[ARIN-consult] Community Consultation on CKN23-ARIN Now Open

Jason Schiller jschiller at google.com
Tue Mar 28 10:20:11 EDT 2017


I am comfortable with option 3 where the records are restored, but the POC
is not provided ARIN-Online access so long as there is a process by which a
resource holder can validate the chain of custody and fully vet their right
to use the resource without signing an RSA.

___Jason

On Wed, Mar 22, 2017 at 1:24 PM, ARIN <info at arin.net> wrote:

> There are thousands of instances of the ARIN Point of Contact (POC)
> handle “No, Contact Known” or CKN23-ARIN registered in the ARIN
> database, most of them associated with legacy resource records. ARIN
> would like the community to review the history of this situation and the
> proposed solution and provide us with their feedback.
>
> The creation and addition of this POC handle was due to a combination of
> factors.
>
>      * In 2002, a database conversion project was done at ARIN that
> created a new database structure and added a new record type
> (Organization ID) as well as new POC types (Admin, Tech, Abuse and NOC).
> When an Org ID didn’t have a clear POC that had been recently updated or
> vetted by ARIN staff, the original resource POC remained on the resource
> record only and no POCs were added to the Org record at all.
>      * In a later 2011 database conversion, reverse DNS delegation
> switched from per-net to per-zone. This created significant hijacking
> potential by allowing resource POCs to change their reverse delegation
> without first being verified by staff as legitimate.
>      * Also in 2011, ARIN added a new business rule that required an Admin
> and a Tech POC on all Org records as a way of enhancing data quality.
>      * Policy 2010-14 was implemented in 2011 and required Abuse POCs on
> all Org records.
>
> In order to maintain ARIN’s business rules, comply with policy 2010-14,
> and prevent hijackings, several actions were initiated by staff:
>
>      * CKN23-ARIN was created to become the Admin and Tech POC on Orgs
> that lacked them
>      * Resource POCs of legacy networks that had never been updated or
> validated by ARIN were moved to the Organization record as the Abuse POC
>      * ARIN’s verification and vetting requirements were thus reinstated
> as the Abuse POC had to be vetted before making any changes to the
> record, and therefore could not hijack the resource by adding or
> changing the nameservers
>
> Over time, the above actions have created several issues:
>
>      * It is easy for hijackers to identify and target records with CKN23
> (no contact known) as the handle
>      * POCs that were moved from resource tech to Org abuse are not happy
> about no longer having control of their resource record
>
> There are several different courses of action that ARIN could take to
> resolve the current situation.
>
> Option 1
>
> Retain the current status and do nothing
>
> Option 2
>
> Restore the resource POCs back to their original state on the
> resource record keeping in mind that this would open up the hijacking
> risk by giving the original resource POC control of the network without
> a verification process
>       * Retain the Abuse POC on the Org record
>       * Retain CKN23-ARIN as Org POC
>
> Option 3 - **Recommended option**
>
> Restore the resource POC back to their original state on the
> resource record.   This will allow contacts historically associated with
> a resource record to more readily administer that record going forward.
>       * Retain the Abuse POC on the Org
>       * Replace CKN23-ARIN with a handle that better explains the record’s
> status (e.g. “Legacy Record – See Resource POC”)
>       * Lock all resources associated with these legacy records who have
> had their resource POC restored. This would ensure that any changes made
> by the resource POC would first have to be reviewed by ARIN.
>
> We would like to thank the ARIN Services Working Group (WG) for their
> helpful review of the proposed change – while the ARIN Services WG did
> not take a formal position in support of or in opposition of the
> proposed change, their review led to improvements in presentation of the
> options
>
> We are seeking community feedback on this proposed change (Option #3) to
> the ARIN Registry database.
>
> This consultation will remain open for 60 days - Please provide comments
> to arin-consult at arin.net.
>
> Discussion on arin-consult at arin.net will close on 22 May 2017.
>
> If you have any questions, please contact us at info at arin.net.
>
> Regards,
>
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)
>
>
>
> _______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN
> Consult Mailing
> List (ARIN-consult at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-consult Please contact the
> ARIN Member Services
> Help Desk at info at arin.net if you experience any issues.




-- 
_______________________________________________________
Jason Schiller|NetOps|jschiller at google.com|571-266-0006
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-consult/attachments/20170328/c05f1365/attachment.html>


More information about the ARIN-consult mailing list