publicsuffix / list

The Public Suffix List
https://publicsuffix.org/
Mozilla Public License 2.0

Open Q / Discussion: SHOULD Subdomain Registries be providing RDAP/Whois to be included in PSL? #1813

Open dnsguru opened 1 year ago

dnsguru commented 1 year ago

There is a growing quantity of requests for subdomain eTLD+ with aspirations of offering segmented customer namespace.

Given that registries are increasing the wholesale price of domain names, and the registrars are passing these prices through to the registrant, low-cost options are becoming attractive for hosting providers in order to serve their customers.

Low-cost options help customers start their journey, but unfortunately are also an area that can get exploited for bad things.

Question for the community: SHOULD these subdomain registries be required, as part of inclusion in the PSL, to provide RDAP / WHOIS lookup server address such that it is possible to directly contact the specifically responsible party for a given subdomain?

dnsguru commented 1 year ago

1612 as an example has indicated that their whole namespace was flagged by Google Safe Browsing - if this was triggered by enough volume of perps underneath the submitted string that the string was blocked in Chrome. What is not clear about this PR, as it has not been processed, is if the hop.sh namespace had been in the PSL, would Google have handled their blocking differently or at all.

Assuming that the action by Google affected legitimate users that were not phishing as a consequence of the parties that were phishing, it seems that as a tradeoff for partitioning the namespace to shelter the impacts there should be transparency into the perps directly.

weppos commented 1 year ago

> SHOULD these subdomain registries be required, as part of inclusion in the PSL, to provide RDAP / WHOIS lookup server address such that it is possible to directly contact the specifically responsible party for a given subdomain?

How would this requirement "benefit" the PSL management process? From what I've read above, it sounds like the choice is based on some consumer-specific use-case, and we generally try to stay consumer neutral.

gbxyz commented 1 year ago

Some "off the top of my head" comments:

  1. I don't see any point in requiring port-43 whois. RDAP should be fine and is simple enough to implement.
  2. However, in the absence of multi-registrar Shared Registry System, and given that the GDPR must still be complied with, what would the RDAP records actually contain that would be useful to third party consumers?
  3. This might help solve the problem of discovery of RDDS services for subdomain registries: IANA only accepts registrations of TLDs into the bootstrap registry, so (to use a real-world example I've had to deal with) the RDAP service for .ac.uk is not discoverable unless the .uk registry operator implements a redirect. The PSL could provide a "lookaside" bootstrap registry for SLDs, although that is yet another overloading of the function and purpose of the PSL.

dnsguru commented 1 year ago

> Some "off the top of my head" comments:

Thanks, Gavin. As an author of RDAP stuff widely used, your comments are super appreciated...

> 1. I don't see any point in requiring port-43 whois. RDAP should be fine and is simple enough to implement.

Whois was left there as nomenclature because most folk don't recognize what RDAP is.

> 2. However, in the absence of multi-registrar Shared Registry System, and given that the GDPR must still be complied with, what would the RDAP records actually contain that would be useful to third party consumers?

This topic makes its own gravy, but at a high level it seems like at the very least an abuse contact email or webform URL that can be used to complain about or reach the subdomain operator.

> 3. This might help solve the problem of discovery of RDDS services for subdomain registries: IANA only accepts registrations of TLDs into the bootstrap registry, so (to use a real-world example I've had to deal with) the RDAP service for .ac.uk is not discoverable unless the .uk registry operator implements a redirect. The PSL could provide a "lookaside" bootstrap registry for SLDs, although that is yet another overloading of the function and purpose of the PSL.

Really good point and I suppose that would need solving, and it would be helpful to have some form of top-down RDDS discovery tree that was more friendly to subspaces.

Not trying to discuss the bootstrap for the RDDS so much, and that is a problem thirsty for a solution, but rather the objective of this issue was to add more accountability and reachability at the point closest to the problem space due to the affectation that a PSL entry has beyond just cookies, SSL and obvious ones.

dnsguru commented 1 year ago

Received the following comment:

> What constitutes a Subdomain Registry?

dnsguru commented 1 year ago

This seems like perhaps a series of questions that would be good to capture at the intake when requests are being submitted, along with, at very minimum, a means to contact the administrator of the namespace(s) when there is abuse/phishing/pharming/malware etc other activity that requires prompt action.

oldfrogger commented 1 year ago

It seems to be a good idea; the issue is, owners of such lists have to educate a lot of parties on how to identify the domain status, contact the party registering, etc., so having it in the list as WHOIS:_____ / RDAP:NONE or something like it is OK.

dnsguru commented 1 year ago

Adding Abuse contact or Abuse Form URL may be where we are heading for this

dnsguru commented 1 year ago

I am going to leave this issue open but create another that is a call for comments on requiring abuse contacts being present in Pull Requests and later close the RDAP / WHOIS requirement as wontfix for now, as that seems heavier touch than should be expected for most submitters where an abuse contact seems very reasonable in contrast.

simon-friedberger commented 2 months ago

@dnsguru Would this mean adding another e-mail to the PSL entries or something else? If it's just about the e-mail I could quickly add it to the PR template.

dnsguru commented 2 months ago

> @dnsguru Would this mean adding another e-mail to the PSL entries or something else? If it's just about the e-mail I could quickly add it to the PR template.

I spent some time scrolling back through the comments and engagement on this topic. In summary, it seemed like the requestors that are intending to operate subdomain registries for third parties or 'domains for customers' are a subset of the PSL Pull Request population... there are other requestors as well...

So, in thinking this through, I would like to propose we add a checkbox to the template that lets a requestor identify that they will be making their requested namespace available to third parties and that they will provide an abuse contact and/or whois/rdap link where appropriate, and then we introduce two additional (optional) comment lines for:

something to the effect of: [ ] I/we are making this request to provide partitioned namespace for third parties and will provide abuse contact and/or 'whois' server details in our submission

and then some comment line syntax for their submission .dat file such as:

// abuseContact: foo@bar.meh
// rdapLookup: [put the respective URI here]
pslentry.wookie.bar.meh

Because it is commented, it would be ignorable. Also, it might be the case that there would be different abuse/whois entries for a given namespace within a section, so it would likely be the case we'd need a description about how it should be interpreted. A thought here would be that these being present in the section header would be applicable to all things in that section, and then those entries above specific domains would be exceptions. Where it is not present in the section header, the entry above a domain would apply to that domain only.
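As an added example (not code from the PSL project or from anyone in this thread), a small parser for the annotation scheme proposed above: it assumes the `// abuseContact:` and `// rdapLookup:` line syntax, treats blank-line separated blocks as sections, applies annotations before a section's first rule to every rule in that section and annotations directly above a rule to that rule only. The `lookup` helper goes one step further than the comment and maps a reported hostname to the responsible contact, which is what an abuse handler would want; the sample entries are constructed (`bar.meh` is the placeholder from the comment).

```python
import re

ANNOTATION = re.compile(r"^//\s*(abuseContact|rdapLookup)\s*:\s*(\S+)\s*$")  # assumed grammar

# Constructed sample in PSL .dat style; not a real PSL section.
SAMPLE = """\
// Wookie Hosting : https://wookie.bar.meh
// abuseContact: foo@bar.meh
// rdapLookup: https://rdap.bar.meh/
pslentry.wookie.bar.meh
// abuseContact: security@bar.meh
other.wookie.bar.meh
*.cust.wookie.bar.meh

// Lone Hosting : https://lone.meh
// abuseContact: abuse@lone.meh
lone.meh
"""

def parse_annotated_psl(text):
    """Map each rule to its annotations: section-wide defaults come from annotation
    lines before the first rule; a line directly above a rule overrides for that rule."""
    table = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        defaults, pending, seen_rule = {}, {}, False
        for line in (l.strip() for l in block.splitlines() if l.strip()):
            m = ANNOTATION.match(line)
            if m:
                (pending if seen_rule else defaults)[m.group(1)] = m.group(2)
            elif line.startswith("//"):
                continue                      # ordinary header comment, e.g. "// Name : URL"
            else:
                seen_rule = True
                table[line] = {**defaults, **pending}
                pending = {}                  # a per-rule override applies to one rule only
    return table

def lookup(hostname, table):
    """Longest-suffix match of hostname against the rules ('*' matches one label)."""
    labels = hostname.lower().rstrip(".").split(".")
    best = None
    for rule, info in table.items():
        parts = rule.split(".")
        tail = labels[-len(parts):]
        if len(tail) == len(parts) and all(p in ("*", t) for p, t in zip(parts, tail)):
            if best is None or len(parts) > len(best[0].split(".")):
                best = (rule, info)
    return best                               # (rule, annotations) or None if no rule matches
```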

oldfrogger commented 2 months ago

It might be worth adding the optional URL for the abuse reporting web-form (many think that a contact web form might be a good replacement for an email).

For the Whois / RDAP, at least one of those fields should be filled (some may have only whois, some only RDAP, some both), and a kind of test could be a good idea on adding those (like if it is reachable at all and at least if it reports on the public domain itself with the required prescribed TXT string, for automation of the test).

Also some kind of whitelisting for the email test should be recommended, like: 'we are going to send a test email from @.__, please ensure you whitelist it in advance and leave it whitelisted for an emergency, and we expect an email back in 24 hours (auto reply fits too).'

P.S.: some guidance on the process for these fields with recommendations (related to anti abuse) needs to be added to the FAQ of the editing fields on the wiki too.

Maxim

simon-friedberger commented 2 months ago

> @dnsguru Would this mean adding another e-mail to the PSL entries or something else? If it's just about the e-mail I could quickly add it to the PR template.

> I spent some time scrolling back through the comments and engagement on this topic. In summary, it seemed like the requestors that are intending to operate subdomain registries for third parties or 'domains for customers' are a subset of the PSL Pull Request population... there are other requestors as well...

Can you give an example? Do you think that is a significant proportion? My assumption would be that people want cookies etc. separated because there is some amount of distrust between these parties and therefore, everyone should provide an abuse contact.