Home page logo
/

interesting-people logo Interesting People mailing list archives

Re: Govt refuses to disclose .gov domain names
From: David Farber <dave () farber net>
Date: Wed, 4 Mar 2009 05:10:00 -0500



Begin forwarded message:

From: Dave CROCKER <dcrocker () bbiw net>
Date: March 3, 2009 9:08:13 PM EST
To: dave () farber net
Cc: Steve Crocker <steve () shinkuro com>, "ip" <ip () v2 listbox com>, Rich Kulawiec <rsk () gsp org>, "Yiorgos [George] Adamopoulos" <yiorgos () tee gr>, Tom Claburn <tclaburn () techweb com>
Subject: Re: [IP] Re:   Govt refuses to disclose .gov domain names




*From: *Steve Crocker <steve () shinkuro com <mailto:steve () shinkuro com>>
...
When DNS was designed many years ago, there was no concern about disclosure of names within a subdomain.
...
Your readers may choose to debate whether disclosure of subdomain names is or is not a security or privacy threat in general, or whether the U.S. Government should choose to disclose the subdomain names under .gov. I am not addressing either of those questions here.


Dave, et al,

The question that Steve is not addressing is the only one I took from the InformationWeek article: Why did the US Government invoke security concerns in denying a Freedom Of Information Act request? In the context of FOIA, "security" means national security. What is the national threat, in satisfying the request?

There are a variety of security-related DNS issues that are long- standing and are not specific to the US Government.

DNS privacy concerns typically pertain to personal privacy of the domain registrant, notably the associated Whois data, not simply the domain name, itself. The request was not for personal data, nor for Whois data. Remember that domain names in the public DNS are, by definition, public entries. So "privacy" seems doubly irrelevant to this refusal.

Also, as Steve notes, other aspects of DNS infrastructure protection, particularly against spoofing of DNS entries, dates back quite a ways. In fact, the effort on DNSSec was started under my watch as IETF Area Director for Middleware and when Steve was Area Director for Security, roughly 15 years ago.

Domain name scraping, to facilitate spamming, is also a long-standing issue, but with spam consuming 90-98% of the public email traffic, it's difficult to see how divulging .gov domain names will make that problem significantly worse.

If the US Government is concerned about "security" in terms of these long-standing DNS issues, it should say so. If it is concerned about security in terms of a national threat, it should equally explain that.

It should further explain why it the names were previously available, but now are not. What threats have changed?

d/
--

 Dave Crocker
 Brandenburg InternetWorking
 bbiw.net




-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]