Not sure I see the relationship between malware spam and DNSSEC.
See below.
But we have real situtations where the opposite is true,
quite possibly more often than the other way around.
Hmm. Are you talking about SiteFinder-like services?
Not really. There turn out to be a significant number of domains, in the
hundreds of thousands at least, that are purely evil. Some host websites
with drive-by malware installs, with victims pointed there by links in
spam or various malicious SEO tricks in search engines. Some are command
and control (C&C) hosts that existing bots use to update themselves and
get new instructions. Last year the Conficker Working Group did a great
deal of quiet work preemptively registering or reserving the domains that
the conficker 'bot tried to use to contact C&C. See this for more info
http://www.confickerworkinggroup.org/wiki/pmwiki.php/TLD/TLDOperators
They were reasonably successful until the bad guys switched to ccTLDs that
were less cooperative about reserving domains. Unless you are a malware
researcher, it is overwhelmingly likely that any request for one of those
domains is from a 'bot, not from you, and if a large ISP like Comcast
intercepts them, it makes a significant difference to the amount of active
malware on their networks. I have even heard of ISPs redirecting C&C
requests to a local server that sends the bot instructions to turn itself
off. (I don't know whether Comcast does that, and I doubt they'd tell me
if I asked.)
As I said in a previous message, I am not a big fan of rewriting NXDOMAIN,
and I was on one of ICANN's advisory committees and helped them get rid of
Sitefinder, but if an ISP does it on consumer networks where there aren't
supposed to be servers, the damage from doing so is hard to show, so I'm
not inclined to make a big deal about it.
So anyway, there are some good reasons for ISPs to mess with the DNS
results their caches provide their users. If we ask them to use tools
that will keep them from doing so, it won't happen.
R's,
John
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf