To: "Brian W. Spolarich" <briansp@walid.com>
cc: Patrick <patrick@gandi.net>, James Seng/Personal <James@Seng.cc>, Kent Crispin <kent@songbird.com>, ietf-provreg@cafax.se
From: Sheer El-Showk <sheer@saraf.com>
Date: Tue, 6 Feb 2001 10:17:38 -0500 (EST)
In-Reply-To: <IPEMICCPDPPICMIONJIOKEPGCBAA.briansp@walid.com>
Sender: owner-ietf-provreg@cafax.se
Subject: RE: draft-hollenbeck-grrp-reqs-06 [Was Re: Interim Meeting]

Actually, all this is missing the point of (James') original
posting. What he was complaining about was that the authority to register
a nameserver under a domain resided with the Registrar which held the
domain, not the registrant. As a registrant I may register domain D1 with
registrar R1, but want to register nameserver N1 within D1 (this is an
important distinction -- the domain of nameservers for a particular
domain is not restricted, eg foobar.com can have ns1.foobar.tv as its
nameserver, but any nameservers being registered _within_ a domain
must be registered by the source of authority for the domain -- the
registrant or the registrar, eg only the owner of foobar.com should be
able to register the nameserver ns1.foobar.com as a nameserver) with
registrar R2. James was saying that there should be some kind of token of
authority (a PGP key?? ;->) that allows me as a registrant to do
authoritative things for my domain (like register a nameserver under
it) through any registrar, not just the one with which I registered the
domain.

James, is that right?

If it is, then I am definitely in agreement with the general sentiment. I
don't think we should leave domain name authority in the hands of the
registrars ... that's an implementation issue (ie per registry) and
should certainly not be enforced by the protocol. I don't think, however,
that this is enough ground to say that Scott's doc is a bad basis for a WG
(I haven't actually looked over the revised version enough to say whether I
like it or not).

Sorry for that complex clarification. Hope it helps.

Regards,
Sheer

On Mon, 5 Feb 2001, Brian W. Spolarich wrote:
> | If anyone can register ns1.foobar.com & ns2.foobar.com (with IP) then
> | basically anyone can hijack my domain (pointing www.foobar.com to
> | whatever IP, etc...)
> |
> | Thus the nameservers must be only registered by the Registrar who has
> | registered foobar.com, and the Registrar must ensure that only
> | someone with authority on foobar.com (contacts) can create
> | *.foobar.com
> |
> | There is no conflict possible in that case.
> | A given nameserver can only be registered once (even if it is used in
> | many domains) through only a given Registrar.
>
> Okay, I get it. :-) I figured it was something like that, but was having
> a hard time with the language.
>
> I don't see as strong of a coupling between the hostnames associated with
> the authoritative nameservers for a domain and the hijacking problem. It is
> ultimately what shows up in the NS records associated with the domain that
> matters. I might choose to delegate foobar.com to ns1.myisp.net and
> ns2.myisp.net. If someone registers nameservers ns1.foobar.com and
> ns2.foobar.com in the registry this is inconvenient and annoying, but not
> really a hijacking issue.
>
> In addition, I'm not sure that this coupling will work well in a very
> distributed context. Let's say that I own 'foobar.com' today, registered
> through registrar 'spumco' and I have two nameservers running,
> ns1.foobar.com and ns2.foobar.com. I want to register 'foobar.biz' and
> 'foobar.info', using my current nameservers, ns{1,2}.foobar.com.
>
> In order to complete the domain registration I'll have to register my
> nameservers into the .biz and .info registries. Registrar 'spumco', who
> performed the 'foobar.com' registration, doesn't offer registrations with
> .biz and .info, so I go to registrar 'blammo'.
>
> Does this mean that I cannot register my nameservers through 'blammo' with
> .biz because 'spumco' holds the registration for 'foobar' in .com?
>
> This seems problematic.
>
> As a registrant, the thing that I care about is that the nameservers that
> I registered with my domain don't change unless I explicitly authorize the
> change.
>
> I'm wondering if the problem here is the idea of having separate
> nameserver and domain objects. In my mind, the nameserver is an attribute
> of the domain, and doesn't have any independent identity. What problem does
> having the nameservers as separate entities solve?
>
> -bws
>
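
The authorization rule debated in this thread, as an added example that is not part of either message or of any registry's code: a toy registry accepts a nameserver inside one of its own domains only from the sponsoring registrar or from a requester presenting the registrant's token, and treats hosts outside its TLD as unrestricted external hosts. The `Registry` class, its method names, the hashed-token scheme and the sample values are all assumptions made for illustration.

```python
import hashlib
import hmac

class Registry:
    """Toy single-TLD registry; class, methods and token scheme are assumptions."""

    def __init__(self, tld):
        self.tld = tld
        self.domains = {}  # domain -> (sponsoring registrar, SHA-256 of registrant token)
        self.hosts = {}    # hostname -> registrar that created the host

    def add_domain(self, domain, registrar, token):
        self.domains[domain.lower()] = (registrar, hashlib.sha256(token.encode()).digest())

    def parent_domain(self, hostname):
        """Return the registered domain that contains hostname, or None."""
        labels = hostname.split(".")
        for i in range(1, len(labels) - 1):
            if ".".join(labels[i:]) in self.domains:
                return ".".join(labels[i:])
        return None

    def create_host(self, registrar, hostname, token=None):
        """Decide a nameserver registration; returns (accepted, reason)."""
        hostname = hostname.lower().rstrip(".")
        if hostname in self.hosts:
            return False, "already registered"
        if not hostname.endswith("." + self.tld):
            self.hosts[hostname] = registrar  # e.g. ns1.foobar.tv seen by .com
            return True, "external host"
        parent = self.parent_domain(hostname)
        if parent is None:
            return False, "no registered parent domain"
        sponsor, digest = self.domains[parent]
        presented = hashlib.sha256((token or "").encode()).digest()
        if registrar == sponsor:
            reason = "sponsoring registrar"
        elif token is not None and hmac.compare_digest(presented, digest):
            reason = "registrant token"
        else:
            return False, "no authority over " + parent
        self.hosts[hostname] = registrar
        return True, reason

if __name__ == "__main__":
    com = Registry("com")
    com.add_domain("foobar.com", "R1", "constructed-token")  # constructed sample data
    print(com.create_host("R2", "ns1.foobar.com"))
    print(com.create_host("R2", "ns1.foobar.com", "constructed-token"))
    print(Registry("biz").create_host("blammo", "ns1.foobar.com"))
```

In this model the 'spumco'/'blammo' case from the quoted message is accepted by the .biz registry, because ns1.foobar.com lies outside .biz and the parent-domain check does not apply there.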