Delegated strings: WHOIS & SLAs...
Looking at some of the recently delegated new gTLDs, i was very surprised to learn that the WHOIS service is unreachable for some of those TLDs (which makes me wonder how they passed PDT, or why the service degraded since then?). Anyways, since WHOIS is included in the SLA requirements of ICANN, this makes me also wonder when the SLA actually "kicks in", and, whether the SLAs are actually being measured right now by ICANN ... Any information about this? Alex
Are you using whois.nic.<TLD> or the WHOIS server mentioned at http://www.iana.org/whois?q=<TLD> ? Rubens On Nov 20, 2013, at 10:53 AM, Alexander Mayrhofer <alexander.mayrhofer@nic.at> wrote:
Looking at some of the recently delegated new gTLDs, i was very surprised to learn that the WHOIS service is unreachable for some of those TLDs (which makes me wonder how they passed PDT, or why the service degraded since then?). Anyways, since WHOIS is included in the SLA requirements of ICANN, this makes me also wonder when the SLA actually "kicks in", and, whether the SLAs are actually being measured right now by ICANN ...
Any information about this?
Alex
Maybe the SLA only kicks in once there are actually delegated domains? Unless they're doing a Start-Date Sunrise (e.g. FCFS Sunrise), then there won't be anything in their WHOIS database until Sunrise ends. On Wed, Nov 20, 2013 at 9:01 AM, Rubens Kuhl <rubensk@nic.br> wrote:
Are you using whois.nic.<TLD> or the WHOIS server mentioned at http://www.iana.org/whois?q=<TLD> ?
Rubens
On Nov 20, 2013, at 10:53 AM, Alexander Mayrhofer < alexander.mayrhofer@nic.at> wrote:
Looking at some of the recently delegated new gTLDs, i was very
surprised to learn that the WHOIS service is unreachable for some of those TLDs (which makes me wonder how they passed PDT, or why the service degraded since then?). Anyways, since WHOIS is included in the SLA requirements of ICANN, this makes me also wonder when the SLA actually "kicks in", and, whether the SLAs are actually being measured right now by ICANN ...
Any information about this?
Alex
At least the "nic,rdds,whois,www" domains should be contained in the WHOIS straight from the beginning, although only the "nic" domain would be in the DNS. Alex Von: Seth Goldman [mailto:sethamin@google.com] Gesendet: Mittwoch, 20. November 2013 16:20 An: Rubens Kuhl Cc: Alexander Mayrhofer; gtld-tech@icann.org Betreff: Re: [gtld-tech] Delegated strings: WHOIS & SLAs... Maybe the SLA only kicks in once there are actually delegated domains? Unless they're doing a Start-Date Sunrise (e.g. FCFS Sunrise), then there won't be anything in their WHOIS database until Sunrise ends. On Wed, Nov 20, 2013 at 9:01 AM, Rubens Kuhl <rubensk@nic.br<mailto:rubensk@nic.br>> wrote: Are you using whois.nic.<TLD> or the WHOIS server mentioned at http://www.iana.org/whois?q=<TLD> ? Rubens On Nov 20, 2013, at 10:53 AM, Alexander Mayrhofer <alexander.mayrhofer@nic.at<mailto:alexander.mayrhofer@nic.at>> wrote:
Looking at some of the recently delegated new gTLDs, i was very surprised to learn that the WHOIS service is unreachable for some of those TLDs (which makes me wonder how they passed PDT, or why the service degraded since then?). Anyways, since WHOIS is included in the SLA requirements of ICANN, this makes me also wonder when the SLA actually "kicks in", and, whether the SLAs are actually being measured right now by ICANN ...
Any information about this?
Alex
I'm using whois.nic.<TLD> - and, yes, nic.<TLD> is properly delegated and reachable in that case, but "whois.nic.<tld>" returns an NXDOMAIN. My understanding is that ICANN requires the WHOIS service to be offered under that hostname... See the respective specification in the AGB.. Indeed, the IANA record shows a different server - so, do i understand correctly that you can actually submit to IANA a different WHOIS server than the one required by ICANN? Can anyone who's already delegated confirm this? Alex
-----Ursprüngliche Nachricht----- Von: Rubens Kuhl [mailto:rubensk@nic.br] Gesendet: Mittwoch, 20. November 2013 15:02 An: Alexander Mayrhofer Cc: gtld-tech@icann.org Betreff: Re: [gtld-tech] Delegated strings: WHOIS & SLAs...
Are you using whois.nic.<TLD> or the WHOIS server mentioned at http://www.iana.org/whois?q=<TLD> ?
Rubens
On Nov 20, 2013, at 10:53 AM, Alexander Mayrhofer <alexander.mayrhofer@nic.at> wrote:
Looking at some of the recently delegated new gTLDs, i was very surprised
to learn that the WHOIS service is unreachable for some of those TLDs (which makes me wonder how they passed PDT, or why the service degraded since then?). Anyways, since WHOIS is included in the SLA requirements of ICANN, this makes me also wonder when the SLA actually "kicks in", and, whether the SLAs are actually being measured right now by ICANN ...
Any information about this?
Alex
Actually, as whois service is tested prior to delegation, you have to enter the zone with whois not in the TLD in the first place, and then using an IANA change request to move it. ICANN mentioned that the main requirement for standardised whois.nic.<TLD> is CA-related activities, so they will probably don’t mind not having whois.nic.<TLD> prior to the 120-days after contract signing where you cannot delegate anything besides nic.<TLD> Rubens On Nov 20, 2013, at 12:25 PM, Alexander Mayrhofer <alexander.mayrhofer@nic.at> wrote:
I'm using whois.nic.<TLD> - and, yes, nic.<TLD> is properly delegated and reachable in that case, but "whois.nic.<tld>" returns an NXDOMAIN. My understanding is that ICANN requires the WHOIS service to be offered under that hostname... See the respective specification in the AGB..
Indeed, the IANA record shows a different server - so, do i understand correctly that you can actually submit to IANA a different WHOIS server than the one required by ICANN? Can anyone who's already delegated confirm this?
Alex
-----Ursprüngliche Nachricht----- Von: Rubens Kuhl [mailto:rubensk@nic.br] Gesendet: Mittwoch, 20. November 2013 15:02 An: Alexander Mayrhofer Cc: gtld-tech@icann.org Betreff: Re: [gtld-tech] Delegated strings: WHOIS & SLAs...
Are you using whois.nic.<TLD> or the WHOIS server mentioned at http://www.iana.org/whois?q=<TLD> ?
Rubens
On Nov 20, 2013, at 10:53 AM, Alexander Mayrhofer <alexander.mayrhofer@nic.at> wrote:
Looking at some of the recently delegated new gTLDs, i was very surprised
to learn that the WHOIS service is unreachable for some of those TLDs (which makes me wonder how they passed PDT, or why the service degraded since then?). Anyways, since WHOIS is included in the SLA requirements of ICANN, this makes me also wonder when the SLA actually "kicks in", and, whether the SLAs are actually being measured right now by ICANN ...
Any information about this?
Alex
FYI, Spec 4: "Registration Data Directory Services. Until ICANN requires a different protocol, Registry Operator will operate a WHOIS service available via port 43 in accordance with RFC 3912, and a web-based Directory Service at <whois.nic.TLD> providing free public query-based access to at least the following elements in the following format." So web-based MUST be at nic.tld. But oddly, I dont see that whois.nic.tld was required for port 43 service. One would think that if a TLD has a name in the zone, then WHOIS service would be available. All best, --Greg -----Original Message----- From: gtld-tech-bounces@icann.org [mailto:gtld-tech-bounces@icann.org] On Behalf Of Rubens Kuhl Sent: Wednesday, November 20, 2013 10:29 AM To: Alexander Mayrhofer Cc: gtld-tech@icann.org Subject: Re: [gtld-tech] Delegated strings: WHOIS & SLAs... Actually, as whois service is tested prior to delegation, you have to enter the zone with whois not in the TLD in the first place, and then using an IANA change request to move it. ICANN mentioned that the main requirement for standardised whois.nic.<TLD> is CA-related activities, so they will probably dont mind not having whois.nic.<TLD> prior to the 120-days after contract signing where you cannot delegate anything besides nic.<TLD> Rubens On Nov 20, 2013, at 12:25 PM, Alexander Mayrhofer <alexander.mayrhofer@nic.at> wrote:
I'm using whois.nic.<TLD> - and, yes, nic.<TLD> is properly delegated and reachable in that case, but "whois.nic.<tld>" returns an NXDOMAIN. My understanding is that ICANN requires the WHOIS service to be offered under that hostname... See the respective specification in the AGB..
Indeed, the IANA record shows a different server - so, do i understand correctly that you can actually submit to IANA a different WHOIS server than the one required by ICANN? Can anyone who's already delegated confirm this?
Alex
-----Ursprüngliche Nachricht----- Von: Rubens Kuhl [mailto:rubensk@nic.br] Gesendet: Mittwoch, 20. November 2013 15:02 An: Alexander Mayrhofer Cc: gtld-tech@icann.org Betreff: Re: [gtld-tech] Delegated strings: WHOIS & SLAs...
Are you using whois.nic.<TLD> or the WHOIS server mentioned at http://www.iana.org/whois?q=<TLD> ?
Rubens
On Nov 20, 2013, at 10:53 AM, Alexander Mayrhofer <alexander.mayrhofer@nic.at> wrote:
Looking at some of the recently delegated new gTLDs, i was very surprised
to learn that the WHOIS service is unreachable for some of those TLDs (which makes me wonder how they passed PDT, or why the service degraded since then?). Anyways, since WHOIS is included in the SLA requirements of ICANN, this makes me also wonder when the SLA actually "kicks in", and, whether the SLAs are actually being measured right now by ICANN ...
Any information about this?
Alex
In an ideal world they would all be using _nicname._tcp.tld SRV records: jay$ dig +short _nicname._tcp.nz srv 0 0 43 whois.srs.net.nz. I've only checked ten and none have it. Old article here: http://www.circleid.com/posts/whois_server_address_registry/ Jay On 20/11/2013, at 1:03 pm, Greg Aaron <greg@illumintel.com> wrote:
FYI, Spec 4: "Registration Data Directory Services. Until ICANN requires a different protocol, Registry Operator will operate a WHOIS service available via port 43 in accordance with RFC 3912, and a web-based Directory Service at <whois.nic.TLD> providing free public query-based access to at least the following elements in the following format."
So web-based MUST be at nic.tld. But oddly, I don’t see that whois.nic.tld was required for port 43 service.
One would think that if a TLD has a name in the zone, then WHOIS service would be available.
All best, --Greg
-----Original Message----- From: gtld-tech-bounces@icann.org [mailto:gtld-tech-bounces@icann.org] On Behalf Of Rubens Kuhl Sent: Wednesday, November 20, 2013 10:29 AM To: Alexander Mayrhofer Cc: gtld-tech@icann.org Subject: Re: [gtld-tech] Delegated strings: WHOIS & SLAs...
Actually, as whois service is tested prior to delegation, you have to enter the zone with whois not in the TLD in the first place, and then using an IANA change request to move it.
ICANN mentioned that the main requirement for standardised whois.nic.<TLD> is CA-related activities, so they will probably don’t mind not having whois.nic.<TLD> prior to the 120-days after contract signing where you cannot delegate anything besides nic.<TLD>
Rubens
On Nov 20, 2013, at 12:25 PM, Alexander Mayrhofer <alexander.mayrhofer@nic.at> wrote:
I'm using whois.nic.<TLD> - and, yes, nic.<TLD> is properly delegated and reachable in that case, but "whois.nic.<tld>" returns an NXDOMAIN. My understanding is that ICANN requires the WHOIS service to be offered under that hostname... See the respective specification in the AGB..
Indeed, the IANA record shows a different server - so, do i understand correctly that you can actually submit to IANA a different WHOIS server than the one required by ICANN? Can anyone who's already delegated confirm this?
Alex
-----Ursprüngliche Nachricht----- Von: Rubens Kuhl [mailto:rubensk@nic.br] Gesendet: Mittwoch, 20. November 2013 15:02 An: Alexander Mayrhofer Cc: gtld-tech@icann.org Betreff: Re: [gtld-tech] Delegated strings: WHOIS & SLAs...
Are you using whois.nic.<TLD> or the WHOIS server mentioned at http://www.iana.org/whois?q=<TLD> ?
Rubens
On Nov 20, 2013, at 10:53 AM, Alexander Mayrhofer <alexander.mayrhofer@nic.at> wrote:
Looking at some of the recently delegated new gTLDs, i was very surprised
to learn that the WHOIS service is unreachable for some of those TLDs (which makes me wonder how they passed PDT, or why the service degraded since then?). Anyways, since WHOIS is included in the SLA requirements of ICANN, this makes me also wonder when the SLA actually "kicks in", and, whether the SLAs are actually being measured right now by ICANN ...
Any information about this?
Alex
-- Jay Daley Chief Executive .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 931 6977 mobile: +64 21 678840 linkedin: www.linkedin.com/in/jaydaley
gTLDs can’t delegate names with _ due to policy, so you won’t see them. And as _tcp is also a threat vector, I don’t see that changing in the future. Rubens On Nov 20, 2013, at 2:43 PM, Jay Daley <jay@nzrs.net.nz> wrote:
In an ideal world they would all be using _nicname._tcp.tld SRV records:
jay$ dig +short _nicname._tcp.nz srv 0 0 43 whois.srs.net.nz.
I've only checked ten and none have it.
Old article here: http://www.circleid.com/posts/whois_server_address_registry/
Jay
On 20/11/2013, at 1:03 pm, Greg Aaron <greg@illumintel.com> wrote:
FYI, Spec 4: "Registration Data Directory Services. Until ICANN requires a different protocol, Registry Operator will operate a WHOIS service available via port 43 in accordance with RFC 3912, and a web-based Directory Service at <whois.nic.TLD> providing free public query-based access to at least the following elements in the following format."
So web-based MUST be at nic.tld. But oddly, I don’t see that whois.nic.tld was required for port 43 service.
One would think that if a TLD has a name in the zone, then WHOIS service would be available.
All best, --Greg
-----Original Message----- From: gtld-tech-bounces@icann.org [mailto:gtld-tech-bounces@icann.org] On Behalf Of Rubens Kuhl Sent: Wednesday, November 20, 2013 10:29 AM To: Alexander Mayrhofer Cc: gtld-tech@icann.org Subject: Re: [gtld-tech] Delegated strings: WHOIS & SLAs...
Actually, as whois service is tested prior to delegation, you have to enter the zone with whois not in the TLD in the first place, and then using an IANA change request to move it.
ICANN mentioned that the main requirement for standardised whois.nic.<TLD> is CA-related activities, so they will probably don’t mind not having whois.nic.<TLD> prior to the 120-days after contract signing where you cannot delegate anything besides nic.<TLD>
Rubens
On Nov 20, 2013, at 12:25 PM, Alexander Mayrhofer <alexander.mayrhofer@nic.at> wrote:
I'm using whois.nic.<TLD> - and, yes, nic.<TLD> is properly delegated and reachable in that case, but "whois.nic.<tld>" returns an NXDOMAIN. My understanding is that ICANN requires the WHOIS service to be offered under that hostname... See the respective specification in the AGB..
Indeed, the IANA record shows a different server - so, do i understand correctly that you can actually submit to IANA a different WHOIS server than the one required by ICANN? Can anyone who's already delegated confirm this?
Alex
-----Ursprüngliche Nachricht----- Von: Rubens Kuhl [mailto:rubensk@nic.br] Gesendet: Mittwoch, 20. November 2013 15:02 An: Alexander Mayrhofer Cc: gtld-tech@icann.org Betreff: Re: [gtld-tech] Delegated strings: WHOIS & SLAs...
Are you using whois.nic.<TLD> or the WHOIS server mentioned at http://www.iana.org/whois?q=<TLD> ?
Rubens
On Nov 20, 2013, at 10:53 AM, Alexander Mayrhofer <alexander.mayrhofer@nic.at> wrote:
Looking at some of the recently delegated new gTLDs, i was very surprised
to learn that the WHOIS service is unreachable for some of those TLDs (which makes me wonder how they passed PDT, or why the service degraded since then?). Anyways, since WHOIS is included in the SLA requirements of ICANN, this makes me also wonder when the SLA actually "kicks in", and, whether the SLAs are actually being measured right now by ICANN ...
Any information about this?
Alex
-- Jay Daley Chief Executive .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 931 6977 mobile: +64 21 678840 linkedin: www.linkedin.com/in/jaydaley
On 20/11/2013, at 2:46 pm, Rubens Kuhl <rubensk@nic.br> wrote:
gTLDs can’t delegate names with _ due to policy, so you won’t see them. And as _tcp is also a threat vector, I don’t see that changing in the future.
It's not a delegation, nor is it a registration - are "control" records forbidden to new TLDs? Jay
Rubens
On Nov 20, 2013, at 2:43 PM, Jay Daley <jay@nzrs.net.nz> wrote:
In an ideal world they would all be using _nicname._tcp.tld SRV records:
jay$ dig +short _nicname._tcp.nz srv 0 0 43 whois.srs.net.nz.
I've only checked ten and none have it.
Old article here: http://www.circleid.com/posts/whois_server_address_registry/
Jay
On 20/11/2013, at 1:03 pm, Greg Aaron <greg@illumintel.com> wrote:
FYI, Spec 4: "Registration Data Directory Services. Until ICANN requires a different protocol, Registry Operator will operate a WHOIS service available via port 43 in accordance with RFC 3912, and a web-based Directory Service at <whois.nic.TLD> providing free public query-based access to at least the following elements in the following format."
So web-based MUST be at nic.tld. But oddly, I don’t see that whois.nic.tld was required for port 43 service.
One would think that if a TLD has a name in the zone, then WHOIS service would be available.
All best, --Greg
-----Original Message----- From: gtld-tech-bounces@icann.org [mailto:gtld-tech-bounces@icann.org] On Behalf Of Rubens Kuhl Sent: Wednesday, November 20, 2013 10:29 AM To: Alexander Mayrhofer Cc: gtld-tech@icann.org Subject: Re: [gtld-tech] Delegated strings: WHOIS & SLAs...
Actually, as whois service is tested prior to delegation, you have to enter the zone with whois not in the TLD in the first place, and then using an IANA change request to move it.
ICANN mentioned that the main requirement for standardised whois.nic.<TLD> is CA-related activities, so they will probably don’t mind not having whois.nic.<TLD> prior to the 120-days after contract signing where you cannot delegate anything besides nic.<TLD>
Rubens
On Nov 20, 2013, at 12:25 PM, Alexander Mayrhofer <alexander.mayrhofer@nic.at> wrote:
I'm using whois.nic.<TLD> - and, yes, nic.<TLD> is properly delegated and reachable in that case, but "whois.nic.<tld>" returns an NXDOMAIN. My understanding is that ICANN requires the WHOIS service to be offered under that hostname... See the respective specification in the AGB..
Indeed, the IANA record shows a different server - so, do i understand correctly that you can actually submit to IANA a different WHOIS server than the one required by ICANN? Can anyone who's already delegated confirm this?
Alex
-----Ursprüngliche Nachricht----- Von: Rubens Kuhl [mailto:rubensk@nic.br] Gesendet: Mittwoch, 20. November 2013 15:02 An: Alexander Mayrhofer Cc: gtld-tech@icann.org Betreff: Re: [gtld-tech] Delegated strings: WHOIS & SLAs...
Are you using whois.nic.<TLD> or the WHOIS server mentioned at http://www.iana.org/whois?q=<TLD> ?
Rubens
On Nov 20, 2013, at 10:53 AM, Alexander Mayrhofer <alexander.mayrhofer@nic.at> wrote:
Looking at some of the recently delegated new gTLDs, i was very surprised
to learn that the WHOIS service is unreachable for some of those TLDs (which makes me wonder how they passed PDT, or why the service degraded since then?). Anyways, since WHOIS is included in the SLA requirements of ICANN, this makes me also wonder when the SLA actually "kicks in", and, whether the SLAs are actually being measured right now by ICANN ...
Any information about this?
Alex
-- Jay Daley Chief Executive .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 931 6977 mobile: +64 21 678840 linkedin: www.linkedin.com/in/jaydaley
-- Jay Daley Chief Executive .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 931 6977 mobile: +64 21 678840 linkedin: www.linkedin.com/in/jaydaley
On 20/11/2013 17:48, Jay Daley wrote:
On 20/11/2013, at 2:46 pm, Rubens Kuhl <rubensk@nic.br> wrote:
gTLDs can’t delegate names with _ due to policy, so you won’t see them. And as _tcp is also a threat vector, I don’t see that changing in the future.
It's not a delegation, nor is it a registration - are "control" records forbidden to new TLDs?
Yep - you're only allowed SOA, apex NS, glue, DNSSEC records and delegations - nothing else. G. -- Gavin Brown Chief Technology Officer CentralNic Group plc (LSE:CNIC) Innovative, Reliable and Flexible Registry Services for ccTLD, gTLD and private domain name registries https://www.centralnic.com/ CentralNic Group plc is a company registered in England and Wales with company number 8576358. Registered Offices: 35-39 Moorgate, London, EC2R 6AR.
On Nov 20, 2013, at 8:00 PM, John Levine <johnl@taugh.com> wrote:
Yep - you're only allowed SOA, apex NS, glue, DNSSEC records and delegations - nothing else.
That's at the apex of the TLD.
By my count _whois._tcp.tld is two levels down.
R's, John
PS: What threat model do people believe is enabled by _tcp?
Include namespace collisions in the mix and you could possibly divert corporate infrastructure to rogue servers. http://www.icann.org/en/about/staff/security/ssr/name-collision-02aug13-en.p... http://forum.icann.org/lists/comments-name-collision-05aug13/pdfOPzpyE9PtF.p... Name includes _ldap or _kerberos at the lowest level _ldap._tcp.dc._msdcs.<etc.> _kerberos._tcp.dc._msdcs.<etc.> Name includes _sip, _sipinternal, _sipinternaltls, _sipfederationtls, or _sips at the lowest level _sip._udp.<etc.> Rubens
On 20/11/2013 23:00, John Levine wrote:
Yep - you're only allowed SOA, apex NS, glue, DNSSEC records and delegations - nothing else.
That's at the apex of the TLD.
By my count _whois._tcp.tld is two levels down.
_tcp.tld could not be delegated as "_tcp" is not permissable as a delegation. The standard Appendix A in the gTLD Registry Agreement states that other records can be added, once an RSEP evaluation has taken place "to determine whether the service would create a risk of a meaningful adverse impact on security or stability of the DNS". G. -- Gavin Brown Chief Technology Officer CentralNic Group plc (LSE:CNIC) Innovative, Reliable and Flexible Registry Services for ccTLD, gTLD and private domain name registries https://www.centralnic.com/ CentralNic Group plc is a company registered in England and Wales with company number 8576358. Registered Offices: 35-39 Moorgate, London, EC2R 6AR.
On 21/11/2013, at 6:13 am, Gavin Brown <gavin.brown@centralnic.com> wrote:
On 20/11/2013 23:00, John Levine wrote:
Yep - you're only allowed SOA, apex NS, glue, DNSSEC records and delegations - nothing else.
That's at the apex of the TLD.
By my count _whois._tcp.tld is two levels down.
_tcp.tld could not be delegated as "_tcp" is not permissable as a delegation.
Unless ICANN has redefined the word 'delegation' this is not a delegation as there are no NS records for _tcp.
The standard Appendix A in the gTLD Registry Agreement states that other records can be added, once an RSEP evaluation has taken place "to determine whether the service would create a risk of a meaningful adverse impact on security or stability of the DNS".
That seems sensible but I wonder if it could be short cut on the basis that 20 or so TLDs including some of the largest already have this record and the world has not ended? cheers Jay -- Jay Daley Chief Executive .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 931 6977 mobile: +64 21 678840 linkedin: www.linkedin.com/in/jaydaley
The standard Appendix A in the gTLD Registry Agreement states that other records can be added, once an RSEP evaluation has taken place "to determine whether the service would create a risk of a meaningful adverse impact on security or stability of the DNS".
That seems sensible but I wonder if it could be short cut on the basis that 20 or so TLDs including some of the largest already have this record and the world has not ended?
The same can be said about dot-less domains (records other NS/DS at the TLD level), but there are both contractual limitations and technical reports against those. Rubens
On 21/11/2013, at 11:03 am, Rubens Kuhl <rubensk@nic.br> wrote:
The standard Appendix A in the gTLD Registry Agreement states that other records can be added, once an RSEP evaluation has taken place "to determine whether the service would create a risk of a meaningful adverse impact on security or stability of the DNS".
That seems sensible but I wonder if it could be short cut on the basis that 20 or so TLDs including some of the largest already have this record and the world has not ended?
The same can be said about dot-less domains (records other NS/DS at the TLD level), but there are both contractual limitations and technical reports against those.
I think you've explained why the same could not be said about dotless domains! Anyway, this is nothing to do with dotless domains. Jay
Rubens
-- Jay Daley Chief Executive .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 931 6977 mobile: +64 21 678840 linkedin: www.linkedin.com/in/jaydaley
On 11/21/2013 07:33 AM, Jay Daley wrote:
On 21/11/2013, at 6:13 am, Gavin Brown <gavin.brown@centralnic.com> wrote:
On 20/11/2013 23:00, John Levine wrote:
Yep - you're only allowed SOA, apex NS, glue, DNSSEC records and delegations - nothing else.
That's at the apex of the TLD.
By my count _whois._tcp.tld is two levels down.
_tcp.tld could not be delegated as "_tcp" is not permissable as a delegation.
Unless ICANN has redefined the word 'delegation' this is not a delegation as there are no NS records for _tcp.
The standard Appendix A in the gTLD Registry Agreement states that other records can be added, once an RSEP evaluation has taken place "to determine whether the service would create a risk of a meaningful adverse impact on security or stability of the DNS".
That seems sensible but I wonder if it could be short cut on the basis that 20 or so TLDs including some of the largest already have this record and the world has not ended?
Not to mention the >60 TLDs with TXTs, the most popular one being the "generation time" of the zone. Hugo
That seems sensible but I wonder if it could be short cut on the basis that 20 or so TLDs including some of the largest already have this record and the world has not ended?
Considering that there have been apex A and AAAA records in many ccTLDs for 15 years, probably not. I don't think SRV at the TLD apex is a problem, but there's a lot of both good and bad cruft floating around. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail.
Whilst right now putting in the SRV record for WhoIs would be against our contracts, ICANN has committed that if that path is the chosen path for WEIRDS they would amend our contracts to allow it to be used. I see no reason why we can't have such amendment done now. Can an ICANN staffer on this list please comment? Thanks Chris -----Original Message----- From: gtld-tech-bounces@icann.org [mailto:gtld-tech-bounces@icann.org] On Behalf Of John R Levine Sent: Friday, 22 November 2013 3:15 AM To: Jay Daley Cc: gtld-tech@icann.org Subject: Re: [gtld-tech] Delegated strings: WHOIS & SLAs...
That seems sensible but I wonder if it could be short cut on the basis that 20 or so TLDs including some of the largest already have this record and the world has not ended?
Considering that there have been apex A and AAAA records in many ccTLDs for 15 years, probably not. I don't think SRV at the TLD apex is a problem, but there's a lot of both good and bad cruft floating around. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail.
On 2013-11-21, at 14:11, Chris Wright <chris@ausregistry.com.au> wrote:
Whilst right now putting in the SRV record for WhoIs would be against our contracts,
For clarity, is there a contractual reason why a registry operator couldn't delegate _whois._tcp.TLD and serve the apex SRV record in a separate zone? Joe
For clarity, is there a contractual reason why a registry operator couldn't delegate _whois._tcp.TLD and serve the apex SRV record in a separate zone?
The contracts specify the languages in which registries will accept registrations, and no language table includes an underscore. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail.
On 2013-11-21, at 14:41, John R Levine <johnl@taugh.com> wrote:
For clarity, is there a contractual reason why a registry operator couldn't delegate _whois._tcp.TLD and serve the apex SRV record in a separate zone?
The contracts specify the languages in which registries will accept registrations, and no language table includes an underscore.
... and no delegation is permitted without a corresponding registration, presumably? Joe
... and no delegation is permitted without a corresponding registration ...
Joe, I came across this situation when a "thread leasor" associated a registry to the "thread leasor"'s client, and then declined to convey the registrant data to the registrar from which the "thread" was "leased". After discussion with ICANN General Counsel on the problem presented to a registrar when a domain was registered "by" the registrar (in fact by some form of reseller) but without the underlying registrant data (or proof of payment as that too is a required element, so equivalent for this purpose), communicated to the registrar of record, the conclusion was that the registration was invalid. So my guess is that delegation without registration will lead you, or whom ever wants to skate on that ice, to a similar awkwardness. YMMV, Eric
... and no delegation is permitted without a corresponding registration ...
I always understood a delegation to mean NS records, or maybe a DNAME. We're talking about SRV here, nothing delegated to anyone. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail.
On 2013-11-21, at 15:03, John R Levine <johnl@taugh.com> wrote:
... and no delegation is permitted without a corresponding registration ...
I always understood a delegation to mean NS records, or maybe a DNAME.
We're talking about SRV here, nothing delegated to anyone.
Well, there are two ways to arrange for the name _nicname._tcp.TLD to have attendant SRV records -- one is to insert records into the TLD zone, and the other is to stick a zone cut between _nicname._tcp.TLD and TLD (in one of the two places). I've heard that the first approach is no good because the registry agreement today prohibits it. I've also heard that the second approach is no good because a delegation without a corresponding registration is a minefield, and that a registration of the name _tcp is not possible because of script codepoint constraints. So I think we've worked through all the possible options, and the answer is "contractually not possible right now". Joe
On 21/11/2013, at 5:48 pm, Joe Abley <jabley@hopcount.ca> wrote:
On 2013-11-21, at 15:03, John R Levine <johnl@taugh.com> wrote:
... and no delegation is permitted without a corresponding registration ...
I always understood a delegation to mean NS records, or maybe a DNAME.
We're talking about SRV here, nothing delegated to anyone.
Well, there are two ways to arrange for the name _nicname._tcp.TLD to have attendant SRV records -- one is to insert records into the TLD zone, and the other is to stick a zone cut between _nicname._tcp.TLD and TLD (in one of the two places).
I've heard that the first approach is no good because the registry agreement today prohibits it.
Actually what people have said is 1. Can't have a delegation that begins with _. This isn't a delegation. 2. Can't have a record at the apex. This is not at the apex. Therefore there does not appear to be any contractual prohibition on a _nicname._tcp record unless ICANN has redefined the meaning of 'delegation'. Jay
I've also heard that the second approach is no good because a delegation without a corresponding registration is a minefield, and that a registration of the name _tcp is not possible because of script codepoint constraints.
So I think we've worked through all the possible options, and the answer is "contractually not possible right now".
Joe
-- Jay Daley Chief Executive .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 931 6977 mobile: +64 21 678840 linkedin: www.linkedin.com/in/jaydaley
On 2013-11-21, at 16:27, Jay Daley <jay@nzrs.net.nz> wrote:
Actually what people have said is
1. Can't have a delegation that begins with _. This isn't a delegation.
People have said you can't have a registration that contains a _, and that you can't easily add a delegation without a registration. Whether or not there's a delegation depends on how the name is provisioned. I'm not sure why you would assume there could not be a delegation.
2. Can't have a record at the apex. This is not at the apex.
What I heard was that the only records that can be added to the zones are DNSSEC scaffolding, apex zone records required by the protocol, delegations and glue. But I was really just attempting to clarify some of the confusing statements on the list, and I'm not trying to start an argument. Seems like I'm not adding much light here, so perhaps I'll fade away again :-) Joe
On 21/11/2013, at 4:35 pm, Joe Abley <jabley@hopcount.ca> wrote:
On 2013-11-21, at 14:11, Chris Wright <chris@ausregistry.com.au> wrote:
Whilst right now putting in the SRV record for WhoIs would be against our contracts,
For clarity, is there a contractual reason why a registry operator couldn't delegate _whois._tcp.TLD and serve the apex SRV record in a separate zone?
The protocol is _nicname not _whois. Been like that since like forever. Jay
Joe
-- Jay Daley Chief Executive .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 931 6977 mobile: +64 21 678840 linkedin: www.linkedin.com/in/jaydaley
On 2013-11-21, at 04:13, Gavin Brown <gavin.brown@centralnic.com> wrote:
On 20/11/2013 23:00, John Levine wrote:
Yep - you're only allowed SOA, apex NS, glue, DNSSEC records and delegations - nothing else.
That's at the apex of the TLD.
By my count _whois._tcp.tld is two levels down.
_tcp.tld could not be delegated as "_tcp" is not permissable as a delegation.
Not permissible why? Joe
_tcp.tld could not be delegated as "_tcp" is not permissable as a delegation.
That hardly seems relevant since nobody's suggesting delegating the name. It'd be an administrative bit of the TLD itself. In the IETF WEIRDS group we've been scratching our heads for months about how to publish the location of a TLD's RDAP (son-of-WHOIS) server. A SRV record is definitely one of the options. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail.
On 21/11/2013, at 6:13 am, Gavin Brown <gavin.brown@centralnic.com> wrote:
On 20/11/2013 23:00, John Levine wrote:
Yep - you're only allowed SOA, apex NS, glue, DNSSEC records and delegations - nothing else.
That's at the apex of the TLD.
By my count _whois._tcp.tld is two levels down.
_tcp.tld could not be delegated as "_tcp" is not permissable as a delegation.
The standard Appendix A in the gTLD Registry Agreement states that other records can be added, once an RSEP evaluation has taken place "to determine whether the service would create a risk of a meaningful adverse impact on security or stability of the DNS".
Took me a long time to find this (section 2.2.3.3 of the Applicant Guidebook, can't find any appendix so please send if it is different) and that is very clearly about records at the apex. We are not talking about a record at the apex. Jay
G.
-- Gavin Brown Chief Technology Officer CentralNic Group plc (LSE:CNIC) Innovative, Reliable and Flexible Registry Services for ccTLD, gTLD and private domain name registries https://www.centralnic.com/
CentralNic Group plc is a company registered in England and Wales with company number 8576358. Registered Offices: 35-39 Moorgate, London, EC2R 6AR.
-- Jay Daley Chief Executive .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 931 6977 mobile: +64 21 678840 linkedin: www.linkedin.com/in/jaydaley
On 21/11/2013, at 6:25 pm, Jay Daley <jay@nzrs.net.nz> wrote:
The standard Appendix A in the gTLD Registry Agreement states that other records can be added, once an RSEP evaluation has taken place "to determine whether the service would create a risk of a meaningful adverse impact on security or stability of the DNS".
Took me a long time to find this (section 2.2.3.3 of the Applicant Guidebook, can't find any appendix so please send if it is different) and that is very clearly about records at the apex. We are not talking about a record at the apex.
Sorry, I take that back. It depends on how you interpret it. The text is:
ICANN receives a number of inquiries about use of various record types in a registry zone, as entities contemplate different business and technical models. Permissible zone contents for a TLD zone are:
• Apex SOA record.
• Apex NS records and in-bailiwick glue for the TLD’s DNS servers.
• NS records and in-bailiwick glue for DNS servers of registered names in the TLD.
• DS records for registered names in the TLD.
• Records associated with signing the TLD zone (i.e.,
RRSIG, DNSKEY, NSEC, and NSEC3).
An applicant wishing to place any other record types into its TLD zone should describe in detail its proposal in the registry services section of the application. This will be evaluated and could result in an extended evaluation to determine whether the service would create a risk of a meaningful adverse impact on security or stability of the DNS. Applicants should be aware that a service based on use of less-common DNS resource records in the TLD zone, even if approved in the registry services review, might not work as intended for all users due to lack of application support.
Jay -- Jay Daley Chief Executive .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 931 6977 mobile: +64 21 678840 linkedin: www.linkedin.com/in/jaydaley
The Registry that had the problem fixed and now all their new gTLDs have their whois.nic.<tld> service back online. The rest of the registry operators had it working. -- Francisco. On 11/20/13 10:53 AM, "Alexander Mayrhofer" <alexander.mayrhofer@nic.at> wrote:
Looking at some of the recently delegated new gTLDs, i was very surprised to learn that the WHOIS service is unreachable for some of those TLDs (which makes me wonder how they passed PDT, or why the service degraded since then?). Anyways, since WHOIS is included in the SLA requirements of ICANN, this makes me also wonder when the SLA actually "kicks in", and, whether the SLAs are actually being measured right now by ICANN ...
Any information about this?
Alex
participants (13)
-
Alexander Mayrhofer -
Chris Wright -
Eric Brunner-Williams -
Francisco Arias -
Gavin Brown -
Greg Aaron -
Hugo Salgado -
Jay Daley -
Joe Abley -
John Levine -
John R Levine
-
Rubens Kuhl -
Seth Goldman