Draft WHOIS and Zone Transfer Policies
Greetings.

The ISOCNZ Technical Committee has prepared two draft policies.

1. Directing Domainz to implement a WHOIS server. http://www.isocnz.org.nz/whoisdraft1099.html
2. A policy on Zone Transfers. http://www.isocnz.org.nz/zfdraft1099.html

I hope to be able to ask the council to vote on these next week. Any comments or submissions to these draft proposals would of course be most welcome. If you wish to make a submission please email to john(a)actrix.co.nz

These drafts have also been sent to the ISOCNZ members mailing list for comment.

Regards
John

--
John Vorstermans || We are what we repeatedly do.
Technical Manager || - Aristotle
Actrix Networks

---------
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
2. A policy on Zone Transfers.
What's driving this policy? Have there been any reported events where zone transfers have caused performance problems for ns99.waikato.ac.nz or the network it is connected to? Has there been any event where data obtained by way of zone transfer has been used unlawfully? Has any ISP or DNS administrator requested ISOCNZ consider or implement such a policy? Has ISOCNZ been requested by Domainz to consider implementing such a policy?

Peter Mott
Chief Enthusiast
2DAY INTERNET LIMITED -/-
Peter Mott writes:
2. A policy on Zone Transfers. What's driving this policy?
At least partly a desire to move the operation of the .nz name service toward the standards set out by RFC 2010 (Operational Criteria for Root Name Servers), which says, among other things:

2.10. Zone transfer access control.

The name server shall be configured so that outbound zone transfers are permitted only to destinations on the server's local networks, and to whichever networks the zone master designates for remote debugging purposes.

Rationale: Zone transfers can present a significant load on a name server, especially if several transfers are started simultaneously against the same server. There is no operational reason to allow anyone outside the name server's and zone's administrators to transfer the entire zone.

There's also the ugly question of privacy; while individual queries pose no privacy or commercial sensitivity issues (after all, the NS records wouldn't be there if they weren't intended to be used), a complete zone download gives you a lot more information than is required to resolve names to IP addresses. For example, one can get a fairly exhaustive list of DNS names and group them by service provider.

The policies in development for official .nz nameservers do take into account (a) the fact that the .nz servers aren't hit *quite* as hard as the root servers, and (b) that a hard and fast policy of no zone transfers is not required as long as the exceptions are reasonable and controlled.

I think it's reasonable for Internet users to expect that data provided for the sole purpose of permitting other users to access their web pages or send them email is used for that purpose, and not for making them targets of unsolicited marketing material or cold-calling salespeople. Don't you?

-- don
I think it's reasonable for Internet users to expect that data provided for the sole purpose of permitting other users to access their web pages or send them email is used for that purpose, and not for making them targets of unsolicited marketing material or cold-calling salespeople. Don't you?
I do not support the use of information for unlawful or unethical purposes. But that's not the issue I raise.

Why create a policy and therefore an administrative structure to police it when nobody has identified either a technical or privacy problem with the present policy or having ns99.waikato.ac.nz allow zone transfers to any host on the Internet.

Peter Mott
Chief Enthusiast
2DAY INTERNET LIMITED -/-
On Sat, Oct 16, 1999 at 11:52:24AM +1300, Peter Mott wrote:
I think it's reasonable for Internet users to expect that data provided for the sole purpose of permitting other users to access their web pages or send them email is used for that purpose, and not for making them targets of unsolicited marketing material or cold-calling salespeople. Don't you?
I do not support the use of information for unlawful or unethical purposes. But that's not the issue I raise.
Why create a policy and therefore an administrative structure to police it when nobody has identified either a technical or privacy problem with the present policy or having ns99.waikato.ac.nz allow zone transfers to any host on the Internet.
Indeed. As Don points out, the load on the .nz nameservers is substantially lower than those on the root nameservers.

On the face of it, at least, this looks like a solution looking for a problem.

Joe
Indeed. As Don points out, the load on the .nz nameservers is substantially lower than those on the root nameservers.
On the face of it, at least, this looks like a solution looking for a problem.
It also gives weight to the possibility that the real purpose behind the policy is something not yet disclosed.

Peter Mott
Chief Enthusiast
2DAY INTERNET LIMITED -/-
Peter Mott writes:
Why create a policy and therefore an administrative structure to police it when nobody has identified either a technical or privacy problem with the present policy or having ns99.waikato.ac.nz allow zone transfers to any host on the Internet.
On the contrary, RFC 2010, as a fairly clear statement of best practice for top level nameservers (ccTLD issues differing from root nameservers only in the numbers), does raise a technical issue -- it states that there is a *potential* problem with load from zone transfers, just like it states that there are potential security problems with certain other configurations. Why does one need to wait for trouble to strike before taking action to avert it?
It also gives weight to the possibility that the real purpose behind the policy is something not yet disclosed.
Only that the full policies for DNS secondary servers have not yet been fully developed -- they'll be based around RFC 2010 and any subsequent, relevant issues that have been raised by operators of top level servers.

Are you saying .nz shouldn't be operating to industry best practices?

-- don
Why does one need to wait for trouble to strike before taking action to avert it?
Because you have not presented any evidence to suggest there is any tangible risk, and perhaps more importantly there is a cost associated with the action you propose, a cost which will be worn by industry, and ultimately by registrants who have to pay for running ISOCNZ.

How about a policy that says "if it ain't broke - don't create policy to fix it"?

All this gives weight to the argument that the .nz ccTLD would be better administered by an entity focused on the needs of industry, rather than a club like ISOCNZ which has become a front for a company with desires none of us know anything about.

Peter Mott
Chief Enthusiast
2DAY INTERNET LIMITED -/-
Peter Mott wrote:
I think it's reasonable for Internet users to expect that data provided for the sole purpose of permitting other users to access their web pages or send them email is used for that purpose, and not for making them targets of unsolicited marketing material or cold-calling salespeople. Don't you?
I do not support the use of information for unlawful or unethical purposes. But that's not the issue I raise.
Why create a policy and therefore an administrative structure to police it when nobody has identified either a technical or privacy problem with the present policy or having ns99.waikato.ac.nz allow zone transfers to any host on the Internet.
Eventually (likely sometime in 2000) ns99.waikato.ac.nz won't be there any more, principally due to Waikato finally getting out of the DNS business completely, and passing the baton to Domainz. Most of us thinking about this stuff did not have much to do with how Waikato was set up and run, and all the players who made these decisions have now moved on. John Houlker to Telecom International, Arron Scott to Netgate, Rex off to Adelaide etc etc.

Unrestricted zone transfers COULD be a problem because... SPAM is a concern. Transfer of zone information offshore is another. On-Sale of zone information offshore is another. Use of information for direct marketing purposes is another..

There are several organisations we are aware of that don't run authoritative secondaries, but do do zone transfers, so what do they use the information for? An example would be providing a "name availability tool" as part of a registry business. This seems a reasonable use and we would hardly wish to discourage it.

Russell Street's example of Auckland Uni providing an internal secondary, thus providing faster lookup within the Uni WAN, and preserving precious external bandwidth, is an example we'd like to promote and support.

If you don't agree with any restrictions on zone transfers at all, and want the current situation to continue, now is the time to speak.

Rgds
Roger De Salis

--
\_ Roger De Salis Cisco Systems NZ Ltd
' +64 25 481 452 L3, 117 Customhouse Qy
/) +64 4 473 4912 Wellington, New Zealand
(/ roger(a)desalis.gen.nz rdesalis(a)cisco.com
`
If you don't agree with any restrictions on zone transfers at all, and want the current situation to continue, now is the time to speak.
Don't agree with a policy to restrict zone transfers when no tangible risk has been identified and there is a cost associated with policy administration.

We would prefer that the restriction of zone transfers be a technical decision on the part of the administrator for the .nz master name server. BIND 8.2.x has extensive options to tune performance by restricting the number of concurrent transfers, and if required, prevent them from particular hosts or networks if an abuse problem arises.

All ISPs and domain admins who agree with this approach, please wave your hand now :-)

Peter Mott
Chief Enthusiast
2DAY INTERNET LIMITED -/-
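Both sides of this exchange come down to a handful of named.conf settings: the RFC 2010 section 2.10 rule Don quoted (transfers only to local networks and designated debugging networks) and the BIND 8.2.x tuning Peter refers to (capping concurrent transfers, denying particular hosts). The fragment below is an added example written for this archive, not text from the draft policy or from any poster. The ACL names, addresses, and file path are placeholders; nothing here describes the actual .nz server configuration.

```conf
// Added example of a BIND 8.2.x named.conf fragment. Not from the ISOCNZ
// draft or from any list poster. All addresses, ACL names and paths are
// placeholders (RFC 5737 documentation ranges), not real .nz infrastructure.

// Designated secondaries and a remote-debugging network, as RFC 2010 2.10
// describes: the zone master decides who appears in these lists.
acl "nz-secondaries" {
    192.0.2.10;             // placeholder: designated secondary
    192.0.2.11;             // placeholder: designated secondary
};

acl "debug-net" {
    198.51.100.0/24;        // placeholder: network the zone master allows for debugging
};

options {
    directory "/var/named";

    // The setting being debated on the list: any host may AXFR the zone.
    // allow-transfer { any; };

    // Server-wide default once restriction is chosen: no outbound transfers
    // unless a zone statement says otherwise.
    allow-transfer { none; };

    // Addresses the load concern in RFC 2010's rationale: at most this many
    // outbound transfers run at once, whoever is asking.
    transfers-out 10;
};

zone "nz" {
    type master;
    file "master/nz.zone";  // placeholder path

    // Per-zone override: the server's own networks (built-in "localnets"),
    // the designated secondaries, and the debugging network only.
    allow-transfer { localnets; "nz-secondaries"; "debug-net"; };

    // Tell the designated secondaries to refresh promptly after a reload.
    also-notify { 192.0.2.10; 192.0.2.11; };
};
```

Two points worth noting about this shape. First, `allow-transfer` matches on the requesting address, so an entry like Auckland Uni's internal secondary is just another ACL member; it does not require a policy office, only an administrator willing to add a line, which is the distinction Peter is drawing. Second, it changes nothing about ordinary queries: every individual record remains resolvable by anyone, so the privacy effect Don describes applies only to bulk download of the whole zone, not to the records themselves.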
On Sat, 16 Oct 1999, Peter Mott wrote:
All ISP's and domain admins who agree with this approach, please wave your hand now :-)
There is no need to allow zonefile transfers out of the master servers except to designated secondaries and a large number of good reasons to deny AXFRs by default - commercial, security and load related.

Sorry, I don't buy the arguments about secondarying the entire *.nz space into servers which aren't designated secondaries - it just causes lame server logfile entries and probably results in higher bandwidth consumption than just letting normal DNS NS caching algorithms do their thing - which they do quite efficiently.

AB
On Sat, Oct 16, 1999 at 06:36:42PM +1300, Alan Brown wrote:
On Sat, 16 Oct 1999, Peter Mott wrote:
All ISP's and domain admins who agree with this approach, please wave your hand now :-)
There is no need to allow zonefile transfers out of the master servers except to designated secondaries and a large number of good reasons to deny AXFRs by default - commercial, security and load related.
Sorry, I don't buy the arguments about secondarying the entire *.nz space into servers which aren't designated secondaries - it just causes lame server logfile entries and probably results in higher bandwidth consumption than just letting normal DNS NS caching algorithms do their thing - which they do quite efficiently.
Lame servers are logged when a zone has an NS record pointing at a nameserver which is not authoritative for the zone.

In this case, there are no NS records pointing to the nameservers which carry the slave zones. Why would lame server warnings result?

Joe
On Sun, 17 Oct 1999, Joe Abley wrote:
Lame servers are logged when a zone has an NS record pointing at a nameserver which is not authoritative for the zone.
In this case, there are no NS records pointing to the nameservers which carry the slave zones. Why would lame server warnings result?
If you're downstream of a lame server, you're likely to get the warning.

AB
On Sun, Oct 17, 1999 at 01:47:50AM +1300, Alan Brown wrote:
On Sun, 17 Oct 1999, Joe Abley wrote:
Lame servers are logged when a zone has an NS record pointing at a nameserver which is not authoritative for the zone.
In this case, there are no NS records pointing to the nameservers which carry the slave zones. Why would lame server warnings result?
If you're downstream of a lame server, you're likely to get the warning.
I can't think of a scenario where this would be true. If this is something you have seen, can you describe the setup in more detail? What exactly do you mean by "downstream of a lame server"?

Lame delegations result when a zone contains an NS record to a nameserver which, when queried, turns out not to be authoritative. In this case there are _no_ NS records pointing at the nameserver which is performing the zone transfer. If there were, there is still a good chance that no lame delegation warnings would result, since the nameserver _would_ have authoritative data.

[isocnz-l removed from cc: list]

Joe
On Sat, 16 Oct 1999, Roger De Salis wrote:
If you don't agree with any restrictions on zone transfers at all, and want the current situation to continue, now is the time to speak.
2 cents from an ex-pat Kiwi:

The Internet doesn't run exclusively on good intentions. Real dollars are required to make it work. People have an expectation when they pay real money that they're getting something worthwhile, and they also have a reasonable expectation that they can have it spelled out to them just where their money is going and what it is supporting.

If I were paying Domainz to host a domain for me, I'd like to understand just what I were paying for and what would be done with "my" stuff. Given I would be paying for a professional service, I wouldn't be happy if "my" stuff's security rested on assumed good intentions at large.

--
Josh Bailey (mailto:joshbailey(a)lucent.com)
lucent->ins->software->alameda[CA]
/* 1601 Harbor Bay Parkway, Alameda, CA 94502 (room 1601/1108C)
voice: +1-510-747-3367 skytel: 1-800-skytel2/mailto:1198428(a)skytel.com */
At 11:08 AM 16-10-99 +1300, Peter Mott wrote:
2. A policy on Zone Transfers.
What's driving this policy
and
It also gives weight to the possibility that the real purpose behind the policy is something not yet disclosed.
The Zone Transfer policy has been in the making for some time now. It has also been openly discussed on the nznog list. This policy is largely the outcome of those discussions.

Why are we proposing such policy? Well let me make it clear. As stewards of the DNS we have a responsibility, that is, to ensure that the information contained in the database is available for its stated purpose. We also have a responsibility to those who place information in the database, to ensure that such information is not abused as stated in the draft policy.

Why are we making the draft available for public comment? To give members and those concerned a chance to make a submission to the proposed draft before it is fully considered by the ISOCNZ Council. Submissions are most welcome and can be e-mailed to myself at john(a)actrix.co.nz.

Regards
John

--
John Vorstermans || We are what we repeatedly do.
Technical Manager || - Aristotle
Actrix Networks
On Sat, Oct 16, 1999 at 02:44:35PM +1300, John Vorstermans wrote:
At 11:08 AM 16-10-99 +1300, Peter Mott wrote:
2. A policy on Zone Transfers.
What's driving this policy
and
It also gives weight to the possibility that the real purpose behind the policy is something not yet disclosed.
The Zone Transfer policy has been in the making for some time now. It has also been openly discussed on the nznog list. This policy is largely the outcome of those discussions.
As far as I can remember, the discussions on the nznog list could be summarised as:

o there were legitimate business reasons for being able to do zone transfers;
o there were legitimate operational reasons too;
o nobody could come up with a good reason to restrict access, but
o there were still people eager to restrict it on a matter of principle.

In fact, it sounds remarkably like this discussion, so far.
Why are we making the draft available for public comment? To give members and those concerned a chance to make a submission to the proposed draft before it is fully considered by the ISOCNZ Council. Submissions are most welcome and can be e-mailed to myself at john(a)actrix.co.nz.
How will submissions be considered? At the end of the day, is this a decision that will be made according to direct public feedback, or according to the isocnz councillor's interpretation of the feedback they privately receive?

Joe
At 03:36 PM 16-10-99 +1300, Joe Abley wrote:
How will submissions be considered?
All the councilors are able to read the comments made on these mailing lists, Joe. That will, I am sure, have some influence on the way councilors see the issue. Secondly, as Chair of the Technical Committee I will be taking the points brought up to the Technical Committee next week to discuss further, which will result quite probably in a final draft to go before the council.

In general the Technical Committee sticks to what is called forth from the RFC and both these policies reflect that. The privacy issues from both these policies are a reflection of what is happening internationally.

Cheers
John

--
John Vorstermans || We are what we repeatedly do.
Technical Manager || - Aristotle
Actrix Networks
On Sat, 16 Oct 1999 15:36:08 +1300, Joe Abley wrote:
How will submissions be considered? At the end of the day, is this a decision that will be made according to direct public feedback, or according to the isocnz councillor's interpretation of the feedback they privately receive?
All Crs are on isocnz-members and a fair proportion are on nznog so we should be able to see the discussion first hand.

DPF
________________________________________________________________________
<david at farrar dot com> NZ Usenet FAQs - http://www.dpf.ac.nz/usenet/nz ICQ 29964527
Before we run around in circles...

There are currently two servers for WHOIS in NZ that are not run by ISOCNZ. There is also a service where you can search for domains in NZ using wildcards in the search string.

So why not contact the people who run them to find out
1. the demand for it (well I know I use the Whois often)
2. what they provide.

Perhaps use those services as the basis or minimum that ISOCNZ should provide and improve from there.

Whatever you do, please do not shut down these services. I find them invaluable 8)

regards
Lin
There are currently two servers for WHOIS in NZ that are not run by ISOCNZ.
You probably don't know about ours. We also run one at whois.2day.com

It is provided for the purpose of finding the registrant and registrar of a particular domain name. Currently it supports:-

.com .net .org .nz .com.au .co.uk

Any feedback regarding its usefulness would be appreciated.

Peter Mott
Chief Enthusiast
2DAY INTERNET LIMITED -/-
2. A policy on Zone Transfers.
I found this sentence ambiguous:

3. It is for the purpose of running a private Name Server, and under the condition that the data will under no circumstances be used to allow, enable or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam) or simply for the gathering of statistical analysis.

Perhaps it could be reworded to make it clear that zone transfers for statistical analysis are permitted. It could be read that statistics are in the same class as spam.

Russell