To: Klaus Malorny <Klaus.Malorny@knipp.de>
Cc: Patrick <patrick@gandi.net>, "'ietf-provreg@cafax.se'" <ietf-provreg@cafax.se>
From: "Jordyn A. Buchanan" <jordyn@register.com>
Date: Tue, 28 Aug 2001 09:16:35 -0400
In-Reply-To: <3B8A3F60.56821FB4@knipp.de>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: host transfers

At 2:38 PM +0200 8/27/01, Klaus Malorny wrote:
>This doesn't make sense, of course. But it's not what I wanted and what I
>tried to explain. Anybody should be able to specify any domain name server for
>his domain. No more, no less. Without any limitation. The effective control of
>access is done on the "physical" level only and not on the "administrative"
>level. It's just not the registry's responsibility to take care of it. As the
>registry does not control the name servers - it cannot influence them in any
>way - it is absolutely senseless to build a mechanism into the registry that
>allows or disallows the use of a name server. A name server is only usable for
>a different person if the owner of the name server grants the other person to
>host his zone on that name server by giving him physical access to that
>machine somehow, directly or indirectly. If he denies this, there is no way
>for the other person to use that name server. I.e. the owner has full control
>over his name server, he can determine by his own means who uses his name
>server and who not. Therefore, again, any registry level mechanism is
>superfluous and complicates things more than required.

This assumes that lame delegations are not bad. (Yes, I know that we can't *prevent* lame delegations, but ensuring that the owner of a name server agrees to the delegation makes them a whole lot less likely.)

Theoretically, it could even be possible to formulate a denial of service attack on a name server if you pointed some popular domain names (such as yahoo.com) at a poor, innocent and unsuspecting name server.

>
>> Under your scheme, neither of these domains will work. For that
>> matter, under your scheme, even if A and B were both in domain XXX,
>> they would not work. A modified version of your scheme could fix the
>> problem by checking for such situations within a single registry, but
>> is utterly unresolvable if the domains are in different registries.
>
>Yes, I don't dispute this. But first, I think circular references are quite
>uncommon. Second, as I said in earlier mails, I believe that it will become
>quite common that name servers are registered at different registries and that
>this little advantage will disappear.

I agree that this is not a common problem, but there's a fairly easy solution at least in the same zone.

I think this is actually becoming another issue of registry policy--registries should be able to decide what amount of glue they want to publish. There are reasonable arguments on both sides of this debate, and no fool-proof solution has been presented that solves all of the issues raised.

Jordyn