mailing list archives
Re: Govt refuses to disclose .gov domain names
From: David Farber <dave () farber net>
Date: Wed, 4 Mar 2009 05:10:00 -0500
Begin forwarded message:
From: Dave CROCKER <dcrocker () bbiw net>
Date: March 3, 2009 9:08:13 PM EST
To: dave () farber net
Cc: Steve Crocker <steve () shinkuro com>, "ip" <ip () v2 listbox com>, Rich
Kulawiec <rsk () gsp org>, "Yiorgos [George] Adamopoulos"
<yiorgos () tee gr>, Tom Claburn <tclaburn () techweb com>
Subject: Re: [IP] Re: Govt refuses to disclose .gov domain names
*From: *Steve Crocker <steve () shinkuro com <mailto:steve () shinkuro com>>
When DNS was designed many years ago, there was no concern about
disclosure of names within a subdomain.
Your readers may choose to debate whether disclosure of subdomain
names is or is not a security or privacy threat in general, or
whether the U.S. Government should choose to disclose the subdomain
names under .gov. I am not addressing either of those questions here.
Dave, et al,
The question that Steve is not addressing is the only one I took from
the InformationWeek article: Why did the US Government invoke
security concerns in denying a Freedom Of Information Act request? In
the context of FOIA, "security" means national security. What is the
national threat, in satisfying the request?
There are a variety of security-related DNS issues that are long-
standing and are not specific to the US Government.
DNS privacy concerns typically pertain to personal privacy of the
domain registrant, notably the associated Whois data, not simply the
domain name, itself. The request was not for personal data, nor for
Whois data. Remember that domain names in the public DNS are, by
definition, public entries. So "privacy" seems doubly irrelevant to
Also, as Steve notes, other aspects of DNS infrastructure protection,
particularly against spoofing of DNS entries, dates back quite a
ways. In fact, the effort on DNSSec was started under my watch as
IETF Area Director for Middleware and when Steve was Area Director for
Security, roughly 15 years ago.
Domain name scraping, to facilitate spamming, is also a long-standing
issue, but with spam consuming 90-98% of the public email traffic,
it's difficult to see how divulging .gov domain names will make that
problem significantly worse.
If the US Government is concerned about "security" in terms of these
long-standing DNS issues, it should say so. If it is concerned about
security in terms of a national threat, it should equally explain that.
It should further explain why it the names were previously available,
but now are not. What threats have changed?
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com