Is domain name system vulnerable to slamming?


The communications protocol that enables competitive domain-name registration has come under attack by the Internet engineering community for failing to provide adequate precautions against slamming.

Slamming, a practice that has long plagued the telephone industry, is the unauthorized transfer of a customer's account from one company to another.

If domain-name slamming becomes common, companies risk losing ownership of their domain names during registration-oriented transactions, critics charge.

The Registry Registrar Protocol (RRP) lets accredited registrars record .com, .net and .org domain names in a central database operated by Network Solutions, Inc. (NSI) under contract with the U.S. Department of Commerce. NSI wrote RRP, which has been used to support domain name registrations since June, and insists that the protocol offers appropriate protections against slamming.

NSI has asked the Internet Engineering Task Force to publish RRP as an informational document. Recently, however, IETF members have circulated dozens of e-mail messages criticizing the design of the protocol as well as the process by which it was created.

"The protocol submitted by NSI for informal publication by the IETF is too flawed to be considered," says IETF member Ed Gerck, a security specialist who last year served on a panel that advised NSI on the design of a shared registration system protocol. "No one in the IETF [mailing] list supported the protocol as it is."

Patrik Faltstrom, co-director of the IETF's Applications Area and another member of NSI's advisory panel, says the protocol's design and security shortcomings are the result of having a single organization develop it in a short time frame. "I don't think the business requirements [for competitive registration] were available when the protocol started to be designed, so some things, like the transfer of one domain from one registrar to another, were not nailed down properly before someone had to implement it," he says.

RRP handles communications between registrars, which sell registration services to companies and individuals, and the central registry, which serves as the authoritative repository of information about reserved domain names. The protocol does not support communications between registrars and end users who purchase domain names. Based on the Transmission Control Protocol, RRP was deployed in the Commerce Department's Shared Registry System test bed, which ran from April until November of last year.

NSI disagrees with the criticisms leveled against RRP.

"The shared registration system includes multiple levels of security that provide a combination of privacy and authentication services for interaction with licensed and accredited registrars," says Scott Hollenbeck, an NSI engineer who helped draft the protocol. "All of the security layers would have to be breached before an intruder could gain access to private registry systems.

"Slamming is prevented by providing notification of all requested transfers to the current sponsoring registrar," he adds. "Transfers do not take place immediately; the sponsoring registrar has up to five days to respond to the request and may explicitly approve or reject the request at any time within the five-day pending period."

However, IETF members say the protocol's transfer command is flawed: it does not specify which registrar the domain name is to be transferred to. That information is instead conveyed in a separate e-mail. Critics of RRP say this gap means that, while a domain name is being moved from one registrar to another, its owner could lose it to a malicious registrar that then resells the name to someone else.

The IETF leadership is so concerned about RRP's transfer command that it has asked NSI for additional information about how the technology works.
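The two paragraphs above describe the transfer workflow from both sides: a TRANSFER request, a notice to the current sponsoring registrar, and a five-day pending period in which that registrar may explicitly approve or reject. The following is an added toy model of that workflow, not code from the article, from NSI or from the RRP specification. Registrar names, domain names and timestamps are constructed; what the registry does when the five days pass with no answer is not stated in the article, so it is exposed here as an assumed policy flag. The notice sent to the losing registrar carries only the domain and request time, reflecting the criticism that the command itself names no destination registrar and that this is left to out-of-band e-mail (which the model omits).

```python
"""Added example: toy model of the RRP transfer workflow as the article
describes it. Not code from the article, NSI or the RRP specification."""
import datetime as dt
from dataclasses import dataclass

PENDING_DAYS = 5  # the five-day pending period quoted in the article


@dataclass
class PendingTransfer:
    domain: str
    gaining: str              # registrar whose session issued the TRANSFER
    losing: str               # current sponsoring registrar, who must respond
    requested_at: dt.datetime
    status: str = "pending"   # pending | approved | rejected | timed-out


class Registry:
    """Holds domain -> sponsoring registrar plus the pending-transfer queue."""

    def __init__(self, approve_on_timeout: bool):
        # Assumption: the article does not say what silence after five days
        # means, so the outcome is a policy flag rather than a fixed rule.
        self.approve_on_timeout = approve_on_timeout
        self.sponsor = {}   # domain -> registrar id
        self.pending = {}   # domain -> PendingTransfer
        self.notices = []   # (to_registrar, notice dict) emitted by the registry
        self.audit = []     # one line per state change (registry's own log)

    def register(self, registrar, domain):
        self.sponsor[domain] = registrar
        self.audit.append(f"ADD {domain} sponsor={registrar}")

    def transfer(self, session_registrar, domain, now):
        """TRANSFER issued over the gaining registrar's authenticated session.

        The command carries no destination field; the registry knows the
        gaining registrar only from the session. The notice to the losing
        registrar therefore names just the domain and time; who is gaining
        is left to a separate e-mail, which this model does not send.
        """
        losing = self.sponsor[domain]
        if losing == session_registrar:
            raise ValueError("already the sponsoring registrar")
        if domain in self.pending:
            raise ValueError("transfer already pending")
        self.pending[domain] = PendingTransfer(domain, session_registrar, losing, now)
        self.notices.append((losing, {"domain": domain, "requested_at": now.isoformat()}))
        self.audit.append(f"TRANSFER-REQUEST {domain} by={session_registrar}")
        return "pending"

    def respond(self, session_registrar, domain, approve, now):
        """Explicit approve/reject by the losing registrar inside the window."""
        pt = self.pending[domain]
        if session_registrar != pt.losing:
            raise PermissionError("only the sponsoring registrar may respond")
        if now - pt.requested_at > dt.timedelta(days=PENDING_DAYS):
            raise ValueError("pending period has elapsed")
        return self._close(pt, "approved" if approve else "rejected")

    def expire(self, now):
        """Sweep transfers whose five-day window passed without a response."""
        closed = []
        for pt in list(self.pending.values()):
            if now - pt.requested_at > dt.timedelta(days=PENDING_DAYS):
                closed.append(self._close(pt, "approved" if self.approve_on_timeout else "timed-out"))
        return closed

    def _close(self, pt, status):
        pt.status = status
        if status == "approved":
            self.sponsor[pt.domain] = pt.gaining
        del self.pending[pt.domain]
        self.audit.append(f"TRANSFER-{status.upper()} {pt.domain} sponsor={self.sponsor[pt.domain]}")
        return status


def run_scenarios(approve_on_timeout):
    """Three constructed cases: explicit reject, explicit approve, silence."""
    t0 = dt.datetime(2000, 1, 10, 12, 0)
    reg = Registry(approve_on_timeout)
    domains = ("alpha.example", "beta.example", "gamma.example")
    for d in domains:
        reg.register("registrar-A", d)
    for d in domains:
        reg.transfer("registrar-B", d, t0)
    reg.respond("registrar-A", "alpha.example", approve=False, now=t0 + dt.timedelta(days=1))
    reg.respond("registrar-A", "beta.example", approve=True, now=t0 + dt.timedelta(days=2))
    reg.expire(t0 + dt.timedelta(days=6))  # gamma: no answer inside the window
    return {
        "sponsor": dict(reg.sponsor),
        "notice_fields": sorted(reg.notices[0][1].keys()),
        "audit": reg.audit,
    }


if __name__ == "__main__":
    for policy in (True, False):
        print(f"approve_on_timeout={policy}: {run_scenarios(policy)['sponsor']}")
```

Running it shows the practical point of the dispute: an explicit reject inside the window keeps the name with the current registrar, an explicit approve moves it, and the fate of a name whose sponsor never answers depends entirely on the registry's timeout policy. The notice the losing registrar receives contains no gaining-registrar field, so the decision to approve or reject has to rest on the out-of-band e-mail, which is exactly what the critics object to. The only record of who did what is the registry's own `audit` list; the transport layer adds nothing to it.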

Certificates needed?

Another criticism of RRP is that it identifies registrars with passwords rather than with the stronger method of certificates. The concern is that if the central registry were compromised, every registrar's password could be exposed at once and would have to be replaced.

"Digital certificates are required for connection to the RRP service, but user ID and passwords are required to initiate a session," explains Rick Wesson, an IETF member and a senior software engineer at Alice's Registry Tools. "Certificates should be used instead of User ID and passwords."

Internet engineers also complain that RRP relies on the Secure Sockets Layer protocol for its security: SSL protects the session in transit but leaves no signed record of the individual commands, so it provides no audit trail for resolving domain-name disputes.

Wesson agrees that RRP does not prevent slamming, but he says registrars will have little economic incentive to switch customers without authorization. "A transfer costs [the same as] a one-year renewal, so what incentive does a registrar have to slam if they are not receiving payment before the transfer?" he asks. "Slamming doesn't appear to be a big threat."

Companies concerned about the privacy and security of their domain names should consider becoming an accredited registrar, the IETF's Gerck recommends.

"This is the only way that they could be in control of their Internet identity and deal directly with the registry," he says.
