Home page logo
/

interesting-people logo Interesting People mailing list archives

Re: Govt refuses to disclose .gov domain names
From: David Farber <dave () farber net>
Date: Tue, 3 Mar 2009 08:54:20 -0500



Begin forwarded message:

From: Steve Crocker <steve () shinkuro com>
Date: March 3, 2009 8:42:35 AM EST
To: dave () farber net
Cc: Steve Crocker <steve () shinkuro com>, "ip" <ip () v2 listbox com>
Subject: Re: [IP] Re:   Govt refuses to disclose .gov domain names

[Resending with small typo fixed]

Dave, et al,

When DNS was designed many years ago, there was no concern about disclosure of names within a subdomain. Over a long period of time, a large portion of the community has come to consider this sensitive information. I won't argue the merits here. I am simply reporting a very clear shift in thinking that's taken place over a period of perhaps two decades. In many countries, the top level domain operators cite privacy laws as their reason for not disclosing the domain names.

In the original design of DNSSEC, the security protocol for DNS, a side effect of the mechanism (NSEC) within the design that provides an authenticated declaration that a requested subdomain does not exist is an ability to walk the zone efficiently and learn the names of all the subdomains that do exist. This side effect was deemed unacceptable in many quarters, leading to resistance to adopt DNSSEC and an additional round of design to create an alternative mechanism (NSEC3) to provide authenticated declaration of non-existence of a subdomain without disclosing the names of the existing neighbors of the requested name. Adding this additional mechanism has added a couple of years to the deployment of DNSSEC.

Your readers may choose to debate whether disclosure of subdomain names is or is not a security or privacy threat in general, or whether the U.S. Government should choose to disclose the subdomain names under .gov. I am not addressing either of those questions here. What I am saying, however, is that this is not a new question, a large number of zone operators have spoken forcefully on this subject, and, to the surprise of the community that developed the DNS security protocol, the requirement to keep the zone contents private emerged late in the process and had to be accommodated. All attempts to argue that this emergent requirement wasn't really needed -- and there were many -- failed. For what it's worth, the .gov policy is the same as many European countries' policy and others around the world.

Steve



On Mar 3, 2009, at 3:59 AM, David Farber wrote:



Begin forwarded message:

From: "Yiorgos [George] Adamopoulos" <yiorgos () tee gr>
Date: March 3, 2009 4:39:17 AM EST
To: David Farber <dave () farber net>
Cc: ip <ip () v2 listbox com>
Subject: Re: [IP] Govt refuses to disclose .gov domain names

On Tue, 3 Mar 2009, David Farber wrote:
The General Services Administration has made the rather surprising claim that it can’t reveal the list of .gov domains because doing so would represent a security risk:

http://www.informationweek.com/news/showArticle.jhtml?articleID=215600330

Interestingly engough I made a similar request to the .GR Hostmaster for a list of .GR domain names, back in 2007. The response that I got was that it was prohibited by their security policy.

What I can only speculate is, that given a list of domains, one can easily create fairly accurate spam lists and spam all of them. Depending the organization this may or may not seem like a reasonable precaution.

--
#include <std/disclaimer.h>



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com





-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault