[ISOCNZ-L] Domainz and Authentication

9 views
Skip to first unread message

David Zanetti

unread,
Dec 22, 1999, 3:00:00 AM12/22/99
to
Before I begin, I'd like to point out the views expressed below are mine,
and mine alone, and do not represent a statement (official or otherwise)
by the WCC, or any organiation associated with the WCC.

One of the domains that I am the technical contact for, wcc.govt.nz, had
a small number of changes made to it. The changes are not huge, a slight
adjustment of the contact details for the name holder, but the manner in
which they were conducted I believe is somewhat questionable. I have no
issues with the content of the changes, just the way the changes were
handled.

Notification for the changes was sent through to the name holder, and I
was forwarded a copy as part of my job is the Council's DNS. I was
supprised to see any changes at all, given that normally changes would
pass to me to be actioned. I asked those who had access to the
authorisation key who had done it (the last thing I needed was the entry
being broken accidentially :) ) but alas no-one had made the change.

This was pretty suspect to me, so I called Domainz asking who made the
changes. The person I spoke to said that the changes were made based on an
email Domainz received from the nameholder. Even more curious! Could they
forward the email to me, as I had already asked the nameholder and they
didn't recall asking for changes. Nope, they couldn't allow that.

I'm named as the technical contact, but I can't get a copy of any request
of changes made to the domain? After a little discussion, the person
admitted that they couldn't forward it to me because it had been deleted.
(Deleted? But you're quoting from it! Later it would transpire they
actually had a print out of the email. I guess faxing was out of the
question, but as I didn't ask I can't presume it would not have been faxed
to me.. However, there was a great deal of resistance to providing a
copy.)

I wasn't getting anywhere with this call, and gave up. If an email had
been sent requesting the change, it should be in the email logs. Changes
don't take _that_ long to enact, so rather than sift through thousands of
log entries I'd check the last few days. Nope, no email sent to Domainz,
and certainly not from the nameholder.

Time to get the full story from further up in Domainz. That sorta points
us towards my good friend Patrick O'Brien. I have no doubt after reading
the message that I had called he was probably thinking "what's that
bastard want now?". We've sparred a bit, so I don't blame him, and nor do
I expect him to admit here that's the case :)

Patrick aactually helped a lot to fill in the missing bits of the picture.
Domainz had begun emailing name holders to verify that the listed contact
details were correct. On about the 9th of December, the nameholder replied
to such a request for wcc.govt.nz and offered the changes. That explains
why they weren't in the recent logs, because they've been sitting in
someone's inbox for a couple of weeks.

The email was indeed printed to become part of the Domainz audit trail. We
don't know if the audit trail includes headers of messages, but it'd be a
pretty thin audit trail if it didn't. I did not ask if it did, IMO email
is so easily forged that it's hardly an audit trail.

I argued that a simple email exchange with no authorisation keys or any
other methods of checking the idenity defeated the point of having those
authorisation keys. Patrick argued that because the request was initiated
by Domainz, and that the reply came from a similar email address to the
one they emailed, that they needed no more proof of identity. "Common
sense", as Patrick put it, was all that was needed.

Now while this is an interesting story, full of form and colour, why
bother making it public. Ask anyone who has had to get the authorisation
key for a domain what they have to go through. A mere fax with signature
is not enough in some cases, you need much better proof than that.

Is there not a serious misbalance to the whole system if change could
alternatively be made out-of-band on the basis of a simple email exchange?
Why bother with authorisation keys at all then? How safe do you feel your
domains are from being manipulated by someone else? Is the level of proof
required for the change I've described high enough?

--
David Zanetti <da...@earthling.net> <david....@wcc.govt.nz>
Unix Systems Administrator and Postmaster, Wellington City Council
Moderator: nz.politics.announce | My views, not those of the WCC

-
To subscribe/unsubscribe to the isocnz-l mailing list send a message
to majo...@isocnz.org.nz with the keyword subscribe or unsubscribe
as the message plus the list name i.e. unsubscribe isocnz-l


Joe Abley

unread,
Dec 22, 1999, 3:00:00 AM12/22/99
to
On Wed, Dec 22, 1999 at 08:12:03PM +1300, David Zanetti wrote:
|> How safe do you feel your
|> domains are from being manipulated by someone else? Is the level of proof
|> required for the change I've described high enough?

I feel reasonably confident that my domains aren't being manipulated
behind my back. At least, from tonight until January 6 :)

Joe

--
Ua lawa küpono ka hakahaka pä o këia pä malule

Jonathan Ah Kit

unread,
Dec 22, 1999, 3:00:00 AM12/22/99
to
Funny all this, I was acting webmaster of the HVHS website, www.hvhs.ac.nz/,
for a few months while the 'usual' one was somewhere else. To cut it short;
I'll try to be quick:

The story was, at one stage the two of us couldn't work out how come one of
the contacts' e-mail addresses (the one pointing to the 'usual' dude) got
changed to st...@hvhs.ac.nz, which I still hold for some reason. Sure wasn't
me, sure wasn't our 'usual' guy, and the principal's secretary and computers
HoD didn't even know the address existed. (I'd only created it and posted it
on the school site about a month earlier, I think.) And who'd change it to
an address she or he didn't hold, let alone one of mine?

Anyone care to try explain, was this the X-Files or a figment of my
overpowering poetic imagination?

Jonathan. :)

--
--
Jonathan Ah Kit
Co-Editor (so they tell me)
Yearbook
Hutt Valley High School
Lower Hutt
New Zealand
year...@hvhs.ac.nz
ahkit.j...@hvhs.ac.nz
http://www.hvhs.ac.nz/
"Joe Abley" <jab...@patho.gen.nz> wrote in message
news:1999122220...@patho.gen.nz...

Peter Mott

unread,
Dec 23, 1999, 3:00:00 AM12/23/99
to
> Is there not a serious misbalance to the whole system if change could
> alternatively be made out-of-band on the basis of a simple email exchange?
> Why bother with authorisation keys at all then? How safe do you feel your

> domains are from being manipulated by someone else? Is the level of proof
> required for the change I've described high enough?

Obrien and his cohorts will do what they want until industry wakes up and
organises a change of delegation. This data cleansing is not about
improving data quality. Its about DOMAINZ building a substantial customer
database it can claim ownership of. 50,000+ customers is worth quite a bit
of money these days.

Every ISP that sends domainz customers is building the personal fortunes of
DOMAINZ directors and CEO, and giving that ISOCNZ do gooders cash to run
their club.

Peter Mott
2day.com
-/-

Alan Brown

unread,
Dec 23, 1999, 3:00:00 AM12/23/99
to
I wonder how long it will take Patrick to start wasting more DOMAINZ and
ISOCNZ money by again threatening baseless legal action in order to gag
public criticism.

Patrick: I suggest you look up the law books on the subject of "barratry."

As far as I'm, aware, it's still a criminal offence and your continued
threats against people who criticise you publically come under that
definition.

Why does ISOCNZ still employ this buffoon as CEO of DOMAINZ? He's proved
time and again that all he's interested in is himself and not the
welfare of the Internet in New Zealand.

Roll on the govt removal of the ISOCNZ/DOMAINZ profit-driven monopoly.

AB

Patrick O'Brien

unread,
Dec 23, 1999, 3:00:00 AM12/23/99
to
Alan,

What ?

Can you tell me what I am supposed to have done please?

To my knowledge, I have made no public statements on the posting that you
refer.

Patrick

Peter Mott

unread,
Dec 23, 1999, 3:00:00 AM12/23/99
to
|> What ?
|> Can you tell me what I am supposed to have done please?

|>From the view up here, not a single thing. Thats the problem.

Any why the hell have you mislead us into thinking midday yesterday was
cutoff for changes to the DNS and then announce this afternoon its close of
business today.

That stunt has cost us several hours of time today, and pissed quite a few
people off.

I seem to remember you did it last year as well.

regards

Peter Mott
Chief Enthusiast
2Day.com
-/-

Alan Brown

unread,
Dec 23, 1999, 3:00:00 AM12/23/99
to
On Thu, 23 Dec 1999, Patrick O'Brien wrote:

|> Alan,


|>
|> What ?
|>
|> Can you tell me what I am supposed to have done please?
|>

|> To my knowledge, I have made no public statements on the posting that you
|> refer.

That's not your style Patrick. I bet you've made baseless legal threats
to the WCC and earthling.net about Dave's posting like you usually do in
these cases.

Would you like to confirm/deny that you've taken this approach?

And have you looked up Barratry yet? Or the penalties?

AB

David Zanetti

unread,
Dec 24, 1999, 3:00:00 AM12/24/99
to
The following is posted on behalf of Jos Van Herk.

---CUT---
Subject: Domainz and Authentication

To the ISOCNZ list,

I refer to an email posted on Wednesday 22 December 1999 setting out some
personal views of one of the Wellington City Council employees over the
nature of his dealings with Domainz and their CEO, Mr Patrick O'Brien.

The views expressed in that email were the personal views of the author,
were certainly not the views of the Council, and should not have been
published in a form that could be associated with the Council.

Any issues that the council may have with regard to process are always
discussed with Domainz as part of the ongoing business relationship. Domainz
has acted in appropriate manner upon our instructions.

On behalf of the Council I wish to apologise to Domainz and Mr O'Brien and
to reassure them that there is no reason why the past good relationship
enjoyed by the two organisations should not continue."

Yours sincerely

Jos Van Herk
---CUT---

Joe Abley

unread,
Dec 24, 1999, 3:00:00 AM12/24/99
to
On Fri, Dec 24, 1999 at 10:14:05AM +1300, David Zanetti wrote:
|> The following is posted on behalf of Jos Van Herk.

I'd like to say that I did not find David's previous post at all
offensive, or at all unreasonable.

It's a sad day if users of the registry are not able to provide
criticism without fear of petty reprisals directed at them (through
their employers or otherwise).

Constructive feedback is a vital part of making things better, and
we need more, not less.

Jeo

--
Ua lawa küpono ka hakahaka pä o këia pä malule

-

Joe Abley

unread,
Dec 24, 1999, 3:00:00 AM12/24/99
to
On Thu, Dec 23, 1999, Alan Brown wrote:
|> On Thu, 23 Dec 1999, Patrick O'Brien wrote:
|>
|> > Alan,
|> >
|> > What ?
|> >
|> > Can you tell me what I am supposed to have done please?
|> >
|> > To my knowledge, I have made no public statements on the posting that you
|> > refer.
|>
|> That's not your style Patrick. I bet you've made baseless legal threats
|> to the WCC and earthling.net about Dave's posting like you usually do in
|> these cases.
|>
|> Would you like to confirm/deny that you've taken this approach?

I suspect that confirmation of this point is no longer required.

Joe

Alan Brown

unread,
Dec 24, 1999, 3:00:00 AM12/24/99
to
On Fri, 24 Dec 1999, Joe Abley wrote:

|> Constructive feedback is a vital part of making things better, and
|> we need more, not less.

Joe,

If ISOCNZ was in charge of developing WWW, gopher would still be the
only usable tool out there.

Let's hope there's something better than DNS available soon. ISOCNZ
isn't relevant to the day-to-day running of the net and becomes less so
every day, because of petty bureaucrats with no technical clues.

AB

Reply all
Reply to author
Forward
0 new messages