To: "Patrick" <patrick@gandi.net>
Cc: "James Seng/Personal" <James@Seng.cc>, "Kent Crispin" <kent@songbird.com>, <ietf-provreg@cafax.se>
From: "Brian W. Spolarich" <briansp@walid.com>
Date: Mon, 5 Feb 2001 14:29:58 -0500
Importance: Normal
In-Reply-To: <20010205200537.W1113@nohope.patoche.org>
Sender: owner-ietf-provreg@cafax.se
Subject: RE: draft-hollenbeck-grrp-reqs-06 [Was Re: Interim Meeting]

| If anyone can register ns1.foobar.com & ns2.foobar.com (with IP) then
| basically anyone can hijack my domain (pointing www.foobar.com to
| whatever IP, etc...)
|
| Thus the nameservers must be only registered by the Registrar who has
| registered foobar.com, and the Registrar must ensure that only
| someone with authority on foobar.com (contacts) can create
| *.foobar.com
|
| There is no conflict possible in that case.
| A given nameserver can only be registered once (even if it is used in
| many domains) through only a given Registrar.

  Okay, I get it. :-)  I figured it was something like that, but was having
a hard time with the language.

  I don't see as strong of a coupling between the hostnames associated with
the authoritative nameservers for a domain and the hijacking problem.  It is
ultimately what shows up in the NS records associated with the domain that
matters.  I might choose to delegate foobar.com to ns1.myisp.net and
ns2.myisp.net.  If someone registers nameservers ns1.foobar.com and
ns2.foobar.com in the registry this is inconvenient and annoying, but not
really a hijacking issue.

  In addition, I'm not sure that this coupling will work well in a very
distributed context.  Let's say that I own 'foobar.com' today, registered
through registrar 'spumco' and I have two nameservers running,
ns1.foobar.com and ns2.foobar.com.  I want to register 'foobar.biz' and
'foobar.info', using my current nameservers, ns{1,2}.foobar.com.

  In order to complete the domain registration I'll have to register my
nameservers into the .biz and .info registries.  Registrar 'spumco', who
performed the 'foobar.com' registration, doesn't offer registrations with
.biz and .info, so I go to registrar 'blammo'.

  Does this mean that I cannot register my nameservers through 'blammo' with
.biz because 'spumco' holds the registration for 'foobar' in .com?

  This seems problematic.

  As a registrant, the thing that I care about is that the nameservers that
I registered with my domain don't change unless I explicitly authorize the
change.

  I'm wondering if the problem here is the idea of having separate
nameserver and domain objects.  In my mind, the nameserver is an attribute
of the domain, and doesn't have any independent identity.  What problem does
having the nameservers as separate entities solve?

  -bws
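
Added illustration, not part of the original message: a minimal model of the rule in the quoted text (only the registrar sponsoring foobar.com may create hosts under it, and a given host is registered once), run against the spumco/blammo scenario. The Registry class, its method names and result strings are hypothetical, and treating a name outside the registry's own TLD as an external host that cannot be checked is an assumption of this sketch.

```python
from dataclasses import dataclass, field

@dataclass
class Registry:
    """Hypothetical single-TLD registry holding domain and host objects."""
    tld: str
    domains: dict = field(default_factory=dict)  # domain name -> sponsoring registrar
    hosts: dict = field(default_factory=dict)    # host name -> registrar that created it

    def parent_domain(self, host):
        """Return the registered domain in this registry that contains host, or None."""
        labels = host.split(".")
        for i in range(1, len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def create_host(self, registrar, host):
        host = host.lower().rstrip(".")
        # A given nameserver can only be registered once in this registry.
        if host in self.hosts:
            return "denied: host already registered"
        if host.endswith("." + self.tld):
            # In-zone name: only the sponsor of the parent domain may create it.
            parent = self.parent_domain(host)
            if parent is None:
                return "denied: no parent domain"
            if self.domains[parent] != registrar:
                return "denied: not sponsor of " + parent
            self.hosts[host] = registrar
            return "ok: in-zone"
        # Assumption: the parent lives in another registry, so sponsorship
        # cannot be checked here and the name is recorded as external.
        self.hosts[host] = registrar
        return "ok: external"

def demo():
    # Constructed data matching the names used in the message.
    com = Registry("com", domains={"foobar.com": "spumco"})
    biz = Registry("biz", domains={"foobar.biz": "blammo"})
    return [
        com.create_host("blammo", "ns1.foobar.com"),  # other registrar, in .com
        com.create_host("spumco", "ns1.foobar.com"),  # sponsor of foobar.com
        com.create_host("spumco", "ns1.foobar.com"),  # second registration
        biz.create_host("blammo", "ns1.foobar.com"),  # same name, in .biz
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```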