
Meh, the owners of the domains gave up control by pointing to someone else's nameservers.



You've just condemned 99% of domains. You really think that's reasonable?


I do think it's reasonable.

If the domain is added to the account there is no PoC; it's only for domains that have been removed from accounts but still have the nameserver values (meaning the domain is not being used at this point; there's no zone file if it isn't added to an account).

So this is mostly only going to affect currently derelict domains. I'm not saying it isn't something to worry about, but I do think it's a reasonable solution.


What you just described as reasonable is not the scenario I asked about, which is just "pointing to someone else's nameservers".


If I buy a domain from a registrar, I can point the registrar at Digital Ocean's nameservers (or AWS, CloudFlare, etc.) for my domain (by adding NS records at the registrar). Then I need to go to Digital Ocean and add my domain and records to their nameservers (via their control panel or API).

If I remove my domain from Digital Ocean, it's my responsibility to then go to the registrar and point the registrar away from DigitalOcean's nameservers. (I own the domain, so I'm the only one the registrar allows to do this. Digital Ocean cannot do this.)

Now, your suggestion is that Digital Ocean goes and verifies that I'm the one who owns that domain. But how would they do this (legitimate question)? I imagine manual verification of ownership of every domain upon creation isn't feasible for their scale. Digital Ocean could query DNS, and see NS records pointing to Digital Ocean, but this only tells them someone configured the nameservers for that domain - it doesn't imply ownership. Digital Ocean can check Whois for the owner of the domain. Checking Whois might work for many cases, but at least some registrars have the option of obscuring Whois data.

It seems simpler to put the onus of security on the owner of the domain. I should clean up my registrar's NS records before removing my domain from Digital Ocean to ensure nobody hijacks it. I would be satisfied as long as Digital Ocean maintained a simple eviction policy (I don't know if they do) as a way for legitimate owners to add their domains to Digital Ocean's nameservers.
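The clean-up the comment above describes is easy to forget, so a domain owner can audit their own inventory for exactly this state: the registrar still delegates to the provider's nameservers, but the provider no longer hosts a zone for the name. The script below is an added example, not code from the thread or from Digital Ocean; the provider nameserver names and the DNS answers are constructed placeholders, and the two lookup callables are injected so the logic runs offline (a real run would plug in an NS lookup and a direct SOA query to the provider's server, treating a REFUSED answer as "no zone hosted").

```python
"""Audit owned domains for dangling delegations to a DNS hosting provider.

A delegation is "dangling" when the domain's NS records still name the
provider's servers but the provider hosts no zone for the domain. Lookups
are injected as callables so the logic is testable without network access.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Constructed placeholder set standing in for the provider's nameservers (assumption).
PROVIDER_NS = {"ns1.provider.example.", "ns2.provider.example.", "ns3.provider.example."}


def _fqdn(name: str) -> str:
    """Normalise a name to lowercase with a trailing dot so comparisons are exact."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


@dataclass
class Finding:
    domain: str
    status: str                 # "ok", "dangling" or "not-delegated-here"
    nameservers: Tuple[str, ...]


def audit_domain(domain: str,
                 lookup_ns: Callable[[str], Iterable[str]],
                 zone_hosted: Callable[[str, str], bool],
                 provider_ns=PROVIDER_NS) -> Finding:
    domain = _fqdn(domain)
    ns = tuple(sorted(_fqdn(n) for n in lookup_ns(domain)))
    delegated = [n for n in ns if n in provider_ns]
    if not delegated:                      # registrar does not point here at all
        return Finding(domain, "not-delegated-here", ns)
    # Ask each of the provider's servers directly; a hosted zone on any of them is fine.
    if any(zone_hosted(domain, n) for n in delegated):
        return Finding(domain, "ok", ns)
    return Finding(domain, "dangling", ns)  # delegated to the provider, but no zone: fix the NS records


def audit_all(domains: Iterable[str], lookup_ns, zone_hosted, provider_ns=PROVIDER_NS) -> List[Finding]:
    return [audit_domain(d, lookup_ns, zone_hosted, provider_ns) for d in domains]


# Constructed sample answers standing in for live DNS data.
SAMPLE_NS = {
    "shop.example.": ["NS1.provider.example", "ns2.provider.example."],
    "old-blog.example.": ["ns1.provider.example.", "ns3.provider.example."],
    "corp.example.": ["ns1.otherdns.example.", "ns2.otherdns.example."],
}
SAMPLE_ZONES = {"shop.example."}           # zones the provider still hosts


def sample_lookup_ns(domain: str) -> List[str]:
    return SAMPLE_NS.get(domain, [])


def sample_zone_hosted(domain: str, nameserver: str) -> bool:
    return domain in SAMPLE_ZONES


if __name__ == "__main__":
    for f in audit_all(SAMPLE_NS, sample_lookup_ns, sample_zone_hosted):
        print(f"{f.domain:20} {f.status:18} {', '.join(f.nameservers)}")
```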


Huh? 99% of domains point to some nameserver they aren't contracting service from? That is, 99% have invalid NS?

(Obviously when I say somebody else's NS I mean a NS they have zero reason to think would respond with correct records. Obviously not talking about outsourcing DNS hosting.)



