Most new domain names are malicious.

I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. Domains are cheap, domains are plentiful, and as a result most of them are dreck or worse.

Now that the root zone has been officially signed, what happens with ISC's DNSSEC Look-aside Validation Registry? The short answer is, it gets smaller, but does not go away, at least not today.

While having the root signed is a critically important step in the DNSSEC deployment effort, it is not the final step. It's the one that enables a lot of other zones such as Top Level Domains (TLDs) to be signed usefully. It removes the need for many stop-gap measures like certain TARs, and the need for TLD entries in ISC's DLV system.

To mix metaphors, my e-mail has been ringing off the hook after my previous article ("Perspectives on a DNS-CERT") and I've had to think deep and difficult thoughts about what we really mean by DNSCERT, and whether DNS-OARC really has the capability or really can grow the capability to operate such a thing. I've had some discussions with ICANN and with members of the DNS-OARC board and staff, and it's time I checkpointed the current state of my thinking about all this.

I seem to read all the time that open source projects must be less secure, since the bad guys can look through the source code to find vulnerabilities. I was pleased to see an article today that takes the point of view that security through obscurity is not the right direction and that open source projects can be more secure than competing proprietary software.