Comment by Pxtl 4 days ago

6 replies

I disagree. DNS stores enough information in WHOIS to see if ownership has changed, it's not DNS' fault that nobody looks.

Probably the least-wrong thing to do with current DNS is to have authentication servers keep track of the WHOIS UpdatedDate of email domains. If a WHOIS UpdatedDate is newer than the corresponding user's linked email address verification, that user's email address is no longer trusted. Next time they log in ask them to update or re-confirm their email address, and if they try to password reset they can't use an unconfirmed email address.

Yes that's more tricky work. Authentication is hard. Nobody should be DIYing authentication anymore in this day and age, it's just too much.

niij 4 days ago

What does this protect against? If the WHOIS changes because someone new buys the domain then they could simply receive these reset emails, no?

  • Pxtl 4 days ago

    Yes, but the user had to go through the process of "wait do I still have that email address? Did I receive it?"

    Like, let's say I have an email address pxtl@example.net, and I used that to register an account on service.com, and example.net goes under.

    In theory I know that this event has occurred, I no longer have access to my email address at pxtl@example.net.

    So I log into my service.com account and get told "hey your email was pxtl@example.net - example.net has changed ownership. Is that still your email?" and I'll say "no" and put in a new email.

    Or maybe I don't realize that example.net is gone. So I try to verify the account, find that I'm not receiving the email, and realize my mistake and set up a new email account, and click the button that says "I did not receive the email". The authentication server can prevent this window of time from being an attack vector by forcing a delay between email validation and password reset, and by de-validating the email address (and treating it as a red flag on the whole domain) if the user clicks "I did not receive the email" a few minutes after the email address has been verified.

    And if I forget my password and try to reset password on service.com using my unverified pxtl@example.net? "example.net had an ownership change since this email address was registered, please use another means to reset your password like SMS". Which is the main benefit of this process. Which I know doesn't require full verification.

    Now, obviously the WHOIS UpdatedDate is a noisy signal. Ideally the DNS system would expose a more granular ownership-change date - for example, gmail.com lists a WHOIS UpdatedDate of July 11th, 2024. UpdatedDate isn't supposed to change with every renewal, but lots of things aren't supposed to happen.

    • Pxtl 4 days ago

      Following up on this: Apparently my knowledge is out-of-date.

      WHOIS has been superseded by RDAP, and RDAP provides event data for registration and re-registration. So even better!

      edit: it doesn't seem like registrars actually do re-registration, and many ccTLDs don't even use RDAP yet.

mixdup 4 days ago

You can put whatever you want in WHOIS, including just replicating the information that was there previously. What if the WHOIS email is an email on the domain in question?

Maybe registrars could set a unique ID per registrant, and if a domain expires and is purchased by a different entity/account than the previous one, the registrant GUID is refreshed. That could then be a signal that all previous reliance on the DNS of the domain name should be null and void.

  • Pxtl 4 days ago

    This led me to go do a deeper dive.

    1) WHOIS has been partially replaced by RDAP although many ccTLDs don't support it yet (notably .au and .us for example). Spec for RDAP query results:

    https://datatracker.ietf.org/doc/rfc8977/

    2) RDAP does specify that the registration date should be that of the last time registered - if a domain has lapsed and been picked up by somebody else it's supposed to use the verb "reregistered". But of course, you're depending on the registrar to do that. It does look like "registered" is properly followed - I looked into some known cases of poached lapsed domains and checked their RDAP records, and the registration date corresponds to the date the domain was drop-caught, but no past expiry or re-registration is listed (example[1]).

    3) Either way, don't use the content of the WHOIS/RDAP, just the dates.

    [1] https://www.adrforum.com/domaindecisions/1967817.htm
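The scheme discussed across the thread (compare the email domain's RDAP registration/reregistration event dates against the time the user verified the address, enforce a delay between verification and password reset, and ignore the WHOIS/RDAP contact content entirely) as an added example. This is not code from any commenter; the RDAP records are constructed inline in the shape RFC 9083 uses ("events" with "eventAction"/"eventDate"), the domain names and the 24-hour minimum verification age are hypothetical, and a real deployment would replace `lookup_rdap` with an actual RDAP query.

```python
"""Decide whether an account's recovery email may be used for a password reset,
using only the event dates from the email domain's RDAP record.

Added example for the thread above; all records below are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Callable

UTC = timezone.utc

# RFC 9083 event actions that mean the domain (re)entered registration.
# "last changed" is deliberately excluded: it moves on renewals and contact
# edits, which is exactly the noise the thread complains about in WHOIS UpdatedDate.
OWNERSHIP_EVENTS = frozenset({"registration", "reregistration"})

# Minimum age of an email verification before it can back a password reset
# (closes the "I did not receive the email" window). Hypothetical policy value.
MIN_VERIFIED_AGE = timedelta(hours=24)

# Constructed RDAP responses, trimmed to the fields this check needs.
SAMPLE_RDAP: dict[str, dict] = {
    # Drop-caught domain: registrar reports only a fresh "registration" event
    # at the drop-catch date (the pattern observed in the thread), no expiry.
    "example.net": {
        "objectClassName": "domain",
        "ldhName": "example.net",
        "events": [
            {"eventAction": "registration", "eventDate": "2024-03-01T10:22:07Z"},
            {"eventAction": "last changed", "eventDate": "2024-03-01T10:22:07Z"},
        ],
    },
    # Registrar that does emit "reregistration" after a lapse.
    "example.org": {
        "objectClassName": "domain",
        "ldhName": "example.org",
        "events": [
            {"eventAction": "registration", "eventDate": "2009-05-14T00:00:00Z"},
            {"eventAction": "expiration", "eventDate": "2023-05-14T00:00:00Z"},
            {"eventAction": "reregistration", "eventDate": "2023-08-02T00:00:00Z"},
        ],
    },
    # Stable domain: old registration, recent "last changed" from a renewal (noise).
    "example.com": {
        "objectClassName": "domain",
        "ldhName": "example.com",
        "events": [
            {"eventAction": "registration", "eventDate": "2010-08-20T00:00:00Z"},
            {"eventAction": "last changed", "eventDate": "2024-07-11T00:00:00Z"},
        ],
    },
}


def lookup_rdap(domain: str) -> dict | None:
    """Stand-in for a real RDAP query; None models a ccTLD with no RDAP service."""
    return SAMPLE_RDAP.get(domain)


def parse_rdap_date(value: str) -> datetime:
    """RDAP eventDate values are RFC 3339; normalise to an aware UTC datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=UTC)
    return dt.astimezone(UTC)


def last_registration_date(rdap: dict) -> datetime | None:
    """Most recent registration/reregistration event, or None if the record has none."""
    dates = [
        parse_rdap_date(ev["eventDate"])
        for ev in rdap.get("events", [])
        if ev.get("eventAction") in OWNERSHIP_EVENTS and "eventDate" in ev
    ]
    return max(dates) if dates else None


def reset_via_email_decision(
    address: str,
    verified_at: datetime,
    now: datetime,
    rdap_lookup: Callable[[str], dict | None] = lookup_rdap,
) -> tuple[bool, str]:
    """Return (allowed, reason). Fails closed whenever the dates cannot be checked,
    so the caller falls back to another recovery factor (SMS, backup codes, ...)."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    rdap = rdap_lookup(domain)
    if rdap is None:
        return False, "no_rdap_data"
    registered = last_registration_date(rdap)
    if registered is None:
        return False, "no_registration_event"
    if registered > verified_at:
        # Domain was (re)registered after the user proved control of the mailbox:
        # whoever holds it now may not be the same person. Force re-verification.
        return False, "domain_reregistered_after_verification"
    if now - verified_at < MIN_VERIFIED_AGE:
        return False, "verification_too_recent"
    return True, "ok"


def run_demo() -> dict[str, tuple[bool, str]]:
    """Exercise the four outcomes with fixed timestamps (constructed scenario)."""
    now = datetime(2025, 1, 15, tzinfo=UTC)
    old = datetime(2020, 6, 1, tzinfo=UTC)          # verified years ago
    fresh = now - timedelta(hours=2)                 # verified two hours ago
    return {
        "drop_caught": reset_via_email_decision("pxtl@example.net", old, now),
        "reregistered": reset_via_email_decision("pxtl@example.org", old, now),
        "stable": reset_via_email_decision("pxtl@example.com", old, now),
        "just_verified": reset_via_email_decision("pxtl@example.com", fresh, now),
        "no_rdap": reset_via_email_decision("pxtl@example.au", old, now),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_demo().items():
        print(f"{name:14} allowed={allowed!s:5} reason={reason}")
```

Only dates are read from the record, never contact fields, matching point 3 above; and because registrars often emit a plain "registration" event at drop-catch time rather than "reregistration", the check takes the latest of both rather than relying on the verb.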