:: Re: [devuan-dev] Private WHOIS for …
Inizio della pagina
Delete this message
Reply to this message
Autore: Rick Moen
Data:  
To: devuan-dev
Oggetto: Re: [devuan-dev] Private WHOIS for Devuan Project domains
Quoting Martin Steigerwald (martin@???):

> Hi Rick.


Friendly greetings, Martin.

I'd attempted to carefully avoid this discussion getting sidetracked
onto 'private WHOIS: good of bad?', as that was NOT the subject.
For that reason, to try to avoid that digression, I specifically said:
'Some people prefer using for their domains 'privacy proxy' or other
obscured WHOIS, for what I assume are good and compelling reasons.'
I had _hoped_ this and similar wording in my two posts would deter
someone wanting to post arguments for private WHOIS, but you've now
ventured into that digression nonetheless. Please indulge my _first_
changing the subject back, before addressing your digression.


My query was:

Is Devuan Project using private WHOIS deliberately, or at the
registrars' initiative? And what is the project's preferences
on that?

Having not heard a response from Devuan Project principal volunteers
(understandable given need to deal with the conference and related
matters), I waited and brought it up at today's weekly Jitsi
videoconference. Results:

1. Devuan Project, being a public institution, had deliberately published
real contact information in its domain's public WHOIS as a matter of policy.
2. The project's two registrars toggled WHOIS to private and greatly
redacted without notice or consultation.
3. The project was unaware of this change until I pointed it out.
4. The project will now investigate toggling WHOIS back to public.


IMO, this is a considerably more important matter than debating the
merits of public vs. private WHOIS. So, I'm glad to have helped and
glad that the project will be taking steps to re-implement its
preferences -- which was my goal irrespective of those preference.


Since that is now done (or at least handed off to Devuan Project
volunteers posssessing domain administration access), and you would like
to discuss private vs. public WHOIS, I _now_ have no objection.

> For what is worth my domain provider for sure has a mail address not
> using any of the domains. It does not use my own mail server what so
> ever, but a 3rd party provider. So I am pretty confident I'd receive
> such important communication.


Your domain (lichtvoll.de - ein schöner name) is registered at registrar
DENIC. DENIC is an example of a registrar having only a stub server
running on the standard 63/tcp / 63/udp WHOIS port, instead requiring
use a Web interface to WHOIS:

$ whois -h whois.denic.de lichtvoll.de
[...]
% The DENIC whois service on port 43 doesn't disclose any information
% concerning
% the domain holder, general request and abuse contact.
% This information can be obtained through use of our web-based whois service
% available at the DENIC website:
% http://www.denic.de/en/domains/whois-service/web-whois.html

The AJAX-oriented facility at that site returns for your domain, in part:

Information for establishing contact

General Request

You can use this contact point [RM: link to mailto:info@1nic.eu] to
submit general and technical requests concerning the domain.

Abuse Contact

You can use this contact point [RM: link to mailto:info@1nic.eu] to
submit enquiries and information about possible unlawful or improper
use of the domain.

So, this is not _your_ e-mail address, but rather a role mailbox at your
registrar that may, or may not, be usable for members of the public to
reach _you_ (the registrant = domain owner) for legitimate purposes.

As a reminder, the standard model for domain WHOIS involves four
domain-administration roles, three of which are public points of
contact. The three public contacts, for which names, mailing addreses,
telephone numbers, and e-mail mailboxes are given, are:

Registrant (domain owner)
Technical Contact
Administrative Contact

The fourth, normally not included in the published public WHOIS, is
Billing Contact.

So, with my domains, in the event domain stakeholders must be reached, I
can make sure _three_ people and their means of contact are listed, so
as to carefully avoid single point of failure on possibly crucial
communication -- not just from the public but also from the registrar
(e.g., renewals). Your registrar DENIC, in contrast, currently displays
no Registrant Name, no Technical Contact name, no Adminstrative Contact
name, and no addresses, telephone numbers, or e-mail addresses for any
of those stakeholders. Instead, it publishes a generic e-mailbox for
itself, and implies that it may or may not pass along public contact
efforts to one or more of the domain stakeholders. So, that creates a
giant and intentional single point of failure, as one thing that should
be noted.

The other obvious question is: If someone had a legitimate need to
contact the domain stakeholders, would this extremely indirect mechanism
work? That is, have you done some realistic tests?

If you're like other people who've claimed private WHOIS is exactly what
they need but that they could be reached if necessary, you've never
checked.

I've checked for some friends relying on private WHOIS, e.g., those
promoted as 'privacy proxy' services. In every case I'd tested, the
domain principals never received simulated urgent, legitimateattempts to
contact them. But perhaps your mileage will differ.[tm]


> However… I really do not see any need to share that mail address
> publicly.


Yes, you don't. I agree. ;->

And, if I added lichtvoll.de to my /usr/local/share/domains roster of
friends' domains checked every Sunday for pending expiration, I would
be unable to look up in the public WHOIS how to contact you and say
'Martin, I notice that lichvoll.de is now only five days away from
expiration, and just wanted to make sure you're aware of the need, so
you don't accidently lose the domain.' Of course, I could try to relay
that reminder via info@???, but would give about 100:1 betting odds
against that mail reaching you or any of your domain contacts.


> Also helps with probably spam mail for a mail account that I did not
> set up spam filtering myself.


Yes, some people still in 2019 think the tactic of hiding from spammers
works, and that it it's possible for an address to remain 'completely
unknown on the Internet' for significant periods of time in a world full
of MS-Windows users infecting themselves with malware. I don't argue
with them, as it's a futile discussion.


> But in an age where big companies like Google, Facebook, Microsoft,
> Apple and so on collect any data they can, I find it refreshing to be
> able to hide data like this.


I'll repeat what I said, since somehow you missed it the first time:

Some people prefer using for their domains 'privacy proxy' or other
obscured WHOIS, for what I assume are good and compelling reasons.
I'm not arguing, only citing drawbacks -- including the public's
inability to look them up and warn them their domains need renewal.

This time, would you do me the favour of not ignoring what I said?
Thank you.


> Of course, devuan is not just a little privately used domain. However, I
> really do not see any priority in changing any of this and clearly see
> the value of the protection.


I believe you, when you say you don't see the priority of re-implementing
Devuan Project's preference of public whois. That is obviously so.

However, as should have been obvious the first time, I was addressing my
query to Devuan Project's leadership. As it turns out, they _do_ see
the priority in re-implementing their deliberate choice that their
registrars have overridden without consultation or notice.


> For me no need to discuss any of this. Just wanted to express that there
> are different opinions on this matter.


Please explain this to me: How on _earth_ did you conclude that this point
required clarification, when I explicitly said exactly that?