NCSG-DISCUSS Archives

NCSG-Discuss

NCSG-DISCUSS@LISTSERV.SYR.EDU

Sender: NCSG-Discuss <[log in to unmask]>
From: Timothe Litt <[log in to unmask]>
Reply-To: Timothe Litt <[log in to unmask]>
Date: Sun, 10 Aug 2014 07:06:36 -0400

On 09-Aug-14 15:48, Dan Krimm wrote:
> I'm sympathetic with this point of view.  Technical issues should be able
> to be quickly resolved, and it should therefore be possible to identify a
> technical contact quickly when something technical is going wrong.  I
> emphasize the word "technical" here quite pointedly.
>
> (For example, trademark issues are for the most part not technical -- they
> mostly do not affect the technical function of the network.  And any
> relevant impacts are the ultimate responsibility of non-technical domain
> owners, not technical staff.)
Yes, and that's why WhoIS has separate contact information for
Registrant, Administrative, and Technical contacts.

[Definitions:
  Registrant: the 'owner' of the domain name; legally responsible
  Administrative: Contact for billing, renewal/expiration/cancellation/transfer
  Technical: Contact for operational issues: malfunctioning servers, network issues]

Note that a trademark holder also deserves a timely response -- as a
technical person, I might argue it doesn't need to be quite as timely
(trademark affects the competing entities, not the whole network).  But
still timely in that context.

>
> Privacy issues arise mostly for "small" domain owners (like myself) that do
> not have the "corporate veil" to protect personal identification
> information with a "corporate front".  I don't know the statistics, but I
> would not be surprised if the substantial majority of second-level domain
> owners actually consists of small entities such as myself -- private
> individuals, sole proprietors, small businesses.
>
I am such a domain owner.  Privacy is important - I said that.  A suitable
anonymous proxy service can meet both objectives - as long as it ensures
timely delivery.  That includes both electronic delivery and physical
delivery (e.g. service of process.)

I've said that many times too.

What is NOT acceptable is providing false, unresponsive, obscured or no
information.

Registrars could help by defaulting their technical contact information
when their servers are used and prompting for technical contact information
when other name servers are registered.  Typically, they don't - and
registrants either enter their own information (but don't know how to
respond), or not wanting to be annoyed, enter false/random data.

Abuse of WhoIS data (including trolling it for spam) is a separate issue.
Spam delivered through a privacy proxy is no more nor less obnoxious than
other spam.  One advantage of a privacy proxy is that the registered (in
whois) address can be changed periodically - thus invalidating the
spammer's illicit lists. [This has to be done in a manner that doesn't
impact legitimate use.  I won't specify how here, but it's quite doable.]

> And many of such small domain owners use domain-hosting services, and the
> technical contacts at those hosting services presumably should be the first
> point of contact for technical network issues.  (There could be technical
> content issues associated with web servers, but those are by and large
> distinct from network technical issues.)
>
The WhoIs technical contact is for generic network technical issues traced
to a domain.  These may be DNS server issues;  however, it is also used for
network routing/protocol violation/denial of service source reporting and
other issues not specific to a higher level protocol (e.g. http, smtp, ftp,
imap, pop, bittorrent, etc).

Websites should, as good practice, have a contact method (typically
'contact webmaster') on their site (at least the home page), but that's out
of scope for WhoIS.  E-mail servers are required (by the SMTP RFCs) to
respond to 'Postmaster'.  Other services have other conventions.  Sadly,
these days many sites don't conform to those RFCs/conventions, but again,
that's out of scope of WhoIS.

I guess I should also mention that WhoIs also operates on IP addresses, not
just domain names. (e.g.
http://whois.arin.net/rest/nets;q=8.8.8.8?showDetails=true&showARIN=false&ext=netref2)
That fact is rarely mentioned here...though contact issues are similar.


> One of the things I look forward to in the future of the Internet is an
> even broader proliferation of domain ownership by Little Guys like me, but
> in that event we need to protect us Little Guys as if we were individual
> citizens, not treating us as if we were big corporations with more layers
> and resources for dissociating individuals from corporate activity.
>
No disagreement.  See my **many** pleas on this list for considering
**individual** registrants, not just non-commercial corporations.  For
example, I've pointed out that we individual registrants can't protect our
domain names, since a Trademark, by definition, is a mark used in
commerce...  (Yes, it's slightly weird that "non-commercial" organizations
are "engaged in commerce" for trademark purposes.  But individuals (e.g.
families) are not.  That's our legal system.)

I haven't gotten any traction on individual rights issues here -- but those
aren't in scope of the current note.

> If my domain host did not have a service to add that layer of anonymity to
> domain contacts, I would be uncomfortable using them as my host and would
> look for one that did offer such service.  And if I couldn't find one, then
> I'd be uncomfortable maintaining my own domain -- if I really felt the need
> to continue operating my own domain, then I'd be forced to consider
> spending resources to formally incorporate some entity to act as the domain
> owner, and to establish separate contact information for that entity that
> does not identify me as an individual.  This creates higher barriers to
> entry for domain ownership (or else a tradeoff of the cost of lack of
> personal privacy).
>
Many domain hosts (including registrars and 3rd party DNS services) offer
privacy proxy services - some for free, some at additional cost.  There are
also 3rd-party privacy proxy services.

The important thing is that a responsive contact be listed for each
classification, and that the contact data is maintained in usable form.
That is, an e-mail address needs to be able to be plugged into a
notification script (not mangled or sent thru a 'human detector').  A
physical address can be a post office box, a proxy service, or an attorney
- but it needs to be something that if printed on an address label, is
deliverable.  (Graveyards, vacant lots, 'Santa Claus, North pole',
unrelated parties do not qualify..., nor do phone numbers of pornographic
pay services.  Yes, all of the above have been used in the name of
'privacy'.)

Note that the example given was one where the desire was to detect issues in
the top 1M domains (which, allowing for common servers, still would mean at
least thousands of servers.  And if only 10% had the issue, hundreds of
notifications.)  The institution behind this is quite capable of looking at
even larger scales.

Also note that such mass notifications are not "Spam"; by listing a
technical contact, notifications of technical issues to that contact are
solicited.

> If one promotes the idea of widespread individual ownership of domains
> (distribution of power, basically -- this is about pushing back against
> centralization of authority), then systematic privacy protection for
> citizen-level owners needs to be in place, and that protection need not be
> pierced when technical domain operations are contracted to a third party.
>
> (FYI, I am personally not technically qualified to parse and respond to the
> example you present below.  Even though I own my domain, the domain host is
> the only entity in position to respond to this, and that is part of what I
> have contracted them to do.  Their technical operations are almost
> completely opaque to me.  So *I* should not be listed as the domain
> technical contact -- I would just slow down the resolution of such issues
> if I were in the loop.)
>
I did not intend for this audience to evaluate the example's technical
merits.  I would not have posted a meritless example.  (In case it isn't
clear, I'm quoting the example from another list; I'm not behind it.)

Again, that's why there are multiple contacts in WhoIS. 

> Finding the proper balance here is precisely what this ongoing debate is
> all about.
>
Yes.  I just thought it was time to provide a concrete example of the case
for functional WhoIs.  That 'side' of the debate is underrepresented in this
group...


Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 


> Best,
> Dan
>
>
> --
> Any opinions expressed in this message are those of the author alone and do
> not necessarily reflect any position of the author's employer.
>
>
>
> At 2:49 PM -0400 8/9/14, Timothe Litt wrote:
> > There is a recurring theme in discussions here that WHOIS data/accuracy
> > is a matter of privacy; that somehow the technical need is imaginary, or
> > obsolete because most registrants don't actually operate DNS servers.
> > The fact is that someone operates the servers, and the technical contact
> > needs to reflect that.
> >
> > Here is a recent (today) example of a (frustrated) senior engineer
> > attempting to get malfunctioning DNS server operators to address issues
> > that are causing considerable grief.
> >
> > > I just logged fault reports with the technical contact for every
> > > tld that has a server that responds incorrectly to EDNS(1) queries
> > > if they handle EDNS(0) queries. BADVERS should be the result if
> > > they support EDNS as EDNS(1) is not yet defined.
> > >
> > >     dig +edns=1 zone @host
> > >
> > > I've had one contact acknowledge the report and say they have logged
> > > a report upstream.  This doesn't mean that the others won't be acted
> > > on.
> > >
> > > If we had consistent whois formats I would do the same for the Alexa
> > > top 1M.
> > > For the tld's I only had to deal with one whois output.
> > >
> > > The next round will be for those that don't correctly handle unknown
> > > EDNS options.  Unknown options should be ignored.
> >
> > Although I'm on record as believing that privacy needs to be protected
> > (and I hate the SPAM that comes to addresses that are ONLY used in my
> > WhoIS data), and that privacy proxies are fine; I'm also on record that
> > whois contacts need to be responsive - whether directly or thru proxies.
> >
> > Note that in this example, only one **TLD** responded in a timely
> > fashion; whois is in such sad shape that the engineer didn't even try to
> > contact the next million domains... Which also gives you some idea of
> > the scale of technical issues these daze.
> >
> > (EDNS queries are queries that include OPT records, which provide DNS
> > extensions; at the moment, most notably allowing message sizes greater
> > than 512 Bytes, extended flags and response codes.  These are essential
> > for DNSSEC deployment.  There are active proposals for other uses.)
> >
> > I'm not discounting the need for accurate and timely administrative and
> > registrant contact information - I just thought I'd share a current,
> > live example.
> >
> > --
> > Timothe Litt
> > ACM Distinguished Engineer
> > --------------------------
> > This communication may not represent the ACM or my employer's views,
> > if any, on the matters discussed.
>
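
The EDNS version check described in the quoted report (`dig +edns=1 zone @host`, expecting BADVERS), as an added example that is not part of the original thread: it builds the EDNS(1) query and classifies a reply by reassembling the 12-bit RCODE from the header and the OPT record. The function names and the sample replies are constructed for illustration.

```python
import struct

BADVERS = 16  # extended RCODE for an unsupported EDNS version (RFC 6891)

def build_query(zone, edns_version, qid=0x1234):
    """SOA query for `zone` with an OPT record, like `dig +edns=N zone`."""
    labels = [l.encode() for l in zone.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\0"
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # 1 question, 1 additional
    # OPT RR: root name, TYPE=41, CLASS=UDP size, TTL=ext-rcode|version|flags, RDLEN=0
    opt = b"\0" + struct.pack("!HHBBHH", 41, 4096, 0, edns_version, 0, 0)
    return header + qname + struct.pack("!HH", 6, 1) + opt  # QTYPE=SOA, QCLASS=IN

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # compression pointer terminates the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def classify(msg):
    """Return (verdict, full_rcode, edns_version) for a reply to an EDNS(1) query."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, version, off = flags & 0xF, None, 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                          # OPT carries the upper 8 RCODE bits
            rcode |= (ttl >> 24) << 4
            version = (ttl >> 16) & 0xFF
    if version is None:
        return ("no-opt", rcode, None)           # reply shows no EDNS support
    return ("ok" if rcode == BADVERS else "broken", rcode, version)

def sample_reply(query, ext_rcode, low_rcode=0, with_opt=True):
    """Constructed reply bytes standing in for a server's answer (not captured data)."""
    hdr = query[:2] + struct.pack("!HHHHH", 0x8000 | low_rcode, 1, 0, 0, int(with_opt))
    opt = b"\0" + struct.pack("!HHBBHH", 41, 4096, ext_rcode, 0, 0, 0)
    return hdr + query[12:-11] + (opt if with_opt else b"")
```

A `no-opt` verdict only says the reply carried no OPT record; whether that server handles EDNS(0) has to be established with a separate version-0 query before it counts as a fault.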