For domains with no NS records? Who cares, they aren’t in actual use. (Or if 
they are, something is broken or, more likely, malicious, so block it.) 

Yes, the onus is on domain owners (and that requires consensus and adoption, 
which are not a given, but that’s why it’s being brought up here). The registrars and 
registries don’t want it and won’t accept it (see other email). 

As to your last point, yes, whoever can modify DNS owns these records, and if 
compromised that means you can’t trust it in real time (but passive DNS helps solve 
this). It’s distinct from a web server, which means “most” of the time you have 
to compromise two separate systems. What is best is independent third-party 
verification, but we don’t get that and we won’t. So, here we are. 

—
John Bambenek

On July 1st, 2019, my DGA feeds are converting to a CC-BY-NC-SA 4.0 license 
which means commercial use will require a license. Contact 
sa...@bambenekconsulting.com for details

On Jul 8, 2019, at 16:52, Patrick Mevzek <mev...@uniregistry.com> wrote:

> 
>> On 2019-07-08 16:38 -0500, John Bambenek 
>> <jcb=40bambenekconsulting....@dmarc.ietf.org> wrote:
>> In response to ICANN essentially removing most of the fields in WHOIS for 
>> domain records, Richard Porter and myself created a draft of an 
>> implementation putting these records into DNS TXT records.
> 
> Not all registered domains are published (no NS records), so what about those?
> 
> Also your proposal puts the onus of (valid) information publishing on the 
> registrant of each domain, no more on the registrar or the registry, because
> _whois.example.com is under the control of example.com and not under control 
> of the registry under which example.com lives and neither its registrar as 
> the DNS provider may not be the registrar.
> 
> So what did I not understand about who controls and where do the 
> _whois.example.com RRs exist?
> 
> As for:
> "This means that if a domain owner were compromised,
>   someone else has contact information to get in touch with the true
>   own to organize remediation."
> It depends on how you define "domain owner were compromised".
> This could as well mean "have access to the registrar panel to configure this 
> domain", which in turn means "being able to put whatever nameservers, and 
> hence DNS records, as one wishes". But you may be relying on the TTLs of old 
> records?
> (a point not discussed, I think; would long TTLs be good for those records?).
> 
> Also, a similar idea was floated on the regext mailing list some time ago:
> https://www.ietf.org/archive/id/draft-brown-whoami-02.txt
> This was using well known URIs to publish whois data and the URI DNS RR.
> -- 
> Patrick Mevzek
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

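The cross-check the thread gestures at, as an added illustration that is not code from either participant or from the draft: compare the `_whois.example.com` TXT value seen live against passive-DNS history, and flag it when the value is new, when the NS delegation changed recently, or when the zone has never been delegated at all (Mevzek's "no NS records" case). The observation layout (`name`, `rtype`, `rdata`, `first_seen`, `last_seen`) and the sample history for `example.com` are constructed assumptions, not any passive-DNS provider's real API or data.

```python
"""Cross-check a live _whois TXT record against passive-DNS history.

Added example for the DNSOP thread above; not code from any participant.
The observation layout and the HISTORY sample below are constructed
assumptions, not a real passive-DNS provider's format or data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PdnsObservation:
    name: str          # owner name, fully qualified
    rtype: str         # "NS" or "TXT"
    rdata: str
    first_seen: datetime
    last_seen: datetime


# Constructed sample history for the hypothetical zone example.com.:
# the delegation and the _whois TXT both change on 2019-07-02.
HISTORY = [
    PdnsObservation("example.com.", "NS", "ns1.registrar-dns.example.",
                    datetime(2018, 1, 1), datetime(2019, 7, 1)),
    PdnsObservation("example.com.", "NS", "ns1.other-dns.example.",
                    datetime(2019, 7, 2), datetime(2019, 7, 8)),
    PdnsObservation("_whois.example.com.", "TXT", "abuse=abuse@example.com",
                    datetime(2018, 1, 1), datetime(2019, 7, 1)),
    PdnsObservation("_whois.example.com.", "TXT", "abuse=abuse@other.example",
                    datetime(2019, 7, 2), datetime(2019, 7, 8)),
]


def assess(zone, live_txt, history, now, min_stable=timedelta(days=30)):
    """Return (verdict, reasons) for a live _whois TXT value.

    verdict is one of "not-delegated", "untrusted", "suspicious",
    "consistent". Only observations first seen on or before `now`
    are considered, so the function can be replayed at past dates.
    """
    seen = [o for o in history if o.first_seen <= now]
    ns_obs = [o for o in seen if o.name == zone and o.rtype == "NS"]
    txt_obs = [o for o in seen
               if o.name == f"_whois.{zone}" and o.rtype == "TXT"]
    reasons = []

    # A zone that was never delegated has no meaningful _whois record.
    if not ns_obs:
        return "not-delegated", ["no NS records ever observed for zone"]

    # A value passive DNS has never recorded cannot be corroborated.
    matching = [o for o in txt_obs if o.rdata == live_txt]
    if not matching:
        return "untrusted", ["live TXT value never seen in passive DNS"]

    # Young values and recent delegation changes both undercut trust.
    age = now - min(o.first_seen for o in matching)
    if age < min_stable:
        reasons.append(f"live TXT value first seen only {age.days} days ago")
    if any(now - o.first_seen < min_stable for o in ns_obs):
        reasons.append("NS delegation changed within the stability window")

    # Report the value that was current just before the change.
    prior = [o for o in txt_obs
             if o.rdata != live_txt and o.last_seen > now - min_stable]
    if prior:
        reasons.append(f"previous value {prior[0].rdata!r} was current "
                       f"until {prior[0].last_seen.date()}")

    return ("suspicious" if reasons else "consistent"), reasons


if __name__ == "__main__":
    verdict, why = assess("example.com.", "abuse=abuse@other.example",
                          HISTORY, datetime(2019, 7, 8))
    print(verdict)
    for r in why:
        print(" -", r)
```

Replaying the same query at an earlier date returns "consistent" for the long-standing value, which is the point: the live answer alone says nothing, the history around it does.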