Sorry for my mail being sent twice. My mailserver did some strange
things.

Anyway, my response is below:

Dr Eberhard W Lisse wrote on 2025-01-22 16:38:
> While fully agreeing with Michele, some remarks from a ccTLD Manager's
> perspective:
>
> On 2025/01/22 17:50, Michele Neylon - Blacknight wrote:
>> So you want to create a level of complexity and extra work for
>> everyone? As a registrar that’s my read on this.
>>
>> If you want to avoid hijacking then “registry lock” in one of its
>> flavours gets you there. And DNS records existing where they
>> shouldn’t can also be fixed by other means.
>>
>> New EPP extensions *might* work for *some* registrars who *might*
>> implement them, but a lot won’t, because it’s non-standard, whereas
>> other processes already exist that do not require lots of extra
>> code. And of course this also assumes that people’s “registrars”
>> are actually registrars and not resellers of a registrar, so more
>> complexity.
>
> [...]
>
> Besides 'domain ownership' being an intriguing issue by and in itself,
> in reality a user neither knows what any of this is about, nor cares.

Well, the user doesn't actually have to care, right? The DNS provider
wants a way to have proof to solve the issues I mentioned earlier. This
can be done with nameservers or with the new extra ZDVT record, but in
both cases, it is just information that has to be sent from the "DNS
operator" to the "Domain manager" (unless it is the same person). I
honestly don't see the problem with one extra value of information.

> We see scenarios like this regularly:
>
> Janice in Accounting (the one who doesn't give an eff :-)-O) doesn't
> know why they are paying a small amount to an unknown company and
> stops it.
>
> After a while everybody wonders why nothing works any longer and it
> is a long, difficult and expensive exercise to find out that the
> domain name hasn't been renewed.
>
> If it hasn't been drop caught (which within .NA is rare, tbh)
>
> To expect them to pass tokens around?

Well, it is not a token that has to be secure. Everybody can query it
using the DNS protocol. It is just some extra information, so: NS record
{ns1.exampledns.com, ns2.exampledns.com} and ZDVT record
{"cloudflare-dns-3v44jkj4324jk"}. Done.

Also, when the domain is killed by Janice, and in the end they find out
it is expired or deleted, they pay some money to get it out of
quarantine and get the domain back. This will always be the case,
also without ZDVT records. First of all, the ZDVT record only
disappears when the domain is fully deleted and not restored from
quarantine, I guess. Also, the DNS provider doesn't magically disable
the zone. So restoring the domain in the usual way should get the
domain back working without redoing the ZDVT record.

> We can't even get them to forward auth tokens to their new Registrars
> even though we are small so we can even do a little hand holding once
> in a while.

Yeah, but in the world of DNS (and domains) we have to work with some
things that can be a little bit complex. I think that DNSSEC is more
complex to set up than ZDVT. I don't expect that I have to deal with
unknowledgeable people when doing DNS stuff, especially if it is about
security.

> On scale? Impractical.

Technically, it can be automated, especially when DNS provider and
registrar are able to talk to each other, so it works at scale.

> greetings, el

Ben
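Ben's reply sketches the check a registrar could automate: query the NS set and the ZDVT record at the apex and compare both with what the domain manager supplied. The following Python is an added example written for this page, not code from the thread, the draft under discussion or any registrar or DNS provider. The ZDVT record type does not exist in deployed DNS software, so the lookup is a constructed in-memory table standing in for a resolver; the owner names, the token values, the record shape (one opaque string at the apex) and the verdict names are all assumptions for illustration.

```python
"""Registrar-side verification of a DNS operator token, as sketched in the
thread: the delegation (NS set) and a ZDVT record at the apex are both
looked up and compared with what the domain manager supplied.

Added example, not code from the thread or any implementation. The ZDVT
record type exists only in the draft discussed above, so the lookup is a
constructed in-memory table standing in for a resolver; names, tokens and
the record shape (one opaque string at the apex) are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

# Constructed sample answers: (owner name, rtype) -> rdata strings.
CONSTRUCTED_DNS: Dict[Tuple[str, str], List[str]] = {
    # healthy: delegation and token both match the registrar's data
    ("example.com.", "NS"): ["ns1.exampledns.com.", "ns2.exampledns.com."],
    ("example.com.", "ZDVT"): ["exampledns-3v44jkj4324jk"],
    # stale: the provider rotated its token, the registrar still has the old one
    ("stale.example.", "NS"): ["ns1.exampledns.com.", "ns2.exampledns.com."],
    ("stale.example.", "ZDVT"): ["exampledns-rotated-token"],
    # silent: the provider publishes no token at all
    ("silent.example.", "NS"): ["ns1.exampledns.com.", "ns2.exampledns.com."],
    # moved: delegation no longer points at the provider the registrar knows
    ("moved.example.", "NS"): ["ns1.otherdns.net.", "ns2.otherdns.net."],
    ("moved.example.", "ZDVT"): ["exampledns-3v44jkj4324jk"],
}

Lookup = Callable[[str, str], List[str]]


def constructed_lookup(name: str, rtype: str) -> List[str]:
    """Stand-in resolver: an empty list plays the role of NODATA/NXDOMAIN."""
    return CONSTRUCTED_DNS.get((name, rtype), [])


class Verdict(Enum):
    OK = "delegation and token match"
    NS_MISMATCH = "delegation differs from registrar data"
    NO_TOKEN = "no ZDVT record published"
    TOKEN_MISMATCH = "ZDVT token differs from registrar data"


@dataclass(frozen=True)
class RegistrarRecord:
    """What the domain manager handed the registrar: NS set plus the token."""
    domain: str
    nameservers: FrozenSet[str]
    zdvt_token: str


def fqdn(name: str) -> str:
    """Normalise owner names so case and trailing dots don't cause false mismatches."""
    return name.strip().lower().rstrip(".") + "."


def verify_dns_operator(rec: RegistrarRecord, lookup: Lookup = constructed_lookup) -> Verdict:
    """Check the delegation first, then the token: a token only says something
    about the provider that actually serves the zone."""
    apex = fqdn(rec.domain)
    published_ns = {fqdn(n) for n in lookup(apex, "NS")}
    expected_ns = {fqdn(n) for n in rec.nameservers}
    if published_ns != expected_ns:
        return Verdict.NS_MISMATCH
    tokens = lookup(apex, "ZDVT")
    if not tokens:
        return Verdict.NO_TOKEN
    # The token is public (anyone can query it), so plain equality is enough;
    # it records the operator's consent, it does not authenticate the querier.
    if rec.zdvt_token.strip() not in {t.strip() for t in tokens}:
        return Verdict.TOKEN_MISMATCH
    return Verdict.OK


def verify_batch(records: Iterable[RegistrarRecord],
                 lookup: Lookup = constructed_lookup) -> Dict[str, Verdict]:
    """The 'at scale' case: run the same check over a whole portfolio."""
    return {r.domain: verify_dns_operator(r, lookup) for r in records}


EXAMPLE_NS = frozenset({"ns1.exampledns.com", "ns2.exampledns.com"})
PORTFOLIO = [
    RegistrarRecord("example.com", EXAMPLE_NS, "exampledns-3v44jkj4324jk"),
    RegistrarRecord("stale.example", EXAMPLE_NS, "exampledns-3v44jkj4324jk"),
    RegistrarRecord("silent.example", EXAMPLE_NS, "exampledns-3v44jkj4324jk"),
    RegistrarRecord("moved.example", EXAMPLE_NS, "exampledns-3v44jkj4324jk"),
]

if __name__ == "__main__":
    for domain, verdict in verify_batch(PORTFOLIO).items():
        print(f"{domain:16} {verdict.name:15} {verdict.value}")
```

Swapping `constructed_lookup` for a function that performs real queries is the only change a registrar would need; the four constructed domains cover the outcomes the thread touches on (matching data, a rotated token, a provider that never published one, and a delegation that moved elsewhere).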
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org