the panix hijacking and icann's transfer policy

Milton Mueller mueller at SYR.EDU
Tue Jan 18 22:18:57 CET 2005


Marc:
Not quite sure whether a TLD would have helped panix yet, but I do
know that your analysis of Verisign and DNSSEC is not correct. The
reason DNSSEC cannot be implemented for .com is because there are so
many (tens of millions) of domain names in it. The processing
requirements of DNSSEC applied to that scale are a major problem.

But the root zone, which contains TLDs, does not now and never will
contain millions of records.

>>> Marc Schneiders <marc at schneiders.org> 1/18/2005 2:29:29 PM >>>
On Tue, 18 Jan 2005, at 12:04 [=GMT-0500], Milton Mueller wrote:

> This incident underscores one of the reasons why ICANN should have a
> policy of regularly adding TLDs to make them available for those who
> need and can operate them.

Though I agree about adding more TLDs, I don't see how it helps in
hijacking domains.

> Businesses and noncommercial services that depend entirely on a domain
> name may want to have the option of owning, rather than "renting," their
> domain in order to increase security.

Maybe we can learn something from the trade mark people here as
regards ownership of something that can also become defunct, if you
don't use it?

> According to my imperfect
> understanding, it is easier to implement DNSSEC at the TLD level than at
> the SLD level.

I have little understanding of DNSSEC too. I do understand enough
about it, I think, to know that it would not have helped panix.com.
Also the implementation is most difficult precisely at the TLD level.
An engineer from VeriSign is the one who has time and again pointed
out (on IETF mailing lists, when I still had time to read them) that
the present protocol is impossible for a zone the size of .com. It
would take ages and a very, very powerful machine to sign it.

Marc Schneiders


More information about the Ncuc-discuss mailing list