We're currently looking into submitting our first ICANN reports for the new gTLDs we host. One of the fields in the ICANN reporting data is the "zfa-passwords" field, which is supposed to contain the number of active users for the Zone File Access service of the TLD. In the light of CZDS, we're assuming that this field can be left set to "0", because there are no direct zone file access users with the individual registry (and that ICANN gathers the number of users directly from CZDS). Can someone (preferably from ICANN) confirm this? thanks, Alex
In article <19F54F2956911544A32543B8A9BDE0750CA3318D@NICS-EXCH2.sbg.nic.at> you write:
We're currently looking into submitting our first ICANN reports for the new gTLDs we host. One of the fields in the ICANN reporting data is the "zfa-passwords" field, which is supposed to contain the number of active users for the Zone File Access service of the TLD.
In the light of CZDS, we're assuming that this field can be left set to "0", because there are no direct zone file access users with the individual registry (and that ICANN gathers the number of users directly from CZDS).
CZDS allows registries to provide ZFA downloads through CZDS, or through an API that provides the user a password to download directly from the registry. Somewhat to my surprise all the registries appear to be doing the CZDS route, so at this point none of the new registries have any passwords. The volume of ZFA downloads can potentially be pretty big. By my estimates, the traffic for ZFA downloads for .COM is roughly the same as for all of the .COM WHOIS or all of the .COM DNS server traffic. If any of the new TLDs becomes large, i.e., tens of millions of domains, and there are a lot of ZFA users, they and ICANN may want to revisit the distribution plan.
Hello everyone,
We have got a problem when ICANN tends to download the bulk zone file from our sftp server. We have already put the zone file there, but the result returns from us shows that No zone files found within the past 3 days. The files under the top-level directory of the sftp server are:
* xn--xxxx.zone.gz
* xn--xxxx.zone.gz.md5
* xn--xxxx.zone.gz.sig
Complied with the AGB specification 4, section 2. And from the log we found that ICANN can login successfully. Does anyone encounter this problem, and give me a hand, thanks very much!
Kind regards, Jiagui Xie xiejg
From: John Levine Date: 2014-02-17 12:02 To: gtld-tech Subject: Re: [gtld-tech] "zfa-passwords" vs CZDS
In article <19F54F2956911544A32543B8A9BDE0750CA3318D@NICS-EXCH2.sbg.nic.at> you write:
We're currently looking into submitting our first ICANN reports for the new gTLDs we host. One of the fields in the ICANN reporting data is the "zfa-passwords" field, which is supposed to contain the number of active users for the Zone File Access service of the TLD.
In the light of CZDS, we're assuming that this field can be left set to "0", because there are no direct zone file access users with the individual registry (and that ICANN gathers the number of users directly from CZDS).
CZDS allows registries to provide ZFA downloads through CZDS, or through an API that provides the user a password to download directly from the registry. Somewhat to my surprise all the registries appear to be doing the CZDS route, so at this point none of the new registries have any passwords. The volume of ZFA downloads can potentially be pretty big. By my estimates, the traffic for ZFA downloads for .COM is roughly the same as for all of the .COM WHOIS or all of the .COM DNS server traffic. If any of the new TLDs becomes large, i.e., tens of millions of domains, and there are a lot of ZFA users, they and ICANN may want to revisit the distribution plan.
I second Alex's question. If the CZDS is being used, the registry is not authoritative for the zfa-passwords count. If CZDS is being used is a zfa-passwords value of "0" acceptable or should another value be used like "N/A"? Thanks, -- JG James Gould Principal Software Engineer jgould@verisign.com 703-948-3271 (Office) 12061 Bluemont Way Reston, VA 20190 VerisignInc.com On 2/13/14, 9:13 AM, "Alexander Mayrhofer" <alexander.mayrhofer@nic.at> wrote:
We're currently looking into submitting our first ICANN reports for the new gTLDs we host. One of the fields in the ICANN reporting data is the "zfa-passwords" field, which is supposed to contain the number of active users for the Zone File Access service of the TLD.
In the light of CZDS, we're assuming that this field can be left set to "0", because there are no direct zone file access users with the individual registry (and that ICANN gathers the number of users directly from CZDS).
Can someone (preferably from ICANN) confirm this?
thanks, Alex
In article <CF571C87.5B8DE%jgould@verisign.com> you write:
I second Alex's question. If the CZDS is being used, the registry is not authoritative for the zfa-passwords count. If CZDS is being used is a zfa-passwords value of "0" acceptable or should another value be used like "N/A"?
But every CZDS application for access to a zone has to be approved by the registry. Don't you know how many you approved?
John, The issue is that there is no system to system interface between the CZDS and the registry operator or backend registry operator for this count. It does not make sense to have this manually counted by the approver to manually enter it into the registry system that generates the report and if done perfectly should be a replica of what is available directly in the authority source of the CZDS. If a TLD is using the CZDS the best source for the zfa-password count is CZDS and not the registry. JG James F. Gould Principal Engineer Verisign jgould@verisign.com On Mar 25, 2014, at 1:50 PM, "John Levine" <johnl@taugh.com> wrote:
In article <CF571C87.5B8DE%jgould@verisign.com> you write:
I second Alex's question. If the CZDS is being used, the registry is not authoritative for the zfa-passwords count. If CZDS is being used is a zfa-passwords value of "0" acceptable or should another value be used like "N/A"?
But every CZDS application for access to a zone has to be approved by the registry. Don't you know how many you approved?
The issue is that there is no system to system interface between the CZDS and the registry operator or backend registry operator for this count. It does not make sense to have this manually counted by the approver to manually enter it into the registry system that generates the report and if done perfectly should be a replica of what is available directly in the authority source of the CZDS. If a TLD is using the CZDS the best source for the zfa-password count is CZDS and not the registry.
Yes, I realize that, but if a registry's processes are so sloppy that it doesn't remember whose CZDS access applications it's approved, it's hard to have a lot of sympathy. The CZDS process makes each applicant apply separately to each registry for each zone. If in reality you don't care, and don't even remember who applied, we could make the process a whole lot simpler. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail.
Hello, On 26/03/2014 15:31, John R Levine wrote:
Yes, I realize that, but if a registry's processes are so sloppy that it doesn't remember whose CZDS access applications it's approved, it's hard to have a lot of sympathy.
True; then again, the CZDS is supposed to provide a workflow tool for registries comprehensive enough to replace any local means needed to keep track of approvals. In any case, it doesn't make much sense to report figures back to ICANN which ICANN can easily determine by looking at the data of a system they provide themselves. Best regards, Thomas Corte TANGO Registry Systems -- ____________________________________________________________________ | | | knipp | Knipp Medien und Kommunikation GmbH ------- Technologiepark Martin-Schmeißer-Weg 9 44227 Dortmund Deutschland Dipl.-Informatiker Tel: +49 231 9703-0 Thomas Corte Fax: +49 231 9703-200 Stellvertretender Leiter SIP: Thomas.Corte@knipp.de Software-Entwicklung E-Mail: Thomas.Corte@knipp.de Registereintrag: Amtsgericht Dortmund, HRB 13728 Geschäftsführer: Dietmar Knipp, Elmar Knipp
I think sending zero accurately reflects the number of passwords issued by registry operator. It's up to ICANN to add that number to the ones they generated thru to their system in order to provide accurate reports either to management or for posting. Rubens On 26/03/2014, at 11:58:000, Thomas Corte <Thomas.Corte@knipp.de> wrote:
Hello,
On 26/03/2014 15:31, John R Levine wrote:
Yes, I realize that, but if a registry's processes are so sloppy that it doesn't remember whose CZDS access applications it's approved, it's hard to have a lot of sympathy.
True; then again, the CZDS is supposed to provide a workflow tool for registries comprehensive enough to replace any local means needed to keep track of approvals.
In any case, it doesn't make much sense to report figures back to ICANN which ICANN can easily determine by looking at the data of a system they provide themselves.
Best regards,
Thomas Corte TANGO Registry Systems
-- ____________________________________________________________________ | | | knipp | Knipp Medien und Kommunikation GmbH ------- Technologiepark Martin-Schmeißer-Weg 9 44227 Dortmund Deutschland
Dipl.-Informatiker Tel: +49 231 9703-0 Thomas Corte Fax: +49 231 9703-200 Stellvertretender Leiter SIP: Thomas.Corte@knipp.de Software-Entwicklung E-Mail: Thomas.Corte@knipp.de
Registereintrag: Amtsgericht Dortmund, HRB 13728
Geschäftsführer: Dietmar Knipp, Elmar Knipp
On Mar 26, 2014, at 7:31 AM, John R Levine <johnl@taugh.com> wrote:
Yes, I realize that, but if a registry's processes are so sloppy that it doesn't remember whose CZDS access applications it's approved, it's hard to have a lot of sympathy.
Why would your "un-sloppy" process need to "remember" something that is being kept track of in a database, with an actionable audit trail? You can have a perfect process that does depend on the existence of a database. What happens when you lose the little black notebook where you kept track of who you authorized access to what? Or do you build yet another system to keep a redundant counter around? Best regards -lem
On Mar 26, 2014, at 7:31 AM, John R Levine <johnl@taugh.com> wrote:
Yes, I realize that, but if a registry's processes are so sloppy that it doesn't remember whose CZDS access applications it's approved, it's hard to have a lot of sympathy.
Why would your "un-sloppy" process need to "remember" something that is being kept track of in a database, with an actionable audit trail? You can have a perfect process that does depend on the existence of a database.
Hey, I'm not the one that built a CZDS system that requires every registry to approve every application separately. If, as you appear to be saying, you don't care who applies, please tell ICANN so they can make CZDS faster and simpler for everyone. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail.
On Mar 26, 2014, at 12:32 PM, John R Levine <johnl@taugh.com> wrote:
Hey, I'm not the one that built a CZDS system that requires every registry to approve every application separately. If, as you appear to be saying, you don't care who applies, please tell ICANN so they can make CZDS faster and simpler for everyone.
Reviewing an application and keeping a redundant count of the ones that are approved are different things. I don't think anybody is arguing against the need to review them. The point in discussion is that the reports are asking the operators for a piece of information that can more reliably be obtained from a system already under ICANN control. Regards, -lem
I believe the zfa-password report field is a legacy field prior to the definition of the CZDS. Prior to the CZDS, the registry systems were authoritative for the zone file applicants, since they directly made the zone files available to the applicants. With the CZDS, the zone files are provided to the CZDS for distribution to the zone file applicants with no additional system-to-system integration. The CZDS has the registry operator as an actor in the CZDS workflow for additions, but the registry systems are not involved at all. Is the registry operator also in the flow for removals? If not, there is no way that the count will be accurate using the "little black notebook" approach. It is the registry systems that generate the report, so the question is whether it's worth attempting to propagate the zfa-password counter manually from the CZDS to the registry systems for inclusion in the report to ICANN? I don't believe it makes much sense to add this complexity for a field that ICANN can get an authoritative answer for using CZDS. My recommendation is to remove this field altogether or populate the value with a place holder value (e.g. empty, "0", "N/A", "CZDS") in light of the CZDS. Can ICANN respond to this so that we can come to an agreement on the best approach? Thanks, -- JG James Gould Principal Software Engineer jgould@verisign.com 703-948-3271 (Office) 12061 Bluemont Way Reston, VA 20190 VerisignInc.com On 3/26/14, 2:54 PM, "Luis Muñoz" <lem@isc.org> wrote:
On Mar 26, 2014, at 7:31 AM, John R Levine <johnl@taugh.com> wrote:
Yes, I realize that, but if a registry's processes are so sloppy that it doesn't remember whose CZDS access applications it's approved, it's hard to have a lot of sympathy.
Why would your "un-sloppy" process need to "remember" something that is being kept track of in a database, with an actionable audit trail? You can have a perfect process that does depend on the existence of a database.
What happens when you lose the little black notebook where you kept track of who you authorized access to what? Or do you build yet another system to keep a redundant counter around?
Best regards
-lem
I support removing the field or allowing it to be perpetually 0 (which is probably the least disruptive to all parties for now). As it stands, the data supplied across all TLDs as part of this report is now of unreliable veracity, <- which is the opposite of data ICANN could retrieve from the CZDS. As a general principle, reports such as these which are released to the public, should seek to have as accurate and verifiable data as possible. A necessarily manual process will undermine this principle. Separately, I'd be interested to hear from ICANN whether the CZDS will ever provide an API to TLD operators allowing them to retrieve information and possibly update it as well. Is there a CZDS feature roadmap I've missed? -- Kal Feher -----Original Message----- From: gtld-tech-bounces@icann.org [mailto:gtld-tech-bounces@icann.org] On Behalf Of Gould, James Sent: Thursday, 27 March 2014 6:43 AM To: Luis Muñoz; John R Levine Cc: gtld-tech@icann.org Subject: Re: [gtld-tech] "zfa-passwords" vs CZDS I believe the zfa-password report field is a legacy field prior to the definition of the CZDS. Prior to the CZDS, the registry systems were authoritative for the zone file applicants, since they directly made the zone files available to the applicants. With the CZDS, the zone files are provided to the CZDS for distribution to the zone file applicants with no additional system-to-system integration. The CZDS has the registry operator as an actor in the CZDS workflow for additions, but the registry systems are not involved at all. Is the registry operator also in the flow for removals? If not, there is no way that the count will be accurate using the "little black notebook" approach. It is the registry systems that generate the report, so the question is whether it's worth attempting to propagate the zfa-password counter manually from the CZDS to the registry systems for inclusion in the report to ICANN?
I don't believe it makes much sense to add this complexity for a field that ICANN can get an authoritative answer for using CZDS. My recommendation is to remove this field altogether or populate the value with a place holder value (e.g. empty, "0", "N/A", "CZDS") in light of the CZDS. Can ICANN respond to this so that we can come to an agreement on the best approach? Thanks, -- JG James Gould Principal Software Engineer jgould@verisign.com 703-948-3271 (Office) 12061 Bluemont Way Reston, VA 20190 VerisignInc.com On 3/26/14, 2:54 PM, "Luis Muñoz" <lem@isc.org> wrote:
On Mar 26, 2014, at 7:31 AM, John R Levine <johnl@taugh.com> wrote:
Yes, I realize that, but if a registry's processes are so sloppy that it doesn't remember whose CZDS access applications it's approved, it's hard to have a lot of sympathy.
Why would your "un-sloppy" process need to "remember" something that is being kept track of in a database, with an actionable audit trail? You can have a perfect process that does depend on the existence of a database.
What happens when you lose the little black notebook where you kept track of who you authorized access to what? Or do you build yet another system to keep a redundant counter around?
Best regards
-lem
On Mar 25, 2014, at 10:50 AM, John Levine <johnl@taugh.com> wrote:
But every CZDS application for access to a zone has to be approved by the registry. Don't you know how many you approved?
That is a very slippery rope and it seldom works. Simply counting the number of active credentials in the system provides a much better view. I would guess that the report specification came before the CZDS was conceived and for whatever reason, the report spec was never updated. Best regards -lem
participants (9)
- Alexander Mayrhofer
- Gould, James
- John Levine
- John R Levine
- Kal Feher
- Luis Muñoz
- Rubens Kuhl
- Thomas Corte
- xiejg