Below — John Bambenek
On July 1st, 2019, my DGA feeds are converting to a CC-BY-NC-SA 4.0 license which means commercial use will require a license. Contact [email protected] for details

On Jul 8, 2019, at 20:01, Paul Wouters <[email protected]> wrote:

> On Mon, 8 Jul 2019, John Bambenek wrote:
>
> An interesting idea, but ....
>
>> Domain contact information over DNS provides a vehicle for
>> exchanging contact information in a programmatic and reliable
>> manner. DNS has a ubiquitous presence within the internet
>> infrastructure and will act as a reliable publication method for
>> contact information exchange.
>
> It's not really reliable in the case of malicious DNS. The point for me
> for using whois is hardly ever to find a domain contact, but to find
> a way to step beyond the malicious registrant. WHOIS/RDAP lets me jump
> to the Registrar.

Reliable for what use case? Creating benevolent data artificially is hard. Whois/rdap WOULD let you jump to the registrar, but all the data will be redacted and odds are we won't get access at all anyway.

> In the case where you would want to reach the domain for non-malicious
> purposes, a contact form on their website or using the SOA record email
> address would (and does) work fine.

If the website is owned, the contact form can't be trusted. I know of no one who uses SOA for anything other than tracking and correlating domains. Odds are for the overwhelming majority of domains, SOA points to registrar or a non-existent or unmonitored mailbox.

> Appendix A and the Copyright notice at the top conflict or repeat.

Will fix.

> As for some technical points:
>
> - The WHOIS/RDAP can be rate limited, DNS queries can't.

This is a feature, not a bug.

> - WHOIS can be recorded historically, for DNS queries this is much
> harder to do - especially if domains use a TTL=0 as default that
> also applies to these records.

Whois CAN be recorded historically, but that data is inaccessible until DomainTools came along. In response, the registrars and registries (who consider Domaintools a criminal operation but oddly the criminals using their service they regard as clients) have used the smoke of GDPR to simply redact everything in whois.

> - One cannot know where zone cuts are (public suffix problem), so
> mis-redirection can happen

Similar with whois today, no?

> - Which is more secure/valuable, the topmost _whois entries or the lower
> ones? eg _whois.toronto.nohats.ca or _whois.nohats.ca.

Most specific, assuming you want toronto.nohats.ca as opposed to nohats.ca. But this is possible in DNS. It is not in whois.

> - Use example.com, not exampledomain.com (see RFC 2606)

Ok will fix.

> - sub-types in TXT records
>
> You put everything under _whois.example.com but then use sub-typing
> within the TXT record. Wouldn't it be better to use the prefix instead
> of subtyping, eg:
>
> _name._admin._whois.example.com IN TXT "Dan Draper"
> _tel._admin._whois.example.com IN TXT "+1-555-123-4567"
> _name._billing._whois.example.com IN TXT "Peggy Olson"
> _email._techical._whois.example.com IN TXT "[email protected]"
>
> This would avoid awkward references to "aname" (which might become an
> RRTYPE) or "tname", etc.

Valid feedback. Submitting an I-D was the starting point to finalize a standard. It can be done any number of ways, in theory. The point is to come up with some consensus that makes sense.

> - The use of "all" is also a bit awkward.

Recommendation?

> In the end, I feel this effort shares most of its issues with the
> "security.txt" efforts of https://tools.ietf.org/html/draft-foudil-securitytxt
> which I also thought was not a good idea. See the various discussions
> on the saag list there for details on trustworthiness of information,
> and the multiple locations of information problem, which are problems
> present here as well.
>
> Paul

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
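The following is an added example, written for this page and not part of the thread, the draft, or any project's code. It takes the prefix-label layout Paul proposes (`_<field>._<role>._whois.<domain>`), applies the "most specific wins" answer given above for `_whois.toronto.nohats.ca` versus `_whois.nohats.ca`, and addresses the zone-cut concern by refusing to walk up to or past a public suffix, so a record published at the registry level is never mistaken for the domain's own contact set. The zone contents, the tiny public-suffix list, and the function names (`candidate_bases`, `parse_contacts`, `lookup_contacts`) are all constructed for the example; a real resolver would query TXT records and load the publicsuffix.org list instead of the in-memory dictionaries used here.

```python
"""Added example: resolve the most specific _whois contact set for a name,
using the prefix-label TXT layout suggested in the thread, and stop the
upward walk at a public-suffix boundary. Zone data and suffix list are
constructed stand-ins, not live DNS."""

from collections import defaultdict

# Constructed TXT records keyed by owner name (no trailing dot), laid out as
# _<field>._<role>._whois.<domain>. The names from the thread are reused;
# the toronto.* and *.ca entries are invented for this example.
ZONE_TXT = {
    "_name._admin._whois.nohats.ca": ["Dan Draper"],
    "_tel._admin._whois.nohats.ca": ["+1-555-123-4567"],
    "_name._billing._whois.nohats.ca": ["Peggy Olson"],
    "_email._technical._whois.nohats.ca": ["hostmaster@nohats.ca"],  # constructed
    "_name._admin._whois.toronto.nohats.ca": ["Toronto Office"],    # constructed
    # Registry-level record (constructed): a lookup must never fall through to it.
    "_name._admin._whois.ca": ["Registry Desk"],
}

# Constructed stand-in for the public suffix list; real code would load
# the publicsuffix.org data. Any name at or above a suffix is out of scope.
PUBLIC_SUFFIXES = {"ca", "com", "co.uk"}


def is_public_suffix(name: str) -> bool:
    return name in PUBLIC_SUFFIXES


def candidate_bases(name: str):
    """Yield the name and each parent, most specific first, stopping before
    the first parent that is a public suffix (the zone-cut guard)."""
    labels = name.strip(".").lower().split(".")
    for i in range(len(labels)):
        base = ".".join(labels[i:])
        if is_public_suffix(base):
            return
        yield base


def parse_contacts(base: str, zone=ZONE_TXT):
    """Collect _<field>._<role>._whois.<base> records into
    {role: {field: [values]}}; owners with any other shape are ignored."""
    suffix = "._whois." + base
    contacts = defaultdict(dict)
    for owner, values in zone.items():
        if not owner.endswith(suffix):
            continue
        parts = owner[: -len(suffix)].split(".")
        # Accept exactly two underscore labels: _field._role
        if len(parts) != 2 or not all(p.startswith("_") for p in parts):
            continue
        field, role = parts[0][1:], parts[1][1:]
        contacts[role][field] = list(values)
    return dict(contacts)


def lookup_contacts(name: str, zone=ZONE_TXT):
    """Return (base_used, contacts) for the most specific base below the
    public-suffix boundary that publishes _whois records, else (None, {})."""
    for base in candidate_bases(name):
        contacts = parse_contacts(base, zone)
        if contacts:
            return base, contacts
    return None, {}


if __name__ == "__main__":
    for n in ("toronto.nohats.ca", "www.nohats.ca", "ca", "unrelated.ca"):
        print(n, "->", lookup_contacts(n))
```

Running the script shows `toronto.nohats.ca` resolving to its own (more specific) contact set, `www.nohats.ca` falling back to the records at `nohats.ca`, and both `ca` and `unrelated.ca` returning nothing, because the walk stops at the public suffix rather than trusting the registry-level record.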
