
Open Q / Discussion: SHOULD Subdomain Registries be providing RDAP/Whois to be included in PSL? #1813

Open
dnsguru opened this issue Jul 28, 2023 · 9 comments
Labels: MAY DESERVE SECURITY REVIEW (This is a PR that might benefit from a re-review), ❔❔ question (Open question, please look / answer / respond)

Comments

@dnsguru
Member

dnsguru commented Jul 28, 2023

There is a growing quantity of requests for subdomain eTLD+ with aspirations of offering segmented customer namespace.

Given that registries are increasing the wholesale price of domain names, and the registrars are passing these prices through to the registrant, low-cost options are becoming attractive for hosting providers in order to serve their customers.

Low-cost options help customers start their journey, but unfortunately are also an area that can get exploited for bad things.

Question for the community:
SHOULD these subdomain registries be required, as part of inclusion in the PSL, to provide RDAP / WHOIS lookup server address such that it is possible to directly contact the specifically responsible party for a given subdomain?

@dnsguru dnsguru added the ❔❔ question Open question, please look / answer / respond label Jul 28, 2023
@dnsguru dnsguru self-assigned this Jul 28, 2023
@dnsguru dnsguru added this to To do in Meta Topics, Questions, Process via automation Jul 28, 2023
@dnsguru dnsguru changed the title Discussion: SHOULD Subdomain Registries providing RDAP/Whois? Open Q / Discussion: SHOULD Subdomain Registries be providing RDAP/Whois to be included in PSL? Jul 29, 2023
@dnsguru
Member Author

dnsguru commented Aug 1, 2023

#1612 as an example has indicated that their whole namespace was flagged by Google Safebrowsing - if this was triggered by enough volume of perps underneath the submitted string that the string was blocked in Chrome. What is not clear about this PR, as it has not been processed, is if the hop.sh namespace had been in the PSL, would Google have handled their blocking differently or at all.

Assuming that the action by Google affected legitimate users that were not phishing as a consequence of the parties that were phishing, it seems that as a tradeoff for partitioning the namespace to shelter the impacts is that there should be transparency into the perps directly.

@weppos
Member

weppos commented Aug 1, 2023

SHOULD these subdomain registries be required, as part of inclusion in the PSL, to provide RDAP / WHOIS lookup server address such that it is possible to directly contact the specifically responsible party for a given subdomain?

How would this requirement "benefit" the PSL management process? From what I've read above, it sounds like the choice is based on some consumer-specific use-case, and we generally try to stay consumer neutral.

@gbxyz
Contributor

gbxyz commented Aug 1, 2023

Some "off the top of my head" comments:

  1. I don't see any point in requiring port-43 whois. RDAP should be fine and is simple enough to implement.
  2. However, in the absence of multi-registrar Shared Registry System, and given that the GDPR must still be complied with, what would the RDAP records actually contain that would be useful to third party consumers?
  3. This might help solve the problem of discovery of RDDS services for subdomain registries: IANA only accepts registrations of TLDs into the bootstrap registry, so (to use a real-world example I've had to deal with) the RDAP service for .ac.uk is not discoverable unless the .uk registry operator implements a redirect. The PSL could provide a "lookaside" bootstrap registry for SLDs, although that is yet another overloading of the function and purpose of the PSL.

@dnsguru
Member Author

dnsguru commented Aug 1, 2023

Some "off the top of my head" comments:

Thanks, Gavin. As an author of RDAP stuff widely used, your comments are super appreciated...

  1. I don't see any point in requiring port-43 whois. RDAP should be fine and is simple enough to implement.

Whois was left there as nomenclature because most folk don't recognize what RDAP is.

  2. However, in the absence of multi-registrar Shared Registry System, and given that the GDPR must still be complied with, what would the RDAP records actually contain that would be useful to third party consumers?

This topic makes its own gravy, but at a high level it seems like at very least an abuse contact email or webform url that can be used to complain about or reach the subdomain operator.

  3. This might help solve the problem of discovery of RDDS services for subdomain registries: IANA only accepts registrations of TLDs into the bootstrap registry, so (to use a real-world example I've had to deal with) the RDAP service for .ac.uk is not discoverable unless the .uk registry operator implements a redirect. The PSL could provide a "lookaside" bootstrap registry for SLDs, although that is yet another overloading of the function and purpose of the PSL.

Really good point and I suppose that would need solving, and would be helpful to have some form of top-down RDDS discovery tree that was more friendly to subspaces.

Not trying to discuss the bootstrap for the RDDS so much, and that is a problem thirsty for a solution, but rather the objective of this issue was to add more accountability and reachability at the point closest to the problem space due to the affectation that a PSL entry has beyond just cookies, SSL and obvious ones.
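To make the RDDS-discovery gap concrete (gbxyz's point 3 above and this reply): the IANA bootstrap file only maps TLDs, so a client looking up a name under ac.uk lands on the .uk server. The snippet below is an added example, not code from the PSL project or from any participant here. It parses a small PSL fragment in the list's real line format, finds the public suffix and registrable domain, and then resolves an RDAP base URL by first consulting a hypothetical PSL-keyed "lookaside" table and only then an IANA-shaped (RFC 7484 dns.json) TLD bootstrap. Every hostname, the lookaside table and the bootstrap contents are constructed for illustration; the `domain/<name>` query path is the RDAP one from RFC 9082.

```python
# Added example (not PSL project code). All data is constructed; the .invalid
# hostnames are placeholders and not real RDAP servers.
from urllib.parse import urljoin

# Constructed fragment in the real PSL line format: "//" comments,
# "*." wildcard labels, "!" exceptions that override a wildcard.
PSL_FRAGMENT = """\
// ===BEGIN ICANN DOMAINS===
uk
ac.uk
co.uk
*.sch.uk
jp
*.kawasaki.jp
!city.kawasaki.jp
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
// Submitted by a hypothetical hosting provider
example-hosting.invalid
// ===END PRIVATE DOMAINS===
"""

# Constructed, in the shape of IANA's RFC 7484 dns.json: TLDs only, which is
# exactly why an ac.uk RDAP service is not discoverable through it.
IANA_BOOTSTRAP = {
    "version": "1.0",
    "services": [
        [["uk"], ["https://rdap.tld-uk.invalid/"]],
        [["jp"], ["https://rdap.tld-jp.invalid/"]],
    ],
}

# Hypothetical lookaside keyed by PSL suffix: the "bootstrap for SLDs" idea.
LOOKASIDE = {
    "ac.uk": "https://rdap.ac-uk.invalid/",
    "example-hosting.invalid": "https://abuse.example-hosting.invalid/rdap/",
}


def parse_psl(text):
    """Return the set of rules, dropping comments and blank lines."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")}


def public_suffix(domain, rules):
    """PSL algorithm: exception rule wins, else the rule with most labels,
    else the implicit '*' rule (every TLD is a public suffix)."""
    labels = domain.lower().rstrip(".").split(".")
    best = 0
    for i in range(len(labels)):
        tail = ".".join(labels[i:])
        if "!" + tail in rules:                 # exception: drop left label
            return ".".join(labels[i + 1:])
        if tail in rules:
            best = max(best, len(labels) - i)
        elif i + 1 < len(labels) and "*." + ".".join(labels[i + 1:]) in rules:
            best = max(best, len(labels) - i)   # wildcard eats one label
    return ".".join(labels[-max(best, 1):])


def registrable_domain(domain, rules):
    """Public suffix plus one label, or None if the name is itself a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = len(public_suffix(domain, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None


def rdap_base(suffix, lookaside=LOOKASIDE, bootstrap=IANA_BOOTSTRAP):
    """Longest lookaside match on the suffix first, then TLD bootstrap."""
    labels = suffix.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in lookaside:
            return lookaside[".".join(labels[i:])]
    for names, urls in bootstrap["services"]:
        if labels[-1] in names:
            return urls[0]
    return None


RULES = parse_psl(PSL_FRAGMENT)


def rdap_query_url(domain, rules=RULES):
    """RDAP domain query URL for the registrable domain, or None."""
    reg = registrable_domain(domain, rules)
    base = rdap_base(public_suffix(domain, rules))
    return urljoin(base, "domain/" + reg) if reg and base else None


if __name__ == "__main__":
    for name in ("www.cs.ox.ac.uk", "bar.foo.sch.uk",
                 "customer.example-hosting.invalid", "example.zz"):
        print(name, "->", rdap_query_url(name))
```

Note what the lookaside changes: without it, `www.cs.ox.ac.uk` is sent to the .uk TLD server, which may or may not redirect; with it, the query goes straight to the party responsible for ac.uk. The same mechanism would carry an abuse contact for a private-section entry such as the hosting provider above, which is the reachability goal of this issue.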

@dnsguru
Member Author

dnsguru commented Aug 1, 2023

Received the following comment:

What constitutes a Subdomain Registry?

  • Does it include registries of ccTLDs that operate on a third-level registration basis (.co.uk)
  • Does it include registries that basically resell subdomains of domains they own/manage to registrars only?
  • Does it include registries that resell subdomains of domains they own/manage to end customers?
  • Does it include hosting service providers who offer "free domains" (subdomains) to their hosting customers?
  • Does it include Dynamic DNS providers who offer redirects under subdomains of their domains to their customers? (for example Synology under *.quickconnect.to).
  • Does it include URL Shortening Services that use subdomains? (for example rb.gy)

@dnsguru
Member Author

dnsguru commented Aug 3, 2023

This seems like perhaps a series of questions that would be good to capture at the intake when requests are being submitted, along with, at very minimum, a means to contact the administrator of the namespace(s) when there is abuse/phishing/pharming/malware etc other activity that requires prompt action.

@oldfrogger

It seems to be a good idea. The issue is, owners of such lists have to educate a lot of parties how to identify the domain status, contact the party registering, etc., so having it in the list as WHOIS:_____ / RDAP:NONE or something like it is ok.

@dnsguru
Member Author

dnsguru commented Aug 8, 2023

Adding Abuse contact or Abuse Form URL may be where we are heading for this

@dnsguru
Member Author

dnsguru commented Aug 23, 2023

I am going to leave this issue open but create another that is a call for comments on requiring abuse contacts being present in Pull Requests and later close the RDAP / WHOIS requirement as wontfix for now, as that seems heavier touch than should be expected for most submitters where an abuse contact seems very reasonable in contrast.
