Oki all,
Delivery of RC mail to me is fairly desultory. Apparently there is an
earlier thread. Post-Rome the very purpose of the RC seems to me to be
doubtful (advocacy for registrars other than NetSol+4), and post-Elana
the process of the RC left me disinterested.
I'm particularly enamored by Ross' notion of what is going on on NANOG.
Cheers,
Eric
------- Forwarded Message
Return-Path: owner-registrars@gnso.icann.org
Delivery-Date: Sun Jan 16 11:14:04 2005
Return-Path: <owner-registrars@gnso.icann.org>
Received: from greenriver.icann.org (greenriver.icann.org [192.0.35.121])
by nic-naa.net (8.13.1/8.13.1) with ESMTP id j0GBDxgx036293
for <brunner@nic-naa.net>; Sun, 16 Jan 2005 11:14:04 GMT
(envelope-from owner-registrars@gnso.icann.org)
Received: from greenriver.icann.org (greenriver [127.0.0.1])
by greenriver.icann.org (8.12.11/8.12.11) with ESMTP id j0GEx1Qg006202;
Sun, 16 Jan 2005 06:59:01 -0800
Received: (from majordomo@localhost)
by greenriver.icann.org (8.12.11/8.12.11/Submit) id j0GEx0hJ006201;
Sun, 16 Jan 2005 06:59:01 -0800
X-Authentication-Warning: greenriver.icann.org: majordomo set sender to owner-registrars@gnso.icann.org using -f
Received: from pechora.icann.org (pechora.icann.org [192.0.34.35])
by greenriver.icann.org (8.12.11/8.12.11) with ESMTP id j0GEwxrw006198
for <registrars@greenriver.icann.org>; Sun, 16 Jan 2005 06:59:00 -0800
Received: from tomts16-srv.bellnexxia.net (tomts16-srv.bellnexxia.net [209.226.175.4])
by pechora.icann.org (8.11.6/8.11.6) with ESMTP id j0GEwBA16293
for <registrars@dnso.org>; Sun, 16 Jan 2005 06:58:11 -0800
Received: from [192.168.2.101] ([67.71.54.206])
by tomts16-srv.bellnexxia.net
(InterMail vM.5.01.06.10 201-253-122-130-110-20040306) with ESMTP
id <20050116145857.SKGA1836.tomts16-srv.bellnexxia.net@[192.168.2.101]>;
Sun, 16 Jan 2005 09:58:57 -0500
Message-ID: <41EA80BF.7020608@tucows.com>
Eric Brunner-Williams in Portland Maine wrote:
...
I'm particularly enamored by Ross' notion of what is going on on NANOG.
------- Forwarded Message
From: "Ross Wm. Rader" <ross@tucows.com>
I don't see what you are looking at - .net and .com point to the same place with no indication of anything awry...of course, I'm late to the game and the DNS probably tells a different story...
This fellow is pretty confused, as from here (Michigan via Merit) the
DNS has pointed to different places since yesterday.
Looks like this may be among the first high-profile unauthorized
transfer under the new transfer policy.
Looks like a bunch of guys on the NANOG list engaging in a lot of conjecture without the benefit of a lot of facts.
Ah yes, those pesky facts. Hard to get many facts without cooperation
of the offending parties, now isn't it?
All we have to go on are the actual DNS and whois responses returned
on the 'net. Facts enough for most of us. Maybe the only facts that
matter operationally, as a matter of fact.
Since he somehow missed the fact that the DNS changed (what was *he* looking at), upon what did he base his opinion?
Maybe there needs to some sort of emergency reversion where at least the
nameservers can be rolled back immediately while the contesting parties
sort it out.
Might be interesting - what criteria would trigger the process?
Unauthorized change in the DNS asserted by any previous registrant.
A quick survey of some caching servers in my neighborhood reveals that
some of them return "old/correct" A RRs for panix.com at this time.
Following the DNS delegation chain from the root name servers provides
"new/hijacked" answers at this time. So I assume some operators of caching
servers now choose to provide data that is inconsistent with the
authoritative data in the DNS tree. So depending on where you ask, your
answer may vary.
Daniel
Is there anything that us folks out in the peanut gallery can
do to help, other than locally serving the panix.net zone
for panix.com?
Avoid being caught by an IPR lawyer while helping; 
Then organise operators to insert operational clue
into the various policy processes.
Daniel
>------- Forwarded Message
>
>From: "Ross Wm. Rader" <ross@tucows.com>
>
>
>I don't see what you are looking at - .net and .com point to the same
>place with no indication of anything awry...of course, I'm late to the
>game and the DNS probably tells a different story...
>
>
>
This fellow is pretty confused, as from here (Michigan via Merit) the
DNS has pointed to different places since yesterday.
A quick survey of some caching servers in my neighborhood reveals that
some of them return "old/correct" A RRs for panix.com at this time.
presumably they have cached ns records from before the switch in the
com tld zone.
Following the DNS delegation chain from the root name servers provides
"new/hijacked" answers at this time. So I assume some operators of caching
servers now choose to provide data that is inconsistent with the
authoritative data in the DNS tree. So depending on where you ask, your
answer may vary.
they're not choosing to do so, they're probably operating ~normally.
try asking them for the ns records for panix.com. the age should give
you an idea of how long ago they were fetched from *.gtld-servers.net.
they probably got them before the switch, they'll time out soon
enough, and then they'll restart from the "wrong" servers.
actually this is amazingly helpful. in fact
encouraging more ISPs to do the same thing is, IMHO,
the best way to route around hierarchical problems
like this.
imagine . . . "The Association of Trustworthy ISPs"
these ISPs watch out for each other. in the case of a
member's domain being hijacked all other members serve
the correct zone info. this provides for a
decentralized solution to the problem. this
association only admits members based on strict
criterion and drops members immediately upon discovery
of unethical behavior. as more ISPs join the
association end users will look for the association's
seal of approval when shopping for an ISP.
peace
Andrew Brown wrote:
------- Forwarded Message
From: "Ross Wm. Rader" <ross@tucows.com>
I don't see what you are looking at - .net and .com point to the same place with no indication of anything awry...of course, I'm late to the game and the DNS probably tells a different story...
This fellow is pretty confused, as from here (Michigan via Merit) the
DNS has pointed to different places since yesterday.
A quick survey of some caching servers in my neighborhood reveals that
some of them return "old/correct" A RRs for panix.com at this time.
presumably they have cached ns records from before the switch in the
com tld zone.
Thus justifying those who load their NS and corresponding NS's A records with nice long TTL
At least those whose caches' your still in will still talk to you after your registrar screws you.
(OT
Limiting named cache size could have an adverse effect for people hoping to cash into this inusurance. Shouldnt cache limiting kill low priority records such as A's which do not correspond to cached NS first....
)
Although this wasn't a problem in this case (hijacker did not appear to
have been interested in controlling dns since it points to default domain
registration and under construction page), but long TTL trick could be
used by hijackers - i.e. he gets some very popular domain, changes dns to
the one he controls and purposely sets long TTL. Now even if registrars
are able to act quickly and change registration back, those who cached new
dns data would keep it for quite long in their cache.
P.S. Just in case I chose not to send this info until panix.com had been
restored, but we really do need to deal with how it occurred in the first
place - even short term damage is bad so we need to have policies at ICANN
that do no allow unauthorized transfers or else all domains can be "LOCKED"
by default by registrars which effectively does the same.