To:
"Sheer El-Showk" <sheer@saraf.com>, "Brian W. Spolarich" <briansp@walid.com>
Cc:
"Patrick" <patrick@gandi.net>, "Kent Crispin" <kent@songbird.com>, <ietf-provreg@cafax.se>
From:
"James Seng/Personal" <James@Seng.cc>
Date:
Wed, 7 Feb 2001 04:51:24 +0800
Sender:
owner-ietf-provreg@cafax.se
Subject:
Re: draft-hollenbeck-grrp-reqs-06 [Was Re: Interim Meeting]
Actually I was watching this lively discussion so I didn't want to interrupt. :-)

But yea, Sheer got my point. This is one place whereby certain policy (however reasonable it seems) leaks into the requirements/protocols.

-James Seng

----- Original Message -----
From: "Sheer El-Showk" <sheer@saraf.com>
To: "Brian W. Spolarich" <briansp@walid.com>
Cc: "Patrick" <patrick@gandi.net>; "James Seng/Personal" <James@Seng.cc>; "Kent Crispin" <kent@songbird.com>; <ietf-provreg@cafax.se>
Sent: Tuesday, February 06, 2001 11:17 PM
Subject: RE: draft-hollenbeck-grrp-reqs-06 [Was Re: Interim Meeting]

> Actually, all this is missing the point of the original (James')
> posting. What he was complaining about was that the authority to register
> a nameserver under a domain resided with the Registrar which held the
> domain, not the registrant. As a registrant I may register domain D1 with
> registrar R1, but want to register nameserver N1 within D1 (this is an
> important distinction -- the domain of nameservers for a particular
> domain is not restricted, eg foobar.com can have ns1.foobar.tv as its
> nameserver, but any nameservers being registered _within_ a domain
> must be registered by the source of authority for the domain -- the
> registrant or the registrar, eg only the owner of foobar.com should be
> able to register the nameserver ns1.foobar.com as a nameserver) with
> registrar R2. James was saying that there should be some kind of token of
> authority (a PGP key?? ;->) that allows me as a registrant to do
> authoritative things for my domain (like register a nameserver under
> it) through any registrar, not just the one with which I registered the
> domain.
>
> James, is that right?
>
> If it is, then I am definitely in agreement with the general sentiment. I
> don't think we should leave domain name authority in the hands of the
> registrars ... that's an implementation issue (ie per registry) and
> should certainly not be enforced by the protocol. I don't think, however,
> that this is enough ground to say that Scott's doc is a bad basis for a WG
> (I haven't actually looked over the revised version enough to say whether I
> like it or not).
>
> Sorry for that complex clarification. Hope it helps.
>
> Regards,
> Sheer
>
> On Mon, 5 Feb 2001, Brian W. Spolarich wrote:
>
> > | If anyone can register ns1.foobar.com & ns2.foobar.com (with IP) then
> > | basically anyone can hijack my domain (pointing www.foobar.com to
> > | whatever IP, etc...)
> > |
> > | Thus the nameservers must be only registered by the Registrar who has
> > | registered foobar.com, and the Registrar must ensure that only
> > | someone with authority on foobar.com (contacts) can create
> > | *.foobar.com
> > |
> > | There is no conflict possible in that case.
> > | A given nameserver can only be registered once (even if it is used in
> > | many domains) through only a given Registrar.
> >
> > Okay, I get it. :-) I figured it was something like that, but was having
> > a hard time with the language.
> >
> > I don't see as strong of a coupling between the hostnames associated with
> > the authoritative nameservers for a domain and the hijacking problem. It is
> > ultimately what shows up in the NS records associated with the domain that
> > matters. I might choose to delegate foobar.com to ns1.myisp.net and
> > ns2.myisp.net. If someone registers nameservers ns1.foobar.com and
> > ns2.foobar.com in the registry this is inconvenient and annoying, but not
> > really a hijacking issue.
> >
> > In addition, I'm not sure that this coupling will work well in a very
> > distributed context. Let's say that I own 'foobar.com' today, registered
> > through registrar 'spumco' and I have two nameservers running,
> > ns1.foobar.com and ns2.foobar.com. I want to register 'foobar.biz' and
> > 'foobar.info', using my current nameservers, ns{1,2}.foobar.com.
> >
> > In order to complete the domain registration I'll have to register my
> > nameservers into the .biz and .info registries. Registrar 'spumco', who
> > performed the 'foobar.com' registration, doesn't offer registrations with
> > .biz and .info, so I go to registrar 'blammo'.
> >
> > Does this mean that I cannot register my nameservers through 'blammo' with
> > .biz because 'spumco' holds the registration for 'foobar' in .com?
> >
> > This seems problematic.
> >
> > As a registrant, the thing that I care about is that the nameservers that
> > I registered with my domain don't change unless I explicitly authorize the
> > change.
> >
> > I'm wondering if the problem here is the idea of having separate
> > nameserver and domain objects. In my mind, the nameserver is an attribute
> > of the domain, and doesn't have any independent identity. What problem does
> > having the nameservers as separate entities solve?
> >
> > -bws
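The authorization rule debated in this thread (a host inside a registered domain may only be created by that domain's sponsoring registrar, while out-of-zone hosts are unrestricted), as an added example that is not part of the original messages, the draft, or any registry's code. The `Registry` class, `create_host`, `try_create`, and the choice to scope the check to each registry's own TLD are assumptions made for illustration.

```python
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised when a registrar may not create the requested host object."""


@dataclass
class Registry:
    """Toy model of one TLD registry (hypothetical, for illustration only)."""
    tld: str
    domains: dict = field(default_factory=dict)  # domain name -> sponsoring registrar
    hosts: dict = field(default_factory=dict)    # host name -> registrar that created it

    def superordinate(self, host):
        """Return the registered domain in this registry that contains host, if any."""
        labels = host.split(".")
        for i in range(1, len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def create_host(self, registrar, host):
        host = host.lower().rstrip(".")
        if host in self.hosts:
            # "A given nameserver can only be registered once"
            raise NotAuthorized(f"{host} already exists")
        if host.endswith("." + self.tld):
            # In-zone host: only the sponsor of the enclosing domain may create it.
            parent = self.superordinate(host)
            if parent is None:
                raise NotAuthorized(f"no registered domain contains {host}")
            if self.domains[parent] != registrar:
                raise NotAuthorized(f"{registrar} does not sponsor {parent}")
        # Out-of-zone hosts (e.g. ns1.foobar.tv in .com) are not restricted.
        self.hosts[host] = registrar
        return host


def try_create(registry, registrar, host):
    """Return True if the host object was created, False if it was refused."""
    try:
        registry.create_host(registrar, host)
        return True
    except NotAuthorized:
        return False
```

With the check scoped per registry as assumed here, 'blammo' is refused for ns1.foobar.com in .com but can create the same host name in .biz, where it is an out-of-zone host.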