Zone file access is crap, security panel confirms

Kevin Murphy, June 20, 2017, 11:11:02 (UTC), Domain Policy

ICANN’s Centralized Zone Data Service has some serious shortcomings and needs an overhaul, according to the Security and Stability Advisory Committee.

The panel of DNS security experts has confirmed what CZDS subscribers, including your humble correspondent, have known since 2014 — the system had a major design flaw baked in from day one for no readily apparent reason.

CZDS is the centralized repository of gTLD zone files. It’s hosted by ICANN and aggregates zones from all 2012-round, and some older, gTLDs on a daily basis.

Signing up for it is fairly simple. You simply fill out your contact information, agree to the terms of service, select which zones you want and hit “submit”.

The purpose of the service is to allow researchers to receive zone files without having to enter into separate agreements with each of the 1,200+ gTLDs currently online.

The major problem, as subscribers know and SSAC has confirmed, is that the default subscription period is 90 days.

Unless the gTLD registry extends the period at its end, at its own discretion, each subscription ends after three months — cutting off access — and the subscriber must reapply.

Many of the larger registries exercise this option, but many — particularly dot-brands — do not.

The constant need to reapply and re-approve creates a recurring arse-ache for subscribers and, registry staff have told me, the registries themselves.

The approval process itself is highly unpredictable. Some of the major registries process requests within 24 hours — I’ve found Afilias is the fastest — but I’ve been waiting for approval for Valuetainment’s .voting since September 2016.

Some dot-brands even attempt to insert extra terms of service into the deal before approving requests, which defeats the entire purpose of having a centralized service in the first place.

Usually, a polite email to the person handling the requests can produce results. Other times, it’s necessary to report them to ICANN Compliance.

The SSAC has evidently interviewed many people who share my concerns, as well as looking at data from Compliance (where CZDS reliably generates the most complaints, wasting the time of Compliance staff).

This situation makes zone file access unreliable and subject to unnecessary interruptions. The missing data introduces “blind spots” in security coverage and research projects, and the reliability of software – such as security and analytics applications – that relies upon zone files is reduced. Lastly, the introduced inefficiency creates additional work for both registry operators and subscribers.

The SSAC has no idea why the need to reapply every 90 days was introduced, figuring it must have happened during implementation.

But it recommends that access agreements should automatically renew once they expire, eliminating the busywork of reapplying and closing the holes in researchers’ data sets.

As I’m not objective on this issue, I agree with that recommendation wholeheartedly.

I’m less keen on the SSAC’s recommendation that registries should be able to opt out of the auto-renewals on a per-subscriber basis. This will certainly be abused by the precious snowflake dot-brands that have already shown their reluctance to abide by their contractual obligations.

The SSAC report can be read here (pdf).


Comments (4)

  1. Calvin says:

    And adjusting the 90 day limit is non-obvious, just to make matters more interesting.

  2. The automatic 90 day renewal/reapplication thing was never a part of the ZFA working group recommendations. Someone who didn’t understand the damage it would do to the whole process changed the documentation. The ZFA group understood the problem of dealing with potentially hundreds or thousands of zones but someone (or more than one person) outside the ZFA group made a mess of things. With 1,200 zones, having to reapply for ZFA every 90 days for some of them takes time. Some registries are more clueful and set longer expiration limits and tend to update rapidly.

  3. zone files for all says:

    What about the awful file transfer process with the baffling requirement of customer software to download zones? And the naming of zones using numbers instead of, you know, their names.

    If only there was a standard way to transfer zones. One that all DNS software would support and is well understood.

  4. It would have been nice to have a simple FTP or SFTP solution but the CZDS seems a bit overengineered to cope with the whole expiry and authorisation frontend. There are some Python scripts for handling downloads and some of them can be modified to save as a date-zonefilename-time file name format.

    DNS software does support zone file transfer. The problem is that it may require authentication and IP based access. These are also live zone files with domain names being continually, in theory, added. The zonefiles are snapshots of the zone at a particular time.
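The commenter above mentions saving downloads under a date-zonefilename-time naming scheme, and the post itself notes that lapsed subscriptions leave "blind spots" in zone-file coverage. The script below is an added example (not code from the post, the SSAC or any commenter) showing how a subscriber can detect those blind spots from the saved snapshots alone: it parses the file names, finds runs of missing days per zone, and flags zones whose newest snapshot is stale. The exact name pattern (`YYYY-MM-DD-<zone>-HHMMSS.zone`) and the sample file names are assumptions constructed for the example.

```python
"""Detect coverage gaps in a set of daily zone-file snapshots.

Added example, not from the post or its comments. Assumes files are named
YYYY-MM-DD-<zone>-HHMMSS.zone (the date-zonefilename-time scheme mentioned
in the comments); that pattern is an assumption of this example.
"""
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample file names. The "example" zone has a three-day hole
# (a lapsed 90-day subscription); "voting" stops being delivered entirely.
SAMPLE_FILES = [
    "2017-06-01-example-031500.zone",
    "2017-06-02-example-031412.zone",
    "2017-06-03-example-031455.zone",
    # 2017-06-04 .. 2017-06-06 missing
    "2017-06-07-example-031300.zone",
    "2017-06-01-voting-040000.zone",
    "2017-06-02-voting-040000.zone",
    "README.txt",  # unrelated file, must be ignored
]

NAME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})-([a-z0-9-]+)-(\d{6})\.zone$")


def parse_snapshot(name):
    """Return (snapshot_date, zone) for a well-formed file name, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return date.fromisoformat(m.group(1)), m.group(2)


def find_gaps(names):
    """Map each zone to a list of (first_missing, last_missing) ISO date pairs.

    Only days between the zone's earliest and latest snapshot are considered,
    so a zone with unbroken daily delivery yields an empty list.
    """
    days_seen = defaultdict(set)
    for name in names:
        parsed = parse_snapshot(name)
        if parsed:
            day, zone = parsed
            days_seen[zone].add(day)

    gaps = {}
    for zone, days in days_seen.items():
        missing = []
        gap_start = None
        day, last = min(days), max(days)
        while day <= last:
            if day not in days:
                if gap_start is None:
                    gap_start = day
            elif gap_start is not None:
                missing.append((gap_start.isoformat(),
                                (day - timedelta(days=1)).isoformat()))
                gap_start = None
            day += timedelta(days=1)
        gaps[zone] = missing
    return gaps


def lapsed_zones(names, as_of_iso, max_age_days=1):
    """Zones whose newest snapshot is older than max_age_days as of the given date."""
    as_of = date.fromisoformat(as_of_iso)
    newest = {}
    for name in names:
        parsed = parse_snapshot(name)
        if parsed:
            day, zone = parsed
            newest[zone] = max(newest.get(zone, day), day)
    return sorted(z for z, d in newest.items() if (as_of - d).days > max_age_days)


if __name__ == "__main__":
    for zone, gaps in sorted(find_gaps(SAMPLE_FILES).items()):
        for start, end in gaps:
            print(f"{zone}: no snapshot from {start} to {end}")
    for zone in lapsed_zones(SAMPLE_FILES, "2017-06-08"):
        print(f"{zone}: newest snapshot is stale, subscription may have expired")
```

Run it daily over the download directory; a reported gap or a stale zone is the cue to reapply (or to check whether the registry has quietly declined the renewal) before the hole in the data set grows.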
