

To: "Brian W. Spolarich" <briansp@walid.com>
Cc: James Seng/Personal <James@Seng.cc>, Kent Crispin <kent@songbird.com>, ietf-provreg@cafax.se
From: Patrick <patrick@gandi.net>
Date: Mon, 5 Feb 2001 20:38:15 +0100
Content-Disposition: inline
In-Reply-To: <IPEMICCPDPPICMIONJIOKEPGCBAA.briansp@walid.com>; from briansp@walid.com on Mon, Feb 05, 2001 at 02:29:58PM -0500
Sender: owner-ietf-provreg@cafax.se
User-Agent: Mutt/1.2.5i
Subject: Re: draft-hollenbeck-grrp-reqs-06 [Was Re: Interim Meeting]

On Mon, Feb 05, 2001 at 02:29:58PM -0500, Brian W. Spolarich took time to write:
>   I don't see as strong of a coupling between the hostnames associated with
> the authoritative nameservers for a domain and the hijacking problem.  It is
> ultimately what shows up in the NS records associated with the domain that
> matters.  I might choose to delegate foobar.com to ns1.myisp.net and
> ns2.myisp.net.  If someone registers nameservers ns1.foobar.com and
> ns2.foobar.com in the registry this is inconvenient and annoying, but not
> really a hijacking issue.

Right... because you do not use ns1.foobar.com and ns2.foobar.com as
nameservers. In your case, someone just polluted the database.
As soon as your domain uses ns{1,2}.foobar.com, you are hijacked...

That is inconvenient, since when the true owner wants to register
them for their true use, the Registry might not allow him to, since they
already exist (with bogus data). How do you control who can change
the IP?

>   In addition, I'm not sure that this coupling will work well in a very
> distributed context.  Let's say that I own 'foobar.com' today, registered
> through registrar 'spumco' and I have two nameservers running,
> ns1.foobar.com and ns2.foobar.com.  I want to register 'foobar.biz' and
> 'foobar.info', using my current nameservers, ns{1,2}.foobar.com.
> 
>   In order to complete the domain registration I'll have to register my
> nameservers into the .biz and .info registries.  Registrar 'spumco', who

No. You register a nameserver with an IP in the Registry only for
nameservers in the TLDs handled by the Registry.
That is, the Registry for .biz SHOULD NOT have the IP of ns1.foobar.com.
In your case you do not have to register ns{1,2}.foobar.com into the .biz
and .info Registries. You can merely register them if the registry
has nameserver handles, but you specifically DO NOT assign an IP
address to them (the Registrar should take care of that).

>   As a registrant, the thing that I care about is that the nameservers that
> I registered with my domain don't change unless I explicitly authorize the
> change.

That is the case, since you can register a nameserver only in a given
TLD and only through a given Registrar. That is, once only in all
cases.

>   I'm wondering if the problem here is the idea of having separate
> nameserver and domain objects.  In my mind, the nameserver is an attribute
> of the domain, and doesn't have any independent identity.  What problem does
> having the nameservers as separate entities solve?

If you use a nameserver in the domain, you need glue records, i.e. the
Registry needs to know the IP address of these nameservers.

If you consider the nameserver as an object (attributes: a name and
many IPs), with a handle for example (like at NSI now), many domains
can use the same nameserver object.
If its IP changes you have one change to make (in the nameserver
object). Otherwise you will need to change the IP of the nameserver
in all domain names using this nameserver. That is why things are
separate, I think.

Patrick.
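
The nameserver-as-object model discussed in this message, sketched as an added example; it is not part of the original e-mail, the requirements draft, or any registry's code. The `Registry` class and its method names are hypothetical, and the rule that only the registrar sponsoring the parent domain may create or re-address an in-zone nameserver is an assumption, shown as one possible answer to the question of who can change the IP.

```python
# Added illustration; all names are hypothetical. Assumes a single-label TLD.
class Registry:
    def __init__(self, tld):
        self.tld = tld
        self.domains = {}  # domain -> {"sponsor": registrar, "ns": [host names]}
        self.hosts = {}    # host name -> {"sponsor": registrar, "ips": set of IPs}

    def parent_domain(self, host):
        """Registered domain a host name falls under, or None if out of zone."""
        labels = host.lower().rstrip(".").split(".")
        in_zone = len(labels) >= 3 and labels[-1] == self.tld
        return ".".join(labels[-2:]) if in_zone else None

    def create_domain(self, registrar, name):
        self.domains[name] = {"sponsor": registrar, "ns": []}

    def create_host(self, registrar, host, ips=()):
        if host in self.hosts:
            raise ValueError("host object already exists")
        parent = self.parent_domain(host)
        if parent is None:
            if ips:  # a server named under another TLD: name only, no glue here
                raise ValueError("out-of-zone host must not carry an IP")
        else:
            dom = self.domains.get(parent)  # assumption: parent's sponsor only
            if dom is None or dom["sponsor"] != registrar:
                raise PermissionError("not the sponsor of " + parent)
            if not ips:
                raise ValueError("in-zone host needs an IP for glue")
        self.hosts[host] = {"sponsor": registrar, "ips": set(ips)}

    def set_ips(self, registrar, host, ips):
        if self.hosts[host]["sponsor"] != registrar:
            raise PermissionError("only the host's sponsor may change its IP")
        if self.parent_domain(host) is None or not ips:
            raise ValueError("glue is kept for in-zone hosts only, never empty")
        self.hosts[host]["ips"] = set(ips)  # one change, seen by every domain

    def delegate(self, registrar, domain, hosts):
        if self.domains[domain]["sponsor"] != registrar:
            raise PermissionError("not the sponsor of " + domain)
        if any(h not in self.hosts for h in hosts):
            raise ValueError("delegation refers to an unknown host object")
        self.domains[domain]["ns"] = list(hosts)

    def glue(self, domain):  # glue records published with this delegation
        return {h: sorted(self.hosts[h]["ips"])
                for h in self.domains[domain]["ns"] if self.hosts[h]["ips"]}
```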
