-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open Q / Discussion: SHOULD Subdomain Registries be providing RDAP/Whois to be included in PSL? #1813
Comments
#1612 as an example has indicated that their whole namespace was flagged by Google Safebrowsing - if this was triggered by a enough volume of perps underneath the submitted string that the string was blocked in chrome. What is not clear about this PR, as it has not been processed, is if the hop.sh namespace had been in the PSL, would Google have handled their blocking differently or at all. Assuming that the action by Google affected legitimate users that were not phishing as a consequence of the parties that were phishing, It seems that as a tradeoff for partitioning the namespace to shelter the impacts is that there should be transparency into the perps directly. |
How would this requirement "benefit" the PSL management process? From what I've read above, it sounds like the choice is based on some consumer-specific use-case, and we generally try to stay consumer neutral. |
Some "off the top of my head" comments:
|
Thanks, Gavin. As an author of RDAP stuff widely used, your comments are superappreciated...
Whois was left there as nomenclature because mostfolk don't recognize what RDAP is.
This topic makes its own gravy, but at a high level it seems like at very least an abuse contact email or webform url that can be used to complain about or reach the subdomain operator.
Really good point and I suppose that would need solving, and would be helpful to have some form of top-down RDDS discovery tree that was more friendly to subspaces. Not trying to discuss the bootstrap for the RDDS so much, and that is a probem thirsty for a solution, but rather the objective of this issue was to add more accountability and reachability at the point closest to the problem space due to the affectation that a PSL entry has beyond just cookies, SSL and obvious ones. |
Recieved the following comment: What constitutes a Subdomain Registry?
|
This seems like perhaps a series of questions that would be good to capture at the intake when requests are being submitted, along with, at very minimum, a means to contact the administrator of the namespace(s) when there is abuse/phishing/pharming/malware etc other activity that requires prompt action. |
it seems to be a good idea, the issue is, owners of such lists have to educate a lot of parties how to identify the domain status, contact the party registering e.t.c., so having it in the list as WHOIS:_____ / RDAP:NONE or something like it is ok |
Adding Abuse contact or Abuse Form URL may be where we are heading for this |
I am going to leave this issue open but create another that is a call for comments on requiring abuse contacts being present in Pull Requests and later close the RDAP / WHOIS requirement as wontfix for now, as that seems heavier touch than should be expected for most submitters where an abuse contact seems very reasonable in contrast. |
@dnsguru Would this mean adding another e-mail to the PSL entries or something else? If it's just about the e-mail I could quickly add it to the PR template. |
I spent some time scrolling back through the comments and engagement on this topic. In summary, it seemed like the requestors that are intending to operate subdomain registries for third parties or 'domains for customers' are a subset of the PSL Pull Request population... there are other requestors as well... So, in thinking this through, I would like to propose we add a checkbox to the template that lets a requestor identify that they will be making their requested namespace available to third parties and that they will provide an abuse contact and/or whois/rdap link where appropriate, and then we introduce two additional (optional) comment lines for:
something to the effect of: and then some comment line syntax for their submission .dat file such as:
Because it is commented, it would be ignorable. Also, it might be the case that there would be different abuse/whois entries for a given namespace within a section, so it would likely be the case we'd need a description about how it should be interpreted. A thought here would be that these being present in the section header would be applicable to all things in that section, and then those entries above specific domains would be exceptions. Where it is not present in the section header, the entry above a domain would apply to that domain only. |
It might be worth adding the optional URL for the abuse reporting web-form (many think that contact web form might be a good replacement for an email).For the Whois / Rdap , at least one of those fields should be filled (some may have only whois, some only Rdap, some both), and a kind of test could be a good idea on the adding those (like of it is reachable at all and at least if it reports on the public domain itself with the required prescribed TXT string, for automation of the test).Also some kind of whitelisting for the email test should be recommended, like:'we are going to send a test email from ____@____.__, please ensure you whitelist it in advance and leave whitelisted for an emergency,and we expect an email back in 24 hours (auto reply fits too).'P.s: some guidance on the process for these fields with recommendations (related to anti abuse) needs to be added to FaQ of the editing fields on wiki too.Maxim21:11, June 18, 2024, Jothan Frakes ***@***.***>:
@dnsguru Would this mean adding another e-mail to the PSL entries or something else? If it's just about the e-mail I could quickly add it to the PR template.
I spent some time scrolling back through the comments and engagement on this topic. In summary, it seemed like the requestors that are intending to operate subdomain registries for third parties or 'domains for customers' are a subset of the PSL Pull Request population... there are other requestors as well...
So, in thinking this through, I would like to propose we add a checkbox to the template that lets a requestor identify that they will be making their requested namespace available to third parties and that they will provide an abuse contact and/or whois/rdap link where appropriate, and then we introduce two additional (optional) comment lines for:
abuse contact email
rdap/whois server
something to the effect of:
[ ] I/we are making this request to provide partitioned namespace for third parties and will provide abuse contact and/or 'whois' server details in our submission
and then some comment line syntax for their submission .dat file such as:
// abuseContact: ***@***.***
// rdapLookup: [put the respective URI here]
pslentry.wookie.bar.meh
Because it is commented, it would be ignorable. Also, it might be the case that there would be different abuse/whois entries for a given namespace within a section, so it would likely be the case we'd need a description about how it should be interpreted. A thought here would be that these being present in the section header would be applicable to all things in that section, and then those entries above specific domains would be exceptions. Where it is not present in the section header, the entry above a domain would apply to that domain only.
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: ***@***.***>
-- Sent from Yandex Mail for mobile
|
Can you give an example? Do you think that is a significant proportion? My assumption would be that people want cookies etc. separated because there is some amount of distrust between these parties and therefore, everyone should provide an abuse contact. |
I'm good with everyone providing an abuse contact - perhaps we update the template for this should we go that direction? |
There is a growing quantity of requests for subdomain eTLD+ with aspirations of offering segmented customer namespace.
Given that registries are increasing the wholesale price of domain names, and the registrars are passing these prices through to the registrant, low-cost options are becoming attractive for hosting providers in order to serve their customers.
Low-cost options help customers start their journey, but unfortunately are also an area that can get exploited for bad things.
Question for the community:
SHOULD these subdomain registries be required, as part of inclusion in the PSL, to provide RDAP / WHOIS lookup server address such that it is possible to directly contact the specifically responsible party for a given subdomain?
The text was updated successfully, but these errors were encountered: