Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open Q / Discussion: SHOULD Subdomain Registries be providing RDAP/Whois to be included in PSL? #1813

Open
dnsguru opened this issue Jul 28, 2023 · 14 comments
Assignees
Labels
MAY DESERVE SECURITY REVIEW This is a PR that might benefit from a re-review ❔❔ question Open question, please look / answer / respond

Comments

@dnsguru
Copy link
Member

dnsguru commented Jul 28, 2023

There is a growing quantity of requests for subdomain eTLD+ with aspirations of offering segmented customer namespace.

Given that registries are increasing the wholesale price of domain names, and the registrars are passing these prices through to the registrant, low-cost options are becoming attractive for hosting providers in order to serve their customers.

Low-cost options help customers start their journey, but unfortunately are also an area that can get exploited for bad things.

Question for the community:
SHOULD these subdomain registries be required, as part of inclusion in the PSL, to provide RDAP / WHOIS lookup server address such that it is possible to directly contact the specifically responsible party for a given subdomain?

@dnsguru dnsguru added the ❔❔ question Open question, please look / answer / respond label Jul 28, 2023
@dnsguru dnsguru self-assigned this Jul 28, 2023
@dnsguru dnsguru changed the title Discussion: SHOULD Subdomain Registries providing RDAP/Whois? Open Q / Discussion: SHOULD Subdomain Registries be providing RDAP/Whois to be included in PSL? Jul 29, 2023
@dnsguru
Copy link
Member Author

dnsguru commented Aug 1, 2023

#1612 as an example has indicated that their whole namespace was flagged by Google Safebrowsing - if this was triggered by a enough volume of perps underneath the submitted string that the string was blocked in chrome. What is not clear about this PR, as it has not been processed, is if the hop.sh namespace had been in the PSL, would Google have handled their blocking differently or at all.

Assuming that the action by Google affected legitimate users that were not phishing as a consequence of the parties that were phishing, It seems that as a tradeoff for partitioning the namespace to shelter the impacts is that there should be transparency into the perps directly.

@weppos
Copy link
Member

weppos commented Aug 1, 2023

SHOULD these subdomain registries be required, as part of inclusion in the PSL, to provide RDAP / WHOIS lookup server address such that it is possible to directly contact the specifically responsible party for a given subdomain?

How would this requirement "benefit" the PSL management process? From what I've read above, it sounds like the choice is based on some consumer-specific use-case, and we generally try to stay consumer neutral.

@gbxyz
Copy link
Contributor

gbxyz commented Aug 1, 2023

Some "off the top of my head" comments:

  1. I don't see any point in requiring port-43 whois. RDAP should be fine and is simple enough to implement.
  2. However, in the absence of multi-registrar Shared Registry System, and given that the GDPR must still be complied with, what would the RDAP records actually contain that would be useful to third party consumers?
  3. This might help solve the problem of discovery of RDDS services for subdomain registries: IANA only accepts registrations of TLDs into the bootstrap registry, so (to use a real-world example I've had to deal with) the RDAP service for .ac.uk is not discoverable unless the .uk registry operator implements a redirect. The PSL could provide a "lookaside" bootstrap registry for SLDs, although that is yet another overloading of the function and purpose of the PSL.

@dnsguru
Copy link
Member Author

dnsguru commented Aug 1, 2023

Some "off the top of my head" comments:

Thanks, Gavin. As an author of RDAP stuff widely used, your comments are superappreciated...

  1. I don't see any point in requiring port-43 whois. RDAP should be fine and is simple enough to implement.

Whois was left there as nomenclature because mostfolk don't recognize what RDAP is.

  1. However, in the absence of multi-registrar Shared Registry System, and given that the GDPR must still be complied with, what would the RDAP records actually contain that would be useful to third party consumers?

This topic makes its own gravy, but at a high level it seems like at very least an abuse contact email or webform url that can be used to complain about or reach the subdomain operator.

  1. This might help solve the problem of discovery of RDDS services for subdomain registries: IANA only accepts registrations of TLDs into the bootstrap registry, so (to use a real-world example I've had to deal with) the RDAP service for .ac.uk is not discoverable unless the .uk registry operator implements a redirect. The PSL could provide a "lookaside" bootstrap registry for SLDs, although that is yet another overloading of the function and purpose of the PSL.

Really good point and I suppose that would need solving, and would be helpful to have some form of top-down RDDS discovery tree that was more friendly to subspaces.

Not trying to discuss the bootstrap for the RDDS so much, and that is a probem thirsty for a solution, but rather the objective of this issue was to add more accountability and reachability at the point closest to the problem space due to the affectation that a PSL entry has beyond just cookies, SSL and obvious ones.

@dnsguru
Copy link
Member Author

dnsguru commented Aug 1, 2023

Recieved the following comment:

What constitutes a Subdomain Registry?

  • Does it include registries of ccTLDs that operate on a third-level registration basis (.co.uk)
  • Does it include registries that basically resell subdomains of domains they own/manage to registrars only?
  • Does it include registries that reseller subdomains of domains they own/manage to end customers?
  • Does it include hosting service providers who offer "free domains" (subdomains) to their hosting customers?
  • Does it include Dynamic DNS providers who offer redirects under subdomains of their domains to their customers? (for example Synology under *.quickconnect.to).
  • Does it include URL Shortening Services that use subdomains? (for example rb.gy)

@dnsguru
Copy link
Member Author

dnsguru commented Aug 3, 2023

This seems like perhaps a series of questions that would be good to capture at the intake when requests are being submitted, along with, at very minimum, a means to contact the administrator of the namespace(s) when there is abuse/phishing/pharming/malware etc other activity that requires prompt action.

@oldfrogger
Copy link

it seems to be a good idea, the issue is, owners of such lists have to educate a lot of parties how to identify the domain status, contact the party registering e.t.c., so having it in the list as WHOIS:_____ / RDAP:NONE or something like it is ok

@dnsguru
Copy link
Member Author

dnsguru commented Aug 8, 2023

Adding Abuse contact or Abuse Form URL may be where we are heading for this

@dnsguru
Copy link
Member Author

dnsguru commented Aug 23, 2023

I am going to leave this issue open but create another that is a call for comments on requiring abuse contacts being present in Pull Requests and later close the RDAP / WHOIS requirement as wontfix for now, as that seems heavier touch than should be expected for most submitters where an abuse contact seems very reasonable in contrast.

@simon-friedberger
Copy link
Contributor

@dnsguru Would this mean adding another e-mail to the PSL entries or something else? If it's just about the e-mail I could quickly add it to the PR template.

@dnsguru
Copy link
Member Author

dnsguru commented Jun 18, 2024

@dnsguru Would this mean adding another e-mail to the PSL entries or something else? If it's just about the e-mail I could quickly add it to the PR template.

I spent some time scrolling back through the comments and engagement on this topic. In summary, it seemed like the requestors that are intending to operate subdomain registries for third parties or 'domains for customers' are a subset of the PSL Pull Request population... there are other requestors as well...

So, in thinking this through, I would like to propose we add a checkbox to the template that lets a requestor identify that they will be making their requested namespace available to third parties and that they will provide an abuse contact and/or whois/rdap link where appropriate, and then we introduce two additional (optional) comment lines for:

  • abuse contact email
  • rdap/whois server

something to the effect of:
[ ] I/we are making this request to provide partitioned namespace for third parties and will provide abuse contact and/or 'whois' server details in our submission

and then some comment line syntax for their submission .dat file such as:

// abuseContact: [email protected]
// rdapLookup: [put the respective URI here]
pslentry.wookie.bar.meh

Because it is commented, it would be ignorable. Also, it might be the case that there would be different abuse/whois entries for a given namespace within a section, so it would likely be the case we'd need a description about how it should be interpreted. A thought here would be that these being present in the section header would be applicable to all things in that section, and then those entries above specific domains would be exceptions. Where it is not present in the section header, the entry above a domain would apply to that domain only.

@oldfrogger
Copy link

oldfrogger commented Jun 18, 2024 via email

@simon-friedberger
Copy link
Contributor

@dnsguru Would this mean adding another e-mail to the PSL entries or something else? If it's just about the e-mail I could quickly add it to the PR template.

I spent some time scrolling back through the comments and engagement on this topic. In summary, it seemed like the requestors that are intending to operate subdomain registries for third parties or 'domains for customers' are a subset of the PSL Pull Request population... there are other requestors as well...

Can you give an example? Do you think that is a significant proportion? My assumption would be that people want cookies etc. separated because there is some amount of distrust between these parties and therefore, everyone should provide an abuse contact.

@dnsguru
Copy link
Member Author

dnsguru commented Oct 4, 2024

I'm good with everyone providing an abuse contact - perhaps we update the template for this should we go that direction?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
MAY DESERVE SECURITY REVIEW This is a PR that might benefit from a re-review ❔❔ question Open question, please look / answer / respond
Projects
None yet
Development

No branches or pull requests

5 participants