Hi,

On Wed, 11 Sep 2024 06:53:28 -0700 (PDT)
Claves Nostrum <[email protected]> wrote:

> IANA says the whois server for whois.nic.mobi
> (https://www.iana.org/domains/root/db/mobi.html)
>
> whois cmd util uses whois.afilias.net as the whois server for .mobi
> (https://github.com/rfc1036/whois/blob/dc588f10ee8135e17b3a1b6934583476bcb67bed/tld_serv_list#L64)

Related PR:
https://github.com/rfc1036/whois/pull/176

It appears there are more such problems:

https://github.com/rfc1036/whois/issues/177
"whois2.afilias-grs.net (the server for two TLDs) no longer exists, the domain is owned by some kinda sketchy parking service"

https://github.com/rfc1036/whois/issues/179
"Server for .bz is whois.afilias-grs.info associated with old 'Afilias' name, might need updating"

This one looks particularly concerning, because it indicates the data on the IANA database is outdated/incorrect:
https://github.com/rfc1036/whois/pull/178

It appears to me that this is an extremely problematic situation. Existing whois tools hardcode whois servers, and the data is updated manually. That could be "fixed" by requiring CAs to make sure they use updated data. But there's a larger question whether there even is a reliable "source of truth" for whois servers. Does IANA make any guarantees that the whois servers they advertise are operational, and under control of the respective TLD authority?

IMHO if there is no satisfying answer to these questions, whois data should no longer be allowed as a domain validation mechanism.

--
Hanno Böck
https://hboeck.de/
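The drift between a client's hard-coded server list and the IANA record, as described in the message above, can be checked mechanically. This is an added example, not part of the original message or of the whois project's code. The list layout ("TLD, whitespace, server"), the `NONE` entry, and all sample data are assumptions constructed here; only the three hostnames come from the message.

```python
import re

# Constructed excerpt; layout assumed to be "TLD <whitespace> server".
# The two hostnames are the ones quoted in the message above.
HARDCODED = """\
# constructed sample
.mobi\twhois.afilias.net
.bz\twhois.afilias-grs.info
.example\tNONE
"""
# Constructed IANA-style record; the whois value is the one the message cites.
IANA_RECORDS = {"mobi": "domain:   MOBI\nwhois:    whois.nic.mobi\nstatus:   ACTIVE\n"}

HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def parse_hardcoded(text):
    """Map TLD -> hard-coded server, skipping comments and non-hostname entries."""
    servers = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        tld = fields[0].lstrip(".").lower()
        server = fields[-1].lower().rstrip(".")
        if HOST_RE.match(server):
            servers[tld] = server
    return servers

def iana_whois_field(record):
    """Return the host named in the record's 'whois:' line, or None if absent."""
    m = re.search(r"^whois:[ \t]*(\S+)[ \t]*$", record, re.MULTILINE | re.IGNORECASE)
    return m.group(1).lower().rstrip(".") if m else None

def drift(hardcoded_text, iana_records):
    """List (tld, hard-coded server, IANA server, reason) for every disagreement."""
    findings = []
    for tld, local in sorted(parse_hardcoded(hardcoded_text).items()):
        record = iana_records.get(tld)
        if record is None:
            findings.append((tld, local, None, "no-iana-record"))
            continue
        advertised = iana_whois_field(record)
        if advertised is None:
            findings.append((tld, local, None, "iana-has-no-whois"))
        elif advertised != local:
            findings.append((tld, local, advertised, "mismatch"))
    return findings
```

An empty result only shows that the two lists agree with each other; it does not show that either server is operational or run by the TLD authority.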
