

To: shollenbeck@verisign.com (Hollenbeck, Scott)
Cc: ietf-provreg@cafax.se
From: Bill Manning <bmanning@isi.edu>
Date: Wed, 11 Apr 2001 07:43:48 -0700 (PDT)
In-Reply-To: <DF737E620579D411A8E400D0B77E671D750925@regdom-ex01.prod.netsol.com> from "Hollenbeck, Scott" at Apr 11, 2001 10:10:52 AM
Sender: owner-ietf-provreg@cafax.se
Subject: Re: 3.4/Object Ownership, esp. Name Server Ownership

 This problem exists today. The (correct) answer is that the owner of the 
foo.com object has ultimate say in what is subservient to the foo.com object,
-REGARDLESS- of which registrar is allowed to make changes to objects 
chained to the foo.com parent object.  One should ensure that the parent
object is not allowed to be deleted without first ensuring that all entries
that are chained have either been moved elsewhere, (www.foo.com -> b.example.net)
or are deleted along with the parent...  sort of like a unix file system...
can't delete the directory w/o removing all the files underneath it.




% The possibility of redirection and DoS attacks increases if multiple
% registrars are capable of registering hosts as name servers.  For example,
% registrar A sponsors foo.com, which has been delegated to ns1.foo.com and
% ns2.foo.com.   Host www.foo.com exists in the foo.com zone.  Registrar B
% registers www.foo.com as a name server object, with an IP address different
% from the one specified in the foo.com zone, resulting in a redirection that
% registrar A (and the registrant of foo.com) can do nothing about without
% explicit action from registrar B, who may refuse to cooperate.  Yes, even
% registrar A can register www.foo.com as a name server and cause problems,
% but with only one registrar involved the problem is _much_ easier to
% resolve.
% 
% If we allow domain objects (such as foo.com) to be deleted without requiring
% deletion or renaming of name server objects (such as ns1.foo.com) registered
% under the domain, we allow creation of orphaned A records.  This doesn't
% have an immediate operational consequence for the DNS (queries for something
% like www.foo.com will yield an NXDOMAIN response), but it does become a
% garbage collection issue in the zone that publishes the glue record for
% ns1.foo.com, which remains after foo.com has been deleted.  This, too, can
% present a denial of service issue when someone re-registers foo.com and they
% try to register a name server named ns1.foo.com, which won't be possible
% because the old ns1.foo.com remains!
% 
% <Scott/>
% 


-- 
--bill
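As an added illustration of the rules argued for in this message (it is not code from this thread, from the provreg working group, or from any registry implementation), the following Python model of a registry enforces two checks: a subordinate host object such as www.foo.com may only be created by the registrar that sponsors its parent domain foo.com, which blocks the registrar B redirection Scott describes, and a domain is refused deletion while host objects still hang off it unless they are cascade-deleted with the parent, which is Bill's non-empty directory rule. The class and method names, the registrar labels and the IP addresses are all constructed for the example; `delete_domain_unchecked` exists only to show the orphaned-glue problem that the lax behaviour causes.

```python
"""Toy registry model for the ownership rules discussed in this thread.
Constructed illustration only; not EPP and not any registry's real code."""

from dataclasses import dataclass


class RegistryError(Exception):
    """Raised when a request violates the ownership or lifecycle rules."""


@dataclass
class Domain:
    name: str       # e.g. "foo.com"
    sponsor: str    # registrar that sponsors the domain object


@dataclass
class Host:
    name: str       # e.g. "ns1.foo.com"
    sponsor: str    # registrar that created the host object
    ip: str         # glue address that would be published in the parent zone


class Registry:
    def __init__(self):
        self.domains = {}   # name -> Domain
        self.hosts = {}     # name -> Host

    def parent_domain(self, hostname):
        """Return the registered domain a host name falls under, if any.
        Walks up the labels so 'a.b.foo.com' also maps to 'foo.com'."""
        labels = hostname.lower().split(".")
        for i in range(1, len(labels)):
            dom = self.domains.get(".".join(labels[i:]))
            if dom is not None:
                return dom
        return None

    def create_domain(self, name, sponsor):
        name = name.lower()
        if name in self.domains:
            raise RegistryError(f"domain {name} already exists")
        self.domains[name] = Domain(name, sponsor)
        return self.domains[name]

    def create_host(self, name, sponsor, ip):
        """A host under a registered domain is accepted only from the registrar
        sponsoring that domain, so registrar B cannot publish www.foo.com glue."""
        name = name.lower()
        if name in self.hosts:
            raise RegistryError(f"host {name} already exists")
        parent = self.parent_domain(name)
        if parent is not None and parent.sponsor != sponsor:
            raise RegistryError(f"{sponsor} does not sponsor {parent.name}")
        self.hosts[name] = Host(name, sponsor, ip)
        return self.hosts[name]

    def subordinate_hosts(self, domain_name):
        dom = self.domains.get(domain_name.lower())
        if dom is None:
            return []
        return [h for h in self.hosts.values() if self.parent_domain(h.name) is dom]

    def delete_domain(self, name, sponsor, cascade=False):
        """Like rmdir on a non-empty directory: refuse while subordinate hosts
        remain, unless the caller asks for them to go with the parent."""
        name = name.lower()
        dom = self.domains.get(name)
        if dom is None:
            raise RegistryError(f"domain {name} does not exist")
        if dom.sponsor != sponsor:
            raise RegistryError(f"{sponsor} does not sponsor {name}")
        subs = self.subordinate_hosts(name)
        if subs and not cascade:
            raise RegistryError(f"{name} still has subordinate hosts: "
                                + ", ".join(sorted(h.name for h in subs)))
        for h in subs:
            del self.hosts[h.name]      # glue leaves together with the parent
        del self.domains[name]

    def delete_domain_unchecked(self, name):
        """The lax behaviour argued against: parent gone, glue left behind."""
        del self.domains[name.lower()]


def demo():
    """Run the thread's scenarios; returns a dict of outcomes."""
    out = {}
    reg = Registry()
    reg.create_domain("foo.com", "registrar-A")
    reg.create_host("ns1.foo.com", "registrar-A", "192.0.2.1")
    reg.create_host("ns2.foo.com", "registrar-A", "192.0.2.2")
    try:                      # registrar B tries to redirect www.foo.com
        reg.create_host("www.foo.com", "registrar-B", "198.51.100.9")
        out["redirect_blocked"] = False
    except RegistryError:
        out["redirect_blocked"] = True
    reg.create_host("b.example.net", "registrar-B", "203.0.113.5")  # no parent here
    try:                      # delete foo.com while ns1/ns2 still hang off it
        reg.delete_domain("foo.com", "registrar-A")
        out["delete_refused"] = False
    except RegistryError:
        out["delete_refused"] = True
    reg.delete_domain("foo.com", "registrar-A", cascade=True)
    out["hosts_after_cascade"] = sorted(reg.hosts)
    lax = Registry()          # orphaned glue blocks a later registrant
    lax.create_domain("foo.com", "registrar-A")
    lax.create_host("ns1.foo.com", "registrar-A", "192.0.2.1")
    lax.delete_domain_unchecked("foo.com")
    lax.create_domain("foo.com", "registrar-C")
    try:
        lax.create_host("ns1.foo.com", "registrar-C", "192.0.2.77")
        out["orphan_blocks_reuse"] = False
    except RegistryError:
        out["orphan_blocks_reuse"] = True
    return out
```

The parent lookup walks up the labels rather than matching only the immediate parent, so a host three labels deep under foo.com is still governed by foo.com's sponsor; a host whose ancestors are not registered here at all (b.example.net) is treated as external glue that any registrar may reference. The cascade path mirrors the "deleted along with the parent" option in the message, while the refused path forces the registrar to move or delete the hosts first.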
