To: ietf-provreg@cafax.se
From: Antoin Verschuren <averschuren@vianetworks.nl>
Date: Wed, 29 Aug 2001 16:20:10 +0200 (CEST)
In-Reply-To: <20010829143551.N3901@nohope.patoche.org>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: host transfers -- actually, out-of-zone-glue

On Wed, 29 Aug 2001, Patrick wrote:

> And this is totally normal. IP address for your nameservers in
> Verisign database are totally useless. The Registry gives strong
> hints to Registrar not to register IP address of nameservers outside
> of .com/.net/.org. This makes totally sense, and this is why Gandi
> does it.

I agree with you here Patrick. It's the same as Jaap pointed out.
Thanx for your other reply by the way, I agree that NSI made a mess of its system, and I'm in a long discussion with them. But they remain the registry...:-(, and I have to adapt to their current system to get things done.

> > authority to make changes to this registration. As result of this, we
>
> And you do not need to make changes at all.

And there I don't agree. Suppose we want to discontinue our nameserver, and want to do that neatly, so modifying all domains that are delegated to our nameserver to another one. In that case I must be able to make queries in the database for that nameserver, or even change the hostnames for all records that are in the database with that host record. I can imagine that you only allow these queries for the owner of that nameserver, and not for every individual. So registering who is the authoritative contact for that nameserver is desirable. In that way, I can delete or change that host record as a nameserver, so nobody can use it again for a new registration without my permission.

> > cannot make the appropriate changes to these hosts to make them usable for
> > our 10.000 domains. Our nameservers are simply hijacked by one person that
> > uses our nameserver without our permission.
>
> This is false.

I'm responsible for this nameserver. The registry database at NSI says that this host record is maintained by Gandi, and that Gandi is the only registrar allowed to make changes to this host record. Still, I have no account at Gandi (I'm not a client there) that makes it possible for me to make queries, delete or modify this host record.
The only person that is allowed to do this I suppose is the person that originally used this nameserver for the first time at Gandi. Or doesn't Gandi require a host first to be registered as a nameserver before domains can be delegated to it? If a host is not registered as a nameserver, then what does Gandi do? Register it as a nameserver at all times? And who is allowed to make changes to that host record?

> > owner of the nameserver (and thus the domain where the nameserver resides)
>
> You mean owner of nameserver = owner of the domain where the
> nameserver resides then.
> Ok, I can accept that. But my question remains : How the person who
> need to do it can gain authorization from the owner of the nameserver
> ?
> (in an automated way of course)

Once the nameserver is created as a host record, it can be used. If a nameserver is not present as a host record, then no domains can be delegated to it. I think it prevents non delegated domains. Just filling in a bogus hostname (kfjghdfjgh.jghfkjg.com) as a nameserver should be prevented. I think that the least thing you can do is check if the hostname exists.

Making the owner of a domain responsible for registering the nameservers in his domain is I think not a great effort. If one of my clients wants to use a nameserver where I'm responsible for (read, resides in my domain), then he has to make that request with me to register that nameserver. Delegation is not something that stops at a topdomain level.

Another solution might be to automatically make the owner of the domain the owner of the host record. This would mean that all registries need to talk to each other, and have the same database structure. But I thought that that was the aim of this working group after all :-)

Regards,

VIA NET.WORKS Nederland
Antoin Verschuren
Provisioning Team Leader
tel. + 31 40 2 393 393
fax + 31 40 2 393 311
e-mail : averschuren@vianetworks.nl
http://www.vianetworks.nl/
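
The host-record rules argued for in the message above, sketched as an added example that is not part of the original message or of any registry's code. It assumes a single registry holding both the nameserver's parent domain and the delegated domains; the class, method and domain names are hypothetical.

```python
# Added example: toy single-registry model; all names are hypothetical.
class RegistryError(Exception):
    pass

class Registry:
    def __init__(self):
        self.domains = {}      # domain -> owner
        self.hosts = {}        # nameserver host record -> owner
        self.delegations = {}  # domain -> set of nameserver host names

    def register_domain(self, domain, owner):
        self.domains[domain] = owner
        self.delegations[domain] = set()

    def _parent(self, host):
        # Closest registered domain the host name sits under, or None.
        labels = host.split(".")
        for i in range(1, len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def create_host(self, host, requester):
        # The owner of the parent domain becomes the owner of the host record.
        parent = self._parent(host)
        if parent is None or self.domains[parent] != requester:
            raise RegistryError("only the parent domain's owner may register " + host)
        self.hosts[host] = requester

    def delegate(self, domain, host, requester):
        if self.domains.get(domain) != requester:
            raise RegistryError("not the owner of " + domain)
        if host not in self.hosts:  # rejects bogus or unregistered nameservers
            raise RegistryError("no host record for " + host)
        self.delegations[domain].add(host)

    def domains_using(self, host, requester):
        # Query restricted to the owner of the host record.
        if self.hosts.get(host) != requester:
            raise RegistryError("not the owner of host record " + host)
        return sorted(d for d, ns in self.delegations.items() if host in ns)

    def retire_host(self, old, new, requester):
        # Repoint every delegation from old to new, then delete old.
        if new not in self.hosts:
            raise RegistryError("no host record for " + new)
        moved = self.domains_using(old, requester)
        for d in moved:
            self.delegations[d].discard(old)
            self.delegations[d].add(new)
        del self.hosts[old]
        return moved
```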