North American Network Operators Group


Re: lame delegations

  • From: Joshua Goodall
  • Date: Fri Aug 18 14:52:33 2000

(cross-cc'd to the RIPE LIR working group list for potential
interest/comment)

I suspect that solving this correctly would depend on the ICANN DNSO
recognising the authentication mechanisms of the databases of the RIRs
under the ICANN ASO (RIPE, ARIN, APNIC).

Unfortunately, no-one thought of this problem when they let registrars
inject host records. The only way to verify automatically that a host
record is allowed from a given netblock is to use the same authentication
mechanisms that (say) RIPE do for reverse delegations.

I doubt that the RIR databases would take the strain of continuous lookups
in that fashion. Furthermore, the RIPE database only defines password and
PGP access controls for the LIR allocated space, not the assigned space
used by nameserver operators. (no need to speculate upon the hazards of
mail-from authentication).

One possible solution, probably even manageable, is that the DNSO/NSI
Registry accepts host updates (or even just withdrawals) from an automated
RIR system that can be triggered by correctly authenticated LIR
maintainers, in the way that in-addr mappings already are. This satisfies
the point-of-control requirements, and could probably be implemented
without a change to the existing RRP.

I don't know whether the situation arises often enough to motivate such a
solution, but I would bet a (small) amount of money on some scriptkiddie
reading this thread and trying it out for their dubious kicks.

(you may guess correctly that I'm more familiar with RIPE systems than
ARIN/APNIC :))

-[ Joshua Goodall ]-----------------------------------------------
-[ IP Systems Architect ]---------------- Cook, Geek, Lover ------
-[ [email protected] ]--------------- [email protected] --

On Fri, 18 Aug 2000, John O Comeau wrote:

> 
> Obviously I didn't make it clear what is the problem in my previous post.
> So far I got the following 2 replies:
> 
> "The NIC should allow for dummy [default] nameservers and allow the 
> technical contact of a nameserver to remove his or her nameservers from a 
> domain without requiring an administrative ack."
> 
> Yes, but we are not the technical nor the admin contact for these domains;
> we just provide the IPs. What I propose is that the tech or admin contact
> of the NETBLOCK has authority to delete the host registration by virtue of
> the IP being his.
> 
> "If the IP's are allocated to you, what's it matter where your old
> customer still points their NS? Just remove the old customer from all of
> your db's and reallocate your IP's elsewhere."
> 
> We've been doing precisely that, and that's where the problem comes in.
> The new customer cannot register his nameservers because the IP is already
> registered as a nameserver. Then he complains, we look like idiots, and we
> have to give him other IPs to use.
> 
> [email protected] aka John Otis Lene Comeau
> Home page: http://world.std.com/~jcomeau/
> Disclaimer: Don't risk anything of value based on free advice.
> "Anybody can do the difficult stuff. Call me when it's impossible."
> 
>