buy .microsoft, but there is, and that's a mistake. That indicates corruption, as far as I'm concerned."

Vixie told his Ruxcon audience that while the internet has of course to enable global commerce, it has also enabled global crime. "Little old ladies" are no longer just able to be mugged in the street, they can now effectively be mugged from another country, with a much smaller chance of the criminal ever being caught.

"We have vastly increased the number of people who can attack our parents, and that bothers me. That is one of the reasons I chose internet security after I stopped being a developer, because I feel somewhat responsible for this, and I think that we have to do something about this," Vixie said.

"On the other hand, the criminals are very good. They recognise that they've got a good thing going here, and they exert constant market pressure of their own," he said.

That's one reason that domain names now cost "effectively nothing", because they can be bought with a stolen credit card, or in bulk for just pennies.

"The WHOIS privacy industry would not exist if not for criminals," Vixie said.

"There are plenty of folks [who] would like to say [that] for civil society purposes we need the ability for dissidents to register a domain name and complain about their own government, and not have to worry about getting their doors kicked in. Frankly, that is not a realistic scenario, and that is not the way that WHOIS privacy gets used," he said.

"We've also seen through Brian Krebs' work, there are plenty of registrars, registries, and ISPs that specialise, they cater to the criminal element. We've got businesses that exist for no purpose other than to enable the dark side of the economy. I hate that. And it is DNS, again, that makes all of that possible."

Vixie pointed out a clear difference between WHOIS and DNS, however.

"WHOIS, you can lie. You can put in an address that is not your own, or you can pay some WHOIS privacy provider to hide the identity of your domain name registration, or your IP address registration. And so investigators, both criminal and civil, have long learned that WHOIS is probably not going to help them much. They check it, but they don't expect any results," he said.

"DNS is not like that. If you lie in DNS, your sh*t doesn't work, and that gives us some power. It gives us some leverage."

Vixie called for Ruxcon attendees to implement technologies that can improve the integrity of DNS, because right now it can't be trusted -- technologies such as the Domain Name System Security Extensions (DNSSEC), DNS Response Rate Limiting (DNS RRL), and DNS Response Policy Zones (DNS RPZ).

DNSSEC, for example, generates big, cryptographically-signed responses, requiring more network resources than the lightweight responses of standard DNS, and it has "a whole lot of bugs", but it also has an upside.

"You can successfully authenticate that a response that came to you through the DNS came from the person whose domain name that is. That sounds like we wouldn't have an internet if we didn't have that, but in fact we don't have that. DNSSEC is not widely practised, so there is no reason at all for you to have any confidence in any response that you get from the DNS today," Vixie said.

"If you are deciding whether or not to trust somebody, or whether they are or are not your bank, based on what comes out of the DNS, then you're being naive. So you need this, [but] unfortunately you need everybody else to have it too, and they don't."

Vixie is therefore always interested in increasing the update of DNSSEC, despite its flaws.

"It will cause your pager to go off more, because if you validate responses, then every time somebody else screws up their key, you will hear about it. It'll be fun. You should try it."

Vixie also called for the replacement of the X.509 Certificate Authority (CA) system that's used to authenticate the encryption keys used by SSL and other encrypted internet protocols.

"The X.509 CA market is a disaster. There are 2000 or so companies out there who can create keys that all of our browsers will then believe the signatures from, and we have no accountability. We have no goddam idea who these 2000 companies are, except we know at least half of them are shell companies owned by nation states, so that they can create, when they need them, a key that matches their victim, so that they can intercept an SSL session somewhere without causing a pop-up," Vixie said.

"OK, this is a mistake. We need a do-over. DANE is that do-over," he said, referring to DNS-based Authentication of Named Entities.

"Instead of asking the X.509 CA in the keys file on your hard drive whether it trusts something, you go into the DNS and ask, 'What should the signature on this key be, and was that signature itself signed in DNSSEC so that I can trust it?', Vixie said.

"If we can get that working, that will be huge. It'll cost us a lot, because DNSSEC is flaky, but it will save us so much more than it will cost us, that we have to continue with this, even though I really view DNSSEC as a disaster, technically speaking."

DNS RRL throttles the frequency at which DNS information can be requested, reducing the the ability for DNS to be used in distributed denial of service (DDoS) attacks.

DNS RPS is system for using the knowledge held in DNS to create firewall rules. For example, you can prohibit connections from any domain that resolves to an IP address block known to have been associated with criminal activities.

"We have tested this where a single low-powered primary server containing your policy can have, let's say, 100 updates a second, which is insane, and 10,000 different customers subscribing to it, and it all just works," Vixie said.

DNS RPZ is already part of the BIND 9 DNS server, and will soon be included in Knot DNS from CZ.NIC, and in PowerDNS. Vixie said that "six or ten" companies are already publishing firewall rules in a suitable format.

Heading off criticism that DNS-based blocking is something that he campaigned against in his fight against the US Stop Online Piracy Act (SOPA) legislation, Vixie said it's all about choice.

"If you want to go do DNS blocking for yourself, go right ahead," he said.

"If you're going to mandate that it happen everywhere, and that all ISPs do it, that has a certain other impact. And it doesn't matter RPZ or other technology is used to create the impact that you don't want, it's the mandating thing that can't be done."

Editorial standards