:: [devuan-dev] Private WHOIS for Devu…
Top Page
Delete this message
Reply to this message
Author: Rick Moen
To: devuan-dev
Subject: [devuan-dev] Private WHOIS for Devuan Project domains
Hullo, Devuan Project leaders. You good people have a conference to
run, but whenever it's convenient to attend to this matter, it'll be

During early phases of the recent (very well done, IMO) April Fool's
prank, out of habit for situations where there's a possible security
compromise, I checked Devuan Project's domain registration for domains
devuan.org and dyne.org -- to check expiration dates and see who is
shown for Registrant, Tech Contact, and Admin Contact (in part to see if
key domains had expired or been hijacked). Results here:


The point: For both domains, public WHOIS has been severely redacted --
slightly differently for dyne.org (@gandi.net) vs. for devuan.org

First thing: Is this WHOIS redaction Devuan Project's intention?

I'm guessing probably 'no'. Lately, I've seen (many) signs of (many)
domain registrars taking public WHOIS information private, usually
without consulting the customers in question, as part of an
institutional response to the May 25, 2018 rollout of GDPR.

Jaromil posted on DNG today about 'Devuan's infra at OVH', and so I
gather that OVH is doubtless an excellent firm. However, as is visible
at the Pastebin link, OVH's current WHOIS for the devuan.org domain is
even more severely redacted than is Gandi.net's for dyne.org, omitting
public data about Tech Contact and Admin Contact entirely, and redacting
name, address, e-mail address, and telephone number for Registrant.
>From work today on other matters, by way of comparison, I know that

German registrar Joker.com does exactly the same redaction as a matter
of policy, claiming (https://joker.com/index.joker#gdpr) they are merely
implementing the ICANN Interim Proposal
on GDPR compliance. Despite that claim, if you read ICANN's proposal,
section says 'Registrars must provide registrants the
opportunity to opt-in to publication of full contact details in the
public WHOIS', which capability Joker.com is _not_ offering to

As it happens, I use for my personal domains another large German
registrar (1API Gmbh) via Wellington, NZ reseller IWantMyName.com. The
latter firm found that 1API Gmbh forcibly toggled all customers to
private WHOIS on GDPR grounds, but was able to get 1API Gmbh to toggle
my two domains public again upon request -- as per ICANN's
recommendation. Obviously, registrars differ in their policies on this

I don't yet know the answer to my above question (does Devuan Project
desire private registration?). If the answer is 'no', then it may
suffice to inquire with Devuan Project's registrars about amending the
WHOIS. If that doesn't suffice, I can strongly recommend at least two
meritorious EU-related registrars: 1API Gmbh (which I elect to use via
excellent retail reseller IWantMyName.com), and Gandi.net of Paris,
France. Both continue to support public WHOIS for those who want it.

In the event of Devuan Project being undecided on the policy question
about private vs. public: I strongly recommend public WHOIS with
genuine names, addresses, e-mail addresses, and telephone numbers
(absent a compelling reason to do otherwise), in order that 'Dude,
there's a problem with your domain' mails or telephone calls can reach
domain stakeholders.

I recommend at least some diversity among the public contacts
(Registrant, Tech Contact, Admin Contact) as to individuals' names and
the hosting and routing of e-mail, to avert SPoF problems, to ensure
that you can get 'Dude, your server is down' mails if your server
is down. and to ensure you can get 'Dude, your domain is broken' mails
reach you if your domain is broken.

Cheers,        There's no theorem like Bayes's Theorem, like no theorem we know.
Rick Moen      Everything about it is appealing, everything about it is a wow.
rick@linux     Let out all that a-priori feeling, you've been concealing,
mafia.com      right up to now.   -- G.E.P. Box (w/apologies to Irving Berlin)