To: "Brian W. Spolarich" <briansp@walid.com>
cc: Patrick <patrick@gandi.net>, James Seng/Personal <James@Seng.cc>, Kent Crispin <kent@songbird.com>, ietf-provreg@cafax.se
From: Sheer El-Showk <sheer@saraf.com>
Date: Tue, 6 Feb 2001 10:17:38 -0500 (EST)
In-Reply-To: <IPEMICCPDPPICMIONJIOKEPGCBAA.briansp@walid.com>
Sender: owner-ietf-provreg@cafax.se
Subject: RE: draft-hollenbeck-grrp-reqs-06 [Was Re: Interim Meeting]

Actually, all this is missing the point of (James') the original posting. What he was complaining about was that the authority to register a nameserver under a domain resided with the Registrar which held the domain, not the registrant.

As a registrant I may register domain D1 with registrar R1, but want to register nameserver N1 within D1 (this is an important distinction -- the domain of nameservers for a particular domain is not restricted, e.g. foobar.com can have ns1.foobar.tv as its nameserver, but any nameservers being registered _within_ a domain must be registered by the source of authority for the domain -- the registrant or the registrar, e.g. only the owner of foobar.com should be able to register the nameserver ns1.foobar.com as a nameserver) with registrar R2. James was saying that there should be some kind of token of authority (a PGP key?? ;->) that allows me as a registrant to do authoritative things for my domain (like register a nameserver under it) through any registrar, not just the one with which I registered the domain.

James, is that right? If it is, then I am definitely in agreement with the general sentiment. I don't think we should leave domain name authority in the hands of the registrars ... that's an implementation issue (i.e. per registry) and should certainly not be enforced by the protocol. I don't think, however, that this is enough ground to say that Scott's doc is a bad basis for a WG (I haven't actually looked over the revised version enough to say whether I like it or not).

Sorry for that complex clarification. Hope it helps.

Regards,
Sheer

On Mon, 5 Feb 2001, Brian W. Spolarich wrote:

> | If anyone can register ns1.foobar.com & ns2.foobar.com (with IP) then
> | basically anyone can hijack my domain (pointing www.foobar.com to
> | whatever IP, etc...)
> |
> | Thus the nameservers must be only registered by the Registrar who has
> | registered foobar.com, and the Registrar must ensure that only
> | someone with authority on foobar.com (contacts) can create
> | *.foobar.com
> |
> | There is no conflict possible in that case.
> | A given nameserver can only be registered once (even if it is used in
> | many domains) through only a given Registrar.
>
> Okay, I get it. :-) I figured it was something like that, but was having
> a hard time with the language.
>
> I don't see as strong of a coupling between the hostnames associated with
> the authoritative nameservers for a domain and the hijacking problem. It is
> ultimately what shows up in the NS records associated with the domain that
> matters. I might choose to delegate foobar.com to ns1.myisp.net and
> ns2.myisp.net. If someone registers nameservers ns1.foobar.com and
> ns2.foobar.com in the registry this is inconvenient and annoying, but not
> really a hijacking issue.
>
> In addition, I'm not sure that this coupling will work well in a very
> distributed context. Let's say that I own 'foobar.com' today, registered
> through registrar 'spumco' and I have two nameservers running,
> ns1.foobar.com and ns2.foobar.com. I want to register 'foobar.biz' and
> 'foobar.info', using my current nameservers, ns{1,2}.foobar.com.
>
> In order to complete the domain registration I'll have to register my
> nameservers into the .biz and .info registries. Registrar 'spumco', who
> performed the 'foobar.com' registration, doesn't offer registrations with
> .biz and .info, so I go to registrar 'blammo'.
>
> Does this mean that I cannot register my nameservers through 'blammo' with
> .biz because 'spumco' holds the registration for 'foobar' in .com?
>
> This seems problematic.
>
> As a registrant, the thing that I care about is that the nameservers that
> I registered with my domain don't change unless I explicitly authorize the
> change.
>
> I'm wondering if the problem here is the idea of having separate
> nameserver and domain objects. In my mind, the nameserver is an attribute
> of the domain, and doesn't have any independent identity. What problem does
> having the nameservers as separate entities solve?
>
> -bws
>
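
An added example, not part of the original thread: a toy registry-side check for the rule discussed above, in which a nameserver within a registered domain may be created only by that domain's source of authority, while a nameserver may still be registered only once. The `Registry` class, the hashed per-domain registrant token (standing in for the "token of authority" idea), and the treatment of names outside the registry's own TLD as unrestricted external hosts are all assumptions made for illustration.

```python
import hashlib
import hmac

class Registry:
    """Toy single-TLD registry; constructed for illustration only."""

    def __init__(self, tld):
        self.tld = tld.lower().strip(".")
        self.domains = {}  # domain -> (sponsoring registrar, token hash)
        self.hosts = {}    # host -> registrar that created it

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def add_domain(self, name, registrar, registrant_token):
        self.domains[name.lower()] = (registrar, self._digest(registrant_token))

    def parent_domain(self, host):
        """Return the registered domain containing host, or None."""
        labels = host.split(".")
        for i in range(1, len(labels) - 1):  # longest suffix first
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def create_host(self, host, registrar, token=None):
        """Apply the authority rule; return (allowed, reason)."""
        host = host.lower().rstrip(".")
        if host in self.hosts:
            return False, "host already registered"
        if not host.endswith("." + self.tld):
            # Assumption: names outside this TLD are external, unrestricted.
            self.hosts[host] = registrar
            return True, "external host"
        parent = self.parent_domain(host)
        if parent is None:
            return False, "no registered parent domain"
        sponsor, token_hash = self.domains[parent]
        if registrar == sponsor:
            reason = "sponsoring registrar"
        elif token and hmac.compare_digest(self._digest(token), token_hash):
            reason = "registrant token"
        else:
            return False, "not authorized for " + parent
        self.hosts[host] = registrar
        return True, reason
```

Under these assumptions, registrar 'blammo' is refused ns1.foobar.com in the .com registry unless it presents the registrant's token, but can create the same name in a .biz registry, where it is only an external host.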