

To: ietf-provreg@cafax.se
From: Antoin Verschuren <averschuren@vianetworks.nl>
Date: Wed, 29 Aug 2001 16:20:10 +0200 (CEST)
In-Reply-To: <20010829143551.N3901@nohope.patoche.org>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: host transfers -- actually, out-of-zone-glue

On Wed, 29 Aug 2001, Patrick wrote:

> And this is totally normal. IP address for your nameservers in
> Verisign database are totally useless. The Registry gives strong
> hints to Registrar not to register IP address of nameservers outside
> of .com/.net/.org. This makes total sense, and this is why Gandi
> does it.

I agree with you here Patrick. It's the same as Jaap pointed out.
Thanks for your other reply by the way, I agree that NSI made a mess of its
system, and I'm in a long discussion with them. But they remain the
registry...:-(, and I have to adapt to their current system to get things
done.

> > authority to make changes to this registration. As result of this, we
> 
> And you do not need to make changes at all.

And there I don't agree. Suppose we want to discontinue our nameserver,
and want to do that neatly, so modifying all domains that are delegated to
our nameserver to another one. In that case I must be able to make queries
in the database for that nameserver, or even change the hostnames for all 
records that are in the database with that host record. I can imagine
that you only allow these queries for the owner of that nameserver, and
not for every individual. So registering who is the authoritative contact
for that nameserver is desirable. In that way, I can delete or change that
host record as a nameserver, so nobody can use it again for a new
registration without my permission.

> > cannot make the appropriate changes to these hosts to make them usable for
> > our 10.000 domains. Our nameservers are simply hijacked by one person that
> > uses our nameserver without our permission.
> 
> This is false.

I'm responsible for this nameserver. The registry database at NSI says
that this host record is maintained by Gandi, and that Gandi is the only
registrar allowed to make changes to this host record. Still, I have no
account at Gandi (I'm not a client there) that makes it possible for me to
make queries, delete or modify this host record. The only person that is
allowed to do this I suppose is the person that originally used this
nameserver for the first time at Gandi. Or doesn't Gandi require a host
first to be registered as a nameserver before domains can be delegated to
it? If a host is not registered as a nameserver, then what does Gandi do?
Register it as a nameserver at all times? And who is allowed to make
changes to that host record?

> > owner of the nameserver (and thus the domain where the nameserver resides)
> 
> You mean owner of nameserver = owner of the domain where the
> nameserver resides then.
> Ok, I can accept that. But my question remains: How can the person who
> needs to do it gain authorization from the owner of the nameserver?
> (in an automated way of course)

Once the nameserver is created as a host record, it can be used.
If a nameserver is not present as a host record, then no domains can be
delegated to it. I think it prevents non delegated domains. Just filling
in a bogus hostname (kfjghdfjgh.jghfkjg.com) as a nameserver should be
prevented. I think that the least thing you can do is check if the
hostname exists.
Making the owner of a domain responsible for registering the nameservers
in his domain is I think not a great effort. If one of my clients wants to
use a nameserver that I'm responsible for (read, resides in my domain),
then he has to make that request with me to register that nameserver.
Delegation is not something that stops at a top domain level.
Another solution might be to automatically make the owner of the domain the
owner of the host record. This would mean that all registries need to talk
to each other, and have the same database structure. But I thought that
that was the aim of this working group after all :-)

Kind regards,
VIA NET.WORKS Nederland

 Antoin Verschuren  
 Provisioning Team Leader
 tel. + 31 40 2 393 393
 fax  + 31 40 2 393 311
 e-mail : averschuren@vianetworks.nl            

 http://www.vianetworks.nl/ 
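
The rules proposed in the message above (a delegation needs an existing host record, only the party responsible for the parent domain may create that record, and only that party may query it), sketched as an added example that is not part of the original message or of any registry's implementation. The class, method and registrar names are hypothetical, and it assumes a single registry, so a host whose parent domain lives elsewhere is refused.

```python
class RegistryError(Exception):
    """Raised when a request violates one of the authorization rules."""

class Registry:
    """Toy single-registry model; all names here are hypothetical."""

    def __init__(self):
        self.domains = {}      # domain name -> sponsoring registrar
        self.hosts = {}        # host name -> registrar that owns the host record
        self.delegations = {}  # domain name -> set of nameserver host names

    def register_domain(self, registrar, domain):
        self.domains[domain] = registrar
        self.delegations[domain] = set()

    def parent_sponsor(self, host):
        # Walk up the labels to find the registered domain the host resides in.
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.domains:
                return self.domains[parent]
        return None  # out-of-zone host: parent domain is not in this registry

    def create_host(self, registrar, host):
        owner = self.parent_sponsor(host)
        if owner is None:
            raise RegistryError("parent domain is not in this registry")
        if owner != registrar:
            raise RegistryError("only the parent domain's registrar may create this host")
        self.hosts[host] = registrar

    def delegate(self, registrar, domain, host):
        if self.domains.get(domain) != registrar:
            raise RegistryError("not the sponsor of this domain")
        if host not in self.hosts:
            raise RegistryError("no host record, delegation refused")
        self.delegations[domain].add(host)

    def domains_using(self, registrar, host):
        # Only the owner of the host record may list the domains delegated to it.
        if self.hosts.get(host) != registrar:
            raise RegistryError("only the host record's owner may query it")
        return sorted(d for d, ns in self.delegations.items() if host in ns)
```
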

