Hi Adam,

--- Adam Eisner <[EMAIL PROTECTED]> wrote:

> This is definitely an issue we're actively involved in. It's a
> dangerous precedent, and I think that sentiment was largely shared
> among registrars at the Registrars Constituency meeting during the
> recent ICANN conference (Afilias came in to make a presentation on
> this new policy). We'll be working closely with the Constituency to
> address this issue.
That's good to hear. I've brought it up in the Business Constituency, and have also posted about it at:

http://forum.icann.org/lists/registryservice/

with a couple of posts that I just made (that should show up in the next few hours, given ICANN's slow confirmation system).

Some resellers who might be in the ISP constituency of ICANN:

http://gnso.icann.org/internet-service-and-connection-providers/

might want to bring it up there too, as it would also override the abuse departments of ISPs/webhosts (and might want to consider joining that constituency, if they want to get more involved in ICANN, or one of the other constituencies).

In my latest review of the relevant ICANN contracts, it's *possible* that Afilias is barred from presenting this as a "New Service" and instead might be compelled to propose a Consensus Policy. Through a Consensus Policy we can ensure that the rights of registrants to due process will be protected through input from all constituencies, and ensure that a policy that has proportionality and predictability is created.

According to paragraph 3.1.(d)(iii) of the .info agreement:

http://www.icann.org/tlds/agreements/info/registry-agmt-08dec06.htm

"(c) any other products or services that only a registry operator is capable of providing, by reason of its designation as the registry operator;"

Obviously the registrar is currently *equally* capable of cancelling or removing a domain name from the zone file, and handling abuse issues. So *by definition* this can't be a product or service that only the registry operator is capable of providing.

Furthermore, 3.1.(d)(iv)(G) provides specific definitions of "Security" and "Stability" that I do not believe are met by this proposal.

Note also that paragraph 3.1.(b)(iv)(F) of the agreement dealing with Consensus Policies specifically mentions:

"(F) resolution of disputes regarding whether particular parties may register or maintain registration of particular domain names."
An allegation of abuse, affecting whether a particular party may maintain a registration of a domain name, clearly falls under that description above.

The last section of 3.6.5 of the appendix (i.e. registry-registrar agreement) says:

http://www.icann.org/tlds/agreements/info/appendix-08-08dec06.htm

"Afilias also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute."

I would suggest that again an allegation of "abuse" is equivalent to a "dispute" in the above language, and that does not permit cancellation, but only registry lock, hold or similar status. 3.6.5 puts law enforcement and government (and courts) above the registry operator. This new proposal makes the registry operator become the policeman, the prosecution, judge, jury and executioner.

In all this thinking about "abuse", I came up with an idea that might help Afilias and others refine their proposals. Suppose abuse does originate on a domain name, ExampleUniversity.com, with thousands of hosts (e.g. departments each have hosts like geography.exampleuniversity.com, mba.exampleuniversity.com, undergrad.exampleuniversity.com, engineering.exampleuniversity.com) and nameservers of ns1.exampleuniversity.com and ns2.exampleuniversity.com. Suppose hacking tools are found at:

http://hackers.exampleuniversity.com/hiddendirectory/

Under Afilias' proposed policy, they'd be shutting down the entire domain name (or cancelling the domain) affecting 50,000+ students.

Here's another option. They can replace, in the zone file, the nameservers ns1.exampleuniversity.com and ns2.exampleuniversity.com with special nameservers ns1.afiliasabuse.com and ns2.afiliasabuse.com. These special nameservers would answer on behalf of the true nameservers. E.g. if someone was looking for www.exampleuniversity.com, which was not hacked, they would return the appropriate A record (e.g. 123.45.67.89) by looking it up against the ns1.exampleuniversity.com and ns2.exampleuniversity.com nameservers. However, if someone asked for the IP of hackers.exampleuniversity.com (the subdomain that had the abuse), they could then return NXDOMAIN (i.e. doesn't exist) or forward it to some error page. If someone was looking for the MX records, for email, which was unrelated to the abuse incident, the registry operator could continue to reply with the true MX records (in the background obtaining them from ns1.exampleuniversity.com and ns2.exampleuniversity.com).

Doing this buys more time to reach the relevant person at the university to remove the hacker tools, and also minimizes collateral damage, by maintaining to the maximum extent possible the innocent services (like email). It's a surgical tool and a proportionate response, instead of a giant blunt hammer.

So for example, if http://status.tucows.com got hacked, instead of deleting the entire domain name or removing it from the zone file, they would alter some of the responses. Instead of a request for "status.tucows.com" returning a CNAME of status2.tucows.com, and ultimately an A record of 64.97.131.49 as it does now, they could return instead NXDOMAIN (i.e. block it entirely) or instead redirect it to another site, like www.registryabuse.com (to tell people what happened, and let you know what to do). All other hostnames like www.tucows.com would be mirrored. Furthermore, your email MX records would be mirrored by the registry, i.e. they would still be:

mx.tucows.com.cust.hostedemail.com.

and so your email would continue to function. Registrars and ISPs/webhosts are capable of doing this too.
Indeed, registrars/ISPs/webhosts might be in superior positions to know the interrelationships and interdependencies of a domain name, thereby reducing the chances of causing a cascade of failures to many other services, individuals and companies, as Simon had implied in a prior email in this thread (where a domain was being used as a nameserver for thousands of other sites, in his example).

I believe this proposal was partly motivated by some Mickey Mouse registrars not responding in a timely manner to abuse, and certainly Tucows is one of the best registrars in that regard. Perhaps Afilias should be trying instead to crack down on bad registrars, or raise the bar to accreditation (and indeed, go after some of the surety bonds of registrars who fail their obligations). Customers of good registrars, who have no direct contractual relationship with the registries at all, shouldn't be punished due to those bad registrars. I imagine registry operators would never want to give registrants direct contractual rights/responsibilities either, lest the registries be found liable when they inevitably drop the ball and cause damage to innocent registrants.

Sincerely,

George Kirikos
http://www.kirikos.com/

_______________________________________________
domains-gen mailing list
[email protected]
http://discuss.tucows.com/mailman/listinfo/domains-gen
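To make the selective-answer idea in the message above concrete, here is an added example (an editor's illustration, not code from the original email, from Afilias or from Tucows) of what the proposed ns1.afiliasabuse.com would have to do at the wire level: parse a DNS query, return NXDOMAIN only for hackers.exampleuniversity.com (and anything beneath it), and relay every other answer, A and MX alike, so www and email keep working. The "upstream" is an in-memory dictionary standing in for ns1/ns2.exampleuniversity.com; the 123.45.67.89 address comes from the message, while the other addresses, the mx.exampleuniversity.com host and the blocklist contents are constructed for the example. A real deployment would wrap handle_query() in a UDP/TCP listener and send the same question to the true nameservers instead of consulting the dictionary.

```python
"""Minimal selective-block DNS responder, pure standard library.

Answers on behalf of a domain's real nameservers: NXDOMAIN for names on an
abuse list, pass-through of the upstream answer for everything else.
"""
import socket
import struct

QTYPE_A, QTYPE_MX = 1, 15
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

# Hostnames the registry has decided to blackhole (constructed for the example).
# Only these names, and labels beneath them, get NXDOMAIN; the rest of the zone
# is answered exactly as upstream would answer it.
ABUSE_BLOCKLIST = {"hackers.exampleuniversity.com"}


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as uncompressed DNS wire-format labels."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(struct.pack("B", len(lab)) + lab.encode() for lab in labels) + b"\x00"


def decode_name(wire: bytes, off: int):
    """Decode labels at `off`, following compression pointers.
    Returns (lower-cased name, offset just past the name in the original stream)."""
    labels, jumped, end = [], False, off
    for _ in range(128):                      # bound the walk: guards against pointer loops
        length = wire[off]
        if length & 0xC0 == 0xC0:             # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", wire[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(wire[off:off + length].decode())
        off += length
    return ".".join(labels).lower(), end


# Constructed stand-in for the data served by ns1/ns2.exampleuniversity.com.
# A real proxy would relay the question to those servers rather than read a dict.
UPSTREAM_ZONE = {
    "exampleuniversity.com": {
        QTYPE_MX: [(300, struct.pack("!H", 10) + encode_name("mx.exampleuniversity.com"))],
    },
    "www.exampleuniversity.com": {QTYPE_A: [(300, socket.inet_aton("123.45.67.89"))]},
    "hackers.exampleuniversity.com": {QTYPE_A: [(300, socket.inet_aton("123.45.67.90"))]},
    "mx.exampleuniversity.com": {QTYPE_A: [(300, socket.inet_aton("123.45.67.25"))]},
}


def upstream_lookup(name: str, qtype: int):
    """Return (rcode, [(ttl, rdata), ...]) the way the true nameservers would."""
    if name not in UPSTREAM_ZONE:
        return RCODE_NXDOMAIN, []
    return RCODE_NOERROR, UPSTREAM_ZONE[name].get(qtype, [])


def is_blocked(name: str) -> bool:
    """True for a blocklisted name or any name beneath one."""
    return any(name == b or name.endswith("." + b) for b in ABUSE_BLOCKLIST)


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a standard recursive-desired query with one question (IN class)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def handle_query(wire: bytes) -> bytes:
    """Answer one query: NXDOMAIN for blocked names, upstream data otherwise."""
    txid, flags, qdcount = struct.unpack("!HHH", wire[:6])
    if qdcount != 1:                          # FORMERR for anything unusual
        return struct.pack("!HHHHHH", txid, 0x8001, 0, 0, 0, 0)
    qname, off = decode_name(wire, 12)
    qtype, _qclass = struct.unpack("!HH", wire[off:off + 4])
    question = wire[12:off + 4]

    if is_blocked(qname):
        rcode, records = RCODE_NXDOMAIN, []
    else:
        rcode, records = upstream_lookup(qname, qtype)

    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080 | rcode   # QR=1, copy RD, RA=1
    answers = b""
    for ttl, rdata in records:
        # 0xC00C is a pointer back to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, len(records), 0, 0)
    return header + question + answers


def parse_response(wire: bytes):
    """Decode txid, rcode and the answer section for inspection."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(wire, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(wire, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        rdata = wire[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A:
            answers.append((name, "A", socket.inet_ntoa(rdata)))
        elif rtype == QTYPE_MX:
            pref = struct.unpack("!H", rdata[:2])[0]
            exch, _ = decode_name(wire, off - rdlen + 2)
            answers.append((name, "MX", (pref, exch)))
        else:
            answers.append((name, rtype, rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


if __name__ == "__main__":
    for qname, qtype in [("www.exampleuniversity.com", QTYPE_A),
                         ("hackers.exampleuniversity.com", QTYPE_A),
                         ("exampleuniversity.com", QTYPE_MX)]:
        print(qname, parse_response(handle_query(build_query(qname, qtype))))
```

Two caveats a practitioner would raise before deploying this: if the zone is DNSSEC-signed, a substitute server cannot produce valid signatures either for the relayed data or for its NXDOMAIN denial, so validating resolvers would treat the whole domain as bogus rather than just the blocked host; and resolvers that already cached the blocked name keep serving it until its TTL expires, so the block is not instantaneous.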
