2Day Chief Enthusiast wrote: |> |> >I haven't yet got the draft minutes but my recollection of the |> >ISOCNZ Council meeting on Friday is that the consensus was to |> > do exactly that |> >- for reasons of both privacy act considerations and anti-spamming. |> |> Yet another example of ISOCNZ making decisions without consulting |> industry. Extremely bad form. | | I'd say that ISOCNZ did consult industry and are in the process of doing | so. Some weeks ago the ISOCNZ technical committee, John Vorstermans, | Mark Davies and Roger De Salis talked to Joe Abley and myself. If they | didn't talk with Peter that doesn't mean they didn't talk with industry. ===================================================================== Exactly 10 days ago, I did send out an email to the ISOCNZ council, plus Andy and Joe, with proposal to possibly restrict zone transfers. The sequence was:- 1/ Put an inital proposal to the council plus others to ensure that the technical proposal was sound, and find out if there were i) raving objections, ii) muted dissent iii) muted assent iv) other. 2/ Post the corrected proposal to the NOG for comment. 3/ Assemble and Post feedback to the NOG, and come to a acceptable consensus. Unfortunately real work interfered with this timetable. This email represents step 2. The proposal was informally discussed at the last council meeting, which I was not able to fully attend. Here is the proposal in full, as it was sent out earlier. I remind interested parties that this is a PROPOSAL. Thoughtful comment, dissent and wisely worded counter propoosals will all be thoroughly considered. Here is the proposal as originally sent out. ======================================================================== PROPOSAL:- The caretaker of the registry has been concerned for sometime about the ability to do a complete download of the zone files, and then trawl them for useful information. Typically why people do this is to keep score, and we have no evidence that people have used this information for malicious purposes thus far. But the information does contain personal information, which it must do to permit network operators to rightfully go about their business, and brilliant efforts to keep the internet running. It also potentially offers plenty of SPAM potential. If whole downloads were restricted, but reasonable queries of a moderate length we allowed, and a working who-is was on line, and there was an ability to run reasonable global queries (eg no of domains by provider etc etc), is a restriction on possible global downloads reasonable. A positive suggestion here is that global downloads continue to be permitted, but the receiver must authenticate themselves, so reasonable use can be estimated. A parallel example is Cisco's shipping database. You have query access (via login) to any information, but you need a valid number to be able to extract the single event. There is no way to get the whole of shipping details at that second. But in theory it is all there. The proposal is therefore to propose some minor technical changes with an eye on the Privacy requirements, but ensure that sufficiently useful access and information exists to permit the nog to do their job. I would be most interested to collect opinions about positive technical suggestions, leave it the way it is, or make these suggested changes. Rgds Roger De Salis ====================================================== Joe's comments came back as:- (and appear to me to be eminently reasonable. I hope he will not mind me re-publishing.) For the record, it's only ns99 and rata that currently permit zone transfers; none of the others do. A good compromise might be to restrict zone transfers from ns99 to "all authoritative servers plus authorised hosts" to allow people like Peter to continue to pull the data, without having to mess about with ftp. Domainz could authorise hosts as they saw fit (I would expect the authorisation policy to be fairly non-restrictive). The driver for doing this, remember, is to prevent the unscrupulous walking the DNS, enumerating domain names for the purposes of evil spam; it's not to stop record harvesting for the purposes of generating statistics. This is just for ns99 -- I would expect other authoritative servers to deny transfers from _anybody_. Maintaining a current transfer access list on every secondary is unnecessary. Being overly restrictive on this issue could be problematic anyway; for example CLEAR and Xtra have access to the zone files since they operate authoritative nameservers for the benefit of the community. It would be bizarre if other providers were denied access to the same information simply because they're small (or focused on niche services). Joe ================================================================ -- \_ Roger De Salis Cisco Systems NZ Ltd ' +64 25 481 452 L3, 117 Customhouse Qy /) +64 4 473 4912 Wellington, New Zealand (/ roger(a)desalis.gen.nz rdesalis(a)cisco.com ` Never underestimate the data transmission capacity (Mb/s) of a station wagon full of the backup tapes.