Opened 3 years ago

Last modified 11 months ago

#3638 assigned Bug/Something is broken

AAAA glue record for a.ns.mayfirst.org

Reported by: https://id.mayfirst.org/dkg Owned by: https://id.mayfirst.org/dkg
Priority: High Component: Tech
Keywords: glue dns ipv6 dotster registrar Cc:
Sensitive: no

Description

anyone trying to resolve DNS records within the mayfirst.org domain will currently learn that a.ns.mayfirst.org and b.ns.mayfirst.org are the nameservers.

the nameservers for the .org zone supply this information, but they also need to supply so-called "glue" records (the A records that point these names to specific IP addresses) or else the attempt at resolution would go into a loop ("how do you find the machine named a.ns.mayfirst.org? ask a.ns.mayfirst.org!").

For IPv6-only clients, if the glue records are only A records, they won't be able to reach the host. Now that viewsic is answering DNS queries on IPv6, we need AAAA glue records.

Adding glue records to the .org nameservers probably needs to be handled through our DNS registrar, which appears to be dotster.

Ideally, i'd like to add just one AAAA glue record:

a.ns.mayfirst.org IN AAAA 2001:470:1:116::3

This AAAA glue record should *not* overwrite the existing a.ns.mayfirst.org A glue record. If dotster won't accept AAAA and A glue records for the same name, we will need to think of some other approach.
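The loop the description warns about is exactly what a glue check has to catch: every nameserver whose name lies inside the delegated zone (in bailiwick) must have an address record carried alongside the NS records, and an IPv6-only client can only use the ones that carry AAAA glue. The following script is an added example, not part of this ticket or of May First's tooling. It parses records written in the same "owner IN TYPE rdata" style as the record above, validates that A and AAAA rdata really are IPv4 and IPv6 addresses, and reports, per nameserver, which glue is present and which is missing. The sample delegation is constructed: the IPv4 addresses are RFC 5737 documentation placeholders rather than the real glue, and ns1.example.net is an assumed out-of-bailiwick server added only to show that glue is not required for a name outside the zone.

```python
import ipaddress

# Constructed sample delegation (not the real .org delegation data). The IPv4
# addresses are RFC 5737 placeholders; the AAAA for a.ns.mayfirst.org is the one
# requested in the ticket; ns1.example.net is an assumed out-of-bailiwick server.
SAMPLE_DELEGATION = """
mayfirst.org.        IN NS   a.ns.mayfirst.org.
mayfirst.org.        IN NS   b.ns.mayfirst.org.
mayfirst.org.        IN NS   ns1.example.net.
a.ns.mayfirst.org.   IN A    192.0.2.1          ; placeholder IPv4 glue
a.ns.mayfirst.org.   IN AAAA 2001:470:1:116::3
b.ns.mayfirst.org.   IN A    192.0.2.2          ; placeholder IPv4 glue
"""


def _norm(name):
    """Lower-case a domain name and drop the trailing dot so names compare equal."""
    return name.lower().rstrip(".")


def parse_records(text):
    """Parse 'owner IN TYPE rdata' lines into (owner, type, rdata) tuples.

    A/AAAA rdata is validated with the ipaddress module, so an AAAA line carrying
    an IPv4 address (or vice versa) is rejected instead of silently accepted."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # strip ';' comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[1].upper() != "IN":
            raise ValueError(f"unrecognised record line: {raw!r}")
        owner, _, rtype, rdata = parts
        rtype = rtype.upper()
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)       # raises ValueError on garbage
            expected = 4 if rtype == "A" else 6
            if addr.version != expected:
                raise ValueError(f"{rtype} record with IPv{addr.version} rdata: {raw!r}")
            rdata = str(addr)                        # canonical text form
        elif rtype == "NS":
            rdata = _norm(rdata)
        records.append((_norm(owner), rtype, rdata))
    return records


def in_bailiwick(host, zone):
    """True when host is the zone apex or lies below it; glue is mandatory then."""
    return host == zone or host.endswith("." + zone)


def check_glue(zone, records):
    """Per nameserver of `zone`: whether glue is required, the A and AAAA glue
    present, and which of the two families is missing when glue is required."""
    zone = _norm(zone)
    report = {}
    for owner, rtype, ns in records:
        if owner != zone or rtype != "NS":
            continue
        a = sorted(rd for o, t, rd in records if o == ns and t == "A")
        aaaa = sorted(rd for o, t, rd in records if o == ns and t == "AAAA")
        needs = in_bailiwick(ns, zone)
        missing = [t for t, have in (("A", a), ("AAAA", aaaa)) if needs and not have]
        report[ns] = {"needs_glue": needs, "A": a, "AAAA": aaaa, "missing": missing}
    return report


def ipv6_only_reachable(report):
    """Nameservers an IPv6-only client can reach directly through glue."""
    return sorted(ns for ns, r in report.items() if r["AAAA"])


def glue_problems(zone, text):
    """Convenience wrapper: sorted (nameserver, missing type) pairs."""
    report = check_glue(zone, parse_records(text))
    return sorted((ns, t) for ns, r in report.items() for t in r["missing"])


if __name__ == "__main__":
    for ns, r in check_glue("mayfirst.org", parse_records(SAMPLE_DELEGATION)).items():
        status = "ok" if not r["missing"] else "missing " + "/".join(r["missing"])
        print(f"{ns:22} glue required: {str(r['needs_glue']):5}  "
              f"A={r['A']}  AAAA={r['AAAA']}  -> {status}")
```

Run against the constructed delegation, the report flags b.ns.mayfirst.org as lacking AAAA glue, lists a.ns.mayfirst.org as the only server an IPv6-only client can reach through glue, and leaves ns1.example.net unflagged because a name outside the zone is resolved normally rather than through glue. Feeding it the output of a real referral (the authority and additional sections returned by the .org servers) is the natural next step once the registrar publishes the AAAA record.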

Change History (24)

comment:1 Changed 3 years ago by https://id.mayfirst.org/dkg

  • Owner changed from https://id.mayfirst.org/jamie to https://id.mayfirst.org/dkg
  • Status changed from new to assigned

I'm going to go ahead and try to do this via dotster now.

comment:2 Changed 3 years ago by https://id.mayfirst.org/dkg

  • Keywords dotster added

hrm. i see no way to do this via dotster's web interface.

I just wrote them the following help request:

hello dotster folks--

We're looking to set up an AAAA glue records for
a.ns.mayfirst.org (a delegation injected into the org
zone by you on behalf of the mayfirst.org domain, for
which you are the registrar).

however, the only place i can find in your "account
management" control panel to set up glue records appears
to be "name server registration" [0], which looks like
it only accepts dotted-quad-style IPv4 addresses
(presumably to make an A glue record, not an AAAA glue
record).

We'd like an AAAA glue record for a.ns.mayfirst.org that
resolves to 2001:470:1:116::3 . Note also that we do *not*
want to get rid of the A glue record for the same name.
How can we do this?

Regards,

    --dkg

[0] https://secure.dotster.com/account/nameserver/registerns.php?domain=MAYFIRST.ORG

comment:3 Changed 3 years ago by https://id.mayfirst.org/dkg

dotster replies:

---------------------------------------------------------------
Response (Sean E.) - 11/17/2010 08:36 PM
Thank you for contacting Customer Care,

Our DNS does not currently support IPV6 records. You may want to look in to
www.zoneedit.com which offers a more robust set of DNS options. 

Regards,
Customer Care

It's unclear from this response if they are even aware that i'm asking about glue records, not about using their DNS service :(

I've blogged about the question, but haven't gotten many leads yet.

One person who saw the blog mentioned to me privately that GKG allows setting of both A and AAAA glue records to domains in the .org zone, though, including A and AAAA records for the same labels. I know nothing about GKG, though, or how they function politically as a registrar.

Shall we try moving the mayfirst.org to GKG as a registrar to complete this process?

comment:4 Changed 3 years ago by https://id.mayfirst.org/jamie

I've found some generally positive reviews of gkg (here and here). Another interesting thread includes a poster complaining about having his domain name suspended, then charged $100 to investigate whether he provided accurate contact information. That thread also includes an interesting mention of how gkg supposedly supports dnssec (I know... a different issue), but has not fully implemented it.

I realize that another criterion is US-based (gkg is US based) - that gives us easier access to legal recourse if our domain name is pulled than if we were using a registrar outside of the US.

Maybe we should give this another day or so and see if we get other responses? I agree, we do need to move off of Dotster - however, I want to make sure we don't move somewhere that will cause other problems down the road.

jamie

comment:5 follow-up: Changed 3 years ago by https://id.mayfirst.org/dkg

ugh, yeah the domain name suspension is worrisome. I also heard (from the same person who told me about their AAAA glue in the first place) that they do the usual extortionist tactics if you miss a domain expiration (though i don't know that this sets them apart from any other registrar at this point).

My blog post raised some other suggestions -- i'm looking into joker right now, though it's Germany-based, i think. I'm curious about how you see the legal situation, especially since the org zone itself is served by an Irish company. any potential conflict would be a sticky multi-jurisdictional issue, to be sure.

comment:6 in reply to: ↑ 5 Changed 3 years ago by https://id.mayfirst.org/dkg

  • Keywords registrar added

Replying to https://id.mayfirst.org/dkg:

ugh, yeah the domain name suspension is worrisome. I also heard (from the same person who told me about their AAAA glue in the first place) that they do the usual extortionist tactics if you miss a domain expiration (though i don't know that this sets them apart from any other registrar at this point).

In this comment, "they" refers to GKG, in case it wasn't clear.

comment:7 follow-up: Changed 3 years ago by https://id.mayfirst.org/jamie

Our real-life experience with the country jurisdiction came in the context of joker (I thought it was Swiss, but could be wrong). joker got a complaint about a member's domain and turned off the domain. The member's (US) legal representative said they couldn't do anything because they don't know Swiss law. They suggested moving the domain to a US-based registrar so if the new registrar did the same thing they could send them a letter referencing US law.

I've never heard of a case in which PIR turned off a domain (I haven't really looked either). Seems like the registrar is a more common target.

And, the initial take down seems to have very little to do with the law. The idea that a company or government in one country would have to go through more steps to get a web site or domain taken down in another country only applies if the company refuses the initial request, which seems sadly rare.

jamie

comment:8 in reply to: ↑ 7 Changed 3 years ago by https://id.mayfirst.org/dkg

Replying to https://id.mayfirst.org/jamie:

Our real-life experience with the country jurisdiction came in the context of joker (I thought it was Swiss, but could be wrong). joker got a complaint about a member's domain and turned off the domain. The member's (US) legal representative said they couldn't do anything because they don't know Swiss law. They suggested moving the domain to a US-based registrar so if the new registrar did the same thing they could send them a letter referencing US law.

ugh, that's no good. if you're sure it was Swiss, are you sure it was joker?

I've never heard of a case in which PIR turned off a domain (I haven't really looked either). Seems like the registrar is a more common target.

what is "PIR" ? Are you talking about the Public Interest Registry?

It seems like legal (or other) threats to a web site on a .org domain could be made to a range of parties:

  • ICANN itself
  • PIR
  • afilias (they handle technical operations of the .org zone)
  • the registrar
  • the name server operator
  • the web server operator

MF/PL has the last two layers covered. But becoming a registrar ourselves seems financially excessive, not to mention bureaucratically tedious. And we'd still be leaving our members open to attacks via the first three layers. So do we know of a registrar that is willing to fight for its registrants?

fwiw, Joker's ToS seems to pay lip service to ICANN's Uniform Domain Name Dispute Resolution Policy (UDRP), which presumably every registrar hooked into the ICANN-controlled root zone needs to operate by. If Joker's past actions violated the UDRP, maybe that would be leverage to get them to not do it again in the future?

And, the initial take down seems to have very little to do with the law. The idea that a company or government in one country would have to go through more steps to get a web site or domain taken down in another country only applies if the company refuses the initial request, which seems sadly rare.

yeah, the question seems to be if we can find participants in this chain who have some backbone. :/ Any history with dotster in that regard?

comment:9 Changed 3 years ago by https://id.mayfirst.org/jamie

By PIR - I was referring to Public Interest Registry. I've never heard of take downs coming at the ICANN, PIR or afilias level - but I'd be interested to know about any.

Yeah - the registrar in question was joker for sure (it was the Yes Men - they couldn't resist). I'm probably wrong about the country - all I remember is that it wasn't the US.

I agree that becoming a registrar is too much - I wish it wasn't so (or that some other group of politically-minded people would tackle the financial and bureaucratic hurdles). Becoming a registrar doesn't seem in the cards for MFPL at this time.

I don't have any knowledge of registrars with backbones, nor any experience positive or negative with dotster in that regard. Without prior knowledge to suggest otherwise, I would expect all registrars to cave without a fight :(.

jamie

comment:10 Changed 3 years ago by https://id.mayfirst.org/alfredo

We are exposed at the registrar level for sure. None will stand up to a real corporate legal threat.

But the only threats are not to domain through registrar and that's the problem. You also have the threat to service itself which then includes the upstream provider and none of those are very good on this issue. Hurricane Electric, our upstream provider, has been extremely weak in almost every sense.

Still, I understand the nature of the DNS issue and would love to work on developing a progressive registrar. It's time-consuming and exhausting but those things don't apply as much when you're doing something that gives political and organizational benefit. Then it's merely an investment of time and effort that might be worth it.

If we were to make DNS a political priority for Internet activist organizations, organize some kind of convergence, build an "implementation committee" and then try and launch a registrar as a kind of coalition effort...I think the work put into that might yield some positives that might be worth it.

I mean, this might be the thing we've been looking for to bring together all these Internet activism groups.

comment:11 Changed 3 years ago by https://id.mayfirst.org/dkg

Out of historical curiosity: did the Yes Men try to pursue the matter with Joker through the UDRP?

i'm not sure that the time, money, and energy to build a coalition registrar would be worth the payoff, since it'd still be subject to the other levels of the hierarchy. I'd rather research (and build?) ways to supplant DNS in a decentralized way at some technical level, if i was going to invest that kind of energy in a project like this. But that might just be me; i certainly wouldn't block any sort of coalition looking to organize around the issue.

comment:12 Changed 3 years ago by https://id.mayfirst.org/alfredo

I think you, Daniel, may be right about what to do: especially if we can relieve ourselves of the "hierarchy burden" you refer to. But I also think it's important to do these things as coalitions when and if possible. I would like to get away from the "brilliant idea" approach in which a few people (or a person) start working on something on their own and *then* it's discussed publicly and picked up by people and organizations. If it were possible to actually have a discussion among these organizations of what's needed and some kind of coordinated approach to it I think the benefits would be multiple.

comment:13 Changed 3 years ago by https://id.mayfirst.org/dkg

Certainly; i wouldn't consider researching or constructing a decentralized answer to DNS without taking part in a conversation with other interested parties. Even aside from the political reasons for coalition-building, reasonable network protocols simply don't get built in isolation; they're network protocols. This doesn't mean people shouldn't try to implement their own flavor of things while discussions are taking place, though. Real-world implementations provide practical feedback to a discussion that is pretty much impossible to get any other way.

If we were going to try to push for wider distributed naming, I'd probably start with something like wide-area Multicast DNS (which already has a substantial userbase and community on the LAN) with some approach to filter out bogus replies or highlight particularly trustworthy replies. Some kind of distributed naming discussion is apparently already happening within the freedom box project, from what i've heard. Maybe that's the place to take the discussion about the future of non-hierarchical name resolution?

in the meantime, we still need to resolve this ticket by figuring out how to handle AAAA glue records for mayfirst's nameservers :/ I'm in the middle of completing a domain transfer to joker.com so i can check out what they actually offer and give feedback here about it.

Also, i'm still curious about the answer to this question:

Out of historical curiosity: did the Yes Men try to pursue the matter with Joker through the UDRP?

comment:14 Changed 3 years ago by https://id.mayfirst.org/alfredo

As far as I remember, they didn't "pursue" the Joker thing very much at all. I think they just got hit and turned to us for a rescue. But Jamie's memory will be more accurate on this so I'll bow to him on it.

I agree that we need to pay attention to the practical issue we're dealing with. Absolutely.

The point I'm making, briefly, is that maybe we should take on this tech issue with a more organized kind of discussion or at least have a group of organizations we're talking with to let them know how things are going. I've a feeling that these tech challenges are a way of organizing relationships (and starting some) that we, as an organization, haven't pursued in that way as well as we should have. That is, as you know, part of my responsibility and I just don't feel I've done a very good job there.

So I'm thinking and you, as usual, are helping me think. For which I thank you. :-)

comment:15 Changed 3 years ago by https://id.mayfirst.org/jamie

I think that joker froze the account completely (no changes to the DNS records allowed and no ability to transfer it to another registrar). Then, they allowed the domain to be transferred to another registrar and it was immediately. I'm not sure what the Yes Men did (if anything) to make this change happen, however, I'm fairly sure it did not involve anything as formal as invoking the UDRP.

jamie

comment:16 Changed 3 years ago by https://id.mayfirst.org/dkg

it was transferred to a new registrar under the yes men's control? or under someone else's control?

comment:17 Changed 3 years ago by https://id.mayfirst.org/jamie

Under the Yes Men's control.

Also - I found a blog post about the whole affair, which can provide general background, but sadly I didn't discuss this particular issue of legal jurisdiction and registrars in the post.

jamie

comment:18 Changed 3 years ago by https://id.mayfirst.org/dkg

fwiw, as of november 23rd, gandi now supports AAAA glue records alongside A glue records with the same name. I just tested this with a different domain i have registered through gandi, and it works fine. The glue record data entry is a textarea, and you just enter one address per line, either IPv4 (in dotted-quad) or IPv6 (in colon-delimited form). I'd like to think that my nagging their support on the 17th coaxed them to put this into their control panel upgrade on the 23rd, but that seems like a pretty tight turnaround.

Anyway, if we want to move mayfirst.org to gandi, we would have the ability to set up AAAA glue records.

comment:19 Changed 3 years ago by https://id.mayfirst.org/jamie

The only argument I can think of for not moving to Gandi is that it limits our legal representation choices if our registrar were to pull our domain name. I'm inclined to say let's move it anyway because of the advantages in terms of IPv6 and potential for dnssec that seems to be on its way. I'd prefer a US-based registrar that was reliable and had the same capability, however, I'm not sure it exists.

Alfredo - thoughts?

jamie

comment:20 Changed 3 years ago by https://id.mayfirst.org/jamie

dkg and I have found a US-based registrar that both supports IPv6 glue records and dnssec to boot. It's dyndns.

I've just transferred my personal domain (workingdirectory.net).

Once that's moved we'll investigate the UI and make a recommendation on whether we think we should move mayfirst.org.

A brief web search turns up nothing atrocious - any one with bad experiences with Dyndns please let us know.

jamie

comment:21 Changed 3 years ago by https://id.mayfirst.org/dkg

(as an aside, but related to the DNS hierarchy: IODNS and dot-p2p are two recent proposals to try to decentralize DNS)

comment:22 Changed 12 months ago by https://id.mayfirst.org/dkg

  • Owner changed from https://id.mayfirst.org/dkg to https://id.mayfirst.org/jamie

Looks like mayfirst.org is still registered via dotster. in comment:20, jamie suggested that he would consider transferring mayfirst.org after having some experience with dyndns for workingdirectory.net.

I'm transferring this ticket back to jamie in the hopes that he can make this change after assessing his two years of work with dyndns. Jamie, if you're ok with dyndns, and you want me to do the move, just reassign the ticket to me and i'll try to figure out the credentials.

comment:23 Changed 12 months ago by https://id.mayfirst.org/jamie

  • Owner changed from https://id.mayfirst.org/jamie to https://id.mayfirst.org/dkg

Thanks for pushing this along. I have had no problems with dyndns and recommend we move to them.

The password is in keyringer so you should be able to make the switch.

comment:24 Changed 11 months ago by https://id.mayfirst.org/dkg

  • Priority changed from Medium to High

moving this into an urgency range where i can remember to keep on top of it.
