

To: ietf-provreg@cafax.se
Cc: Patrick <patrick@gandi.net>
From: Antoin Verschuren <averschuren@vianetworks.nl>
Date: Thu, 23 Aug 2001 14:35:13 +0200 (CEST)
In-Reply-To: <a05100c02b7a2e08c73d8@[192.168.2.116]>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: host transfers -- actually, out-of-zone-glue

On Fri, 17 Aug 2001, Jordyn A. Buchanan wrote:

> At 4:52 PM +0200 8/17/01, Jaap Akkerhuis wrote:
> >     A.XXX has name servers NS1.B.YY and NS2.B.YY.
> >     B.YY has name servers NS1.A.XXX and NS2.A.XXX.
> >This is a basic problem. People should not do things like that.  I
> 
> This is a good point, and I wasn't intending to suggest that out of 
> zone glue was the solution.  The B.YY and A.XXX problem is probably 
> not solvable today, but if both A and B are in .XXX, then the 
> extremely limited view of what sort of glue should exist that Klaus 
> has been advocating is probably too narrow.

This problem is solvable, if all registries treat host records and control
of the host records the same.
I would say that host records always should have a direct connection with
the domainname, meaning that the person responsible for the domainname is
always responsible for (all) the nameservers under that domain.
In the example above, A.XXX should always ask permission to B.YY to use
its nameservers, and B.YY should register these hosts (NS1.B.YY and
NS2.B.YY) with registry YY and XXX. As maintainer of the domain B.YY I
would not want it to happen in any other way.

This brings me to the point that in this discussion a lot has been said in
favour of a registration system with the priority to domain registration
as a "common practice these days". Recent problems have given me another
thought about a "as liberal as possible" registration procedure.

We are the owner of the domainname vianetworks.nl. The Dutch
domainregistry holds the glue records for ns1.vianetworks.nl and
ns2.vianetworks.nl which is correct.
Now that we want to start using these nameservers for some 10.000
domainnames with Verisign, there is a problem of registering these hosts.
As it seems, some other party has registered a domain with Gandi using
these nameservers, but without IP addresses. At Gandi, we don't have any
authority to make changes to this registration. As a result of this, we
cannot make the appropriate changes to these hosts to make them usable for
our 10.000 domains. Our nameservers are simply hijacked by one person that
uses our nameserver without our permission.

The point that I'm trying to make is that the owner of the nameserver
should always be able to control his host records. If anyone can register
any nameserver, then the risk of non-delegation is higher. People just
simply fill in a nameserver because they have to, without making sure
that nameserver works. As maintainer of ns1.vianetworks.nl, I want to be
sure that all domains delegated to my nameserver work, and I don't want
domains flying around with my nameservers that I'm not aware about. If
anyone wants to use my nameserver, I want to know about that, so I can
make sure it works.
Many registries check delegation before accepting registrations. I'm in
favour of this. gTLD registries do not check delegations, so another
mechanism should be thought of. This can only be made possible if the actual
owner of the nameserver (and thus the domain where the nameserver resides)
can control his host record, and is authoritative for making queries with
each registrar for example.
I also wonder how registration of nameservers will take place in the
future with DNSsec. As far as I can tell, this will probably make it
necessary that the maintainer of the host record is indeed the owner of
the actual nameserver, because he will have to be able to access the
nameserver and negotiate the encryption keys. I'm not too deep in DNSsec,
so perhaps someone else can reflect on this. As far as I understand, the
encryption is between registry-nameserver and registrant-nameserver, and
thus the encryption appointment is made between the nameserver maintainer
and the registry, and not the registrar. So in that case the host
registration is a registry issue and not a registrar issue.
In that case only one host record for a given nameserver can exist, and
should be maintained at the registry. In that case I would certainly
choose for the domain owner to be in control of that record.

Kind regards,
VIA NET.WORKS Nederland

 Antoin Verschuren  
 Provisioning Coordinator 
 tel. + 31 40 2 393 393
 fax  + 31 40 2 393 311
 e-mail : averschuren@vianetworks.nl            

 http://www.vianetworks.nl/ 
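
The circular delegation quoted at the top of this message (A.XXX served from B.YY and B.YY served from A.XXX) can be checked mechanically. The sketch below is an added example, not part of the original message or of any registry's software; it assumes a registry publishes glue only for hosts inside its own TLD, and all names and addresses in it are constructed.

```python
# Added example: the model and sample data are constructed, not from the thread.

def tld(name):
    return name.rstrip(".").lower().rsplit(".", 1)[-1]

def enclosing_domain(host, domains):
    """Registered domain that a host name sits under, or None if not modelled."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def unresolvable_domains(delegations, glue):
    """delegations: {domain: [nameserver host, ...]}
    glue: {host: [ip, ...]} host records held at a registry.
    Returns the sorted list of domains that no resolver can ever reach."""
    delegations = {d.lower(): [h.lower() for h in ns] for d, ns in delegations.items()}
    glue = {h.lower() for h, ips in glue.items() if ips}  # a host without IPs is no glue
    resolvable = set()
    changed = True
    while changed:  # fixed point: stop when no further domain becomes reachable
        changed = False
        for domain, hosts in delegations.items():
            if domain in resolvable:
                continue
            for host in hosts:
                # Assumption: a registry only publishes glue for hosts in its own TLD.
                has_glue = host in glue and tld(host) == tld(domain)
                parent = enclosing_domain(host, delegations)
                if has_glue or parent in resolvable:
                    resolvable.add(domain)
                    changed = True
                    break
    return sorted(set(delegations) - resolvable)

# Constructed data for the two cases discussed in the thread.
CROSS_TLD = {"a.xxx": ["ns1.b.yy", "ns2.b.yy"], "b.yy": ["ns1.a.xxx", "ns2.a.xxx"]}
SAME_TLD = {"a.xxx": ["ns1.b.xxx", "ns2.b.xxx"], "b.xxx": ["ns1.a.xxx", "ns2.a.xxx"]}
GLUE = {h: ["192.0.2.1"] for h in
        ["ns1.a.xxx", "ns2.a.xxx", "ns1.b.yy", "ns2.b.yy", "ns1.b.xxx", "ns2.b.xxx"]}

if __name__ == "__main__":
    print("cross-TLD loop:", unresolvable_domains(CROSS_TLD, GLUE))
    print("same-TLD loop: ", unresolvable_domains(SAME_TLD, GLUE))
```

With the cross-TLD data both domains are reported as unreachable, while the same loop inside one TLD resolves because the registry can publish glue for the sibling hosts.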


