To: ietf-provreg@cafax.se
Cc: Patrick <patrick@gandi.net>
From: Antoin Verschuren <averschuren@vianetworks.nl>
Date: Thu, 23 Aug 2001 14:35:13 +0200 (CEST)
In-Reply-To: <a05100c02b7a2e08c73d8@[192.168.2.116]>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: host transfers -- actually, out-of-zone-glue

On Fri, 17 Aug 2001, Jordyn A. Buchanan wrote:

> At 4:52 PM +0200 8/17/01, Jaap Akkerhuis wrote:
> >     A.XXX has name servers NS1.B.YY and NS2.B.YY.
> >     B.YY has name servers NS1.A.XXX and NS2.A.XXX.
> >This is a basic problem. People should not do things like that. I
>
> This is a good point, and I wasn't intending to suggest that out of
> zone glue was the solution. The B.YY and A.XXX problem is probably
> not solvable today, but if both A and B are in .XXX, then the
> extremely limited view of what sort of glue should exist that Klaus
> has been advocating is probably too narrow.

This problem is solvable, if all registries treat host records and control of the host records the same. I would say that host records always should have a direct connection with the domainname, meaning that the person responsible for the domainname is always responsible for (all) the nameservers under that domain. In the example above, A.XXX should always ask permission from B.YY to use its nameservers, and B.YY should register these hosts (NS1.B.YY and NS2.B.YY) with registry YY and XXX. As maintainer of the domain B.YY I would not want it to happen in any other way.

This brings me to the point that in this discussion a lot has been said in favour of a registration system with the priority to domain registration as a "common practice these days". Recent problems have given me another thought about an "as liberal as possible" registration procedure.

We are the owner of the domainname vianetworks.nl. The Dutch domain registry holds the glue records for ns1.vianetworks.nl and ns2.vianetworks.nl, which is correct. Now that we want to start using these nameservers for some 10.000 domainnames with Verisign, there is a problem of registering these hosts. As it seems, some other party has registered a domain with Gandi using these nameservers, but without IP addresses. At Gandi, we don't have any authority to make changes to this registration. As a result of this, we cannot make the appropriate changes to these hosts to make them usable for our 10.000 domains. Our nameservers are simply hijacked by one person that uses our nameserver without our permission.

The point that I'm trying to make is that the owner of the nameserver should always be able to control his host records. If anyone can register any nameserver, then the risk of non-delegation is higher. People just simply fill in a nameserver because they have to, without making sure that nameserver works. As maintainer of ns1.vianetworks.nl, I want to be sure that all domains delegated to my nameserver work, and I don't want domains flying around with my nameservers that I'm not aware of. If anyone wants to use my nameserver, I want to know about that, so I can make sure it works.

Many registries check delegation before accepting registrations. I'm in favour of this. gTLD registries do not check delegations, so another mechanism should be thought of. This can only be made possible if the actual owner of the nameserver (and thus the domain where the nameserver resides) can control his host record, and is authoritative for making queries with each registrar for example.

I also wonder how registration of nameservers will take place in the future with DNSsec. As far as I can tell, this will probably make it necessary that the maintainer of the host record is indeed the owner of the actual nameserver, because he will have to be able to access the nameserver and negotiate the encryption keys. I'm not too deep in DNSsec, so perhaps someone else can reflect on this. As far as I understand, the encryption is between registry-nameserver and registrant-nameserver, and thus the encryption appointment is made between the nameserver maintainer and the registry, and not the registrar. So in that case the host registration is a registry issue and not a registrar issue. In that case only one host record for a given nameserver can exist, and should be maintained at the registry. In that case I would certainly choose for the domain owner to be in control of that record.

Regards,

VIA NET.WORKS Nederland
Antoin Verschuren
Provisioning Coordinator
tel. + 31 40 2 393 393
fax + 31 40 2 393 311
e-mail : averschuren@vianetworks.nl
http://www.vianetworks.nl/