Project to Maintain All Domain Objects in the RIPE Database

Archived: This content has been archived and is no longer actively maintained.
  1. Introduction
  2. Securing the RIPE Database Data
  3. Maintaining the Domain Objects
  4. FAQs

Introduction

The RIPE Data Protection Task Force advised the RIPE NCC that all objects in the RIPE Database should be maintained. Maintaining Routing Policy Specification Language (RPSL) objects in the RIPE Database was optional for person, role and domain objects.

This was discussed at RIPE 54 and discussion continued on the Database Working Group (DB WG) mailing list. Consensus was reached in July 2007. This was confirmed in the DB WG at RIPE 55. A progress report was given to the DB WG at RIPE 56. The RIPE NCC has now implemented this for domain objects.

The RIPE NCC handled this as two separate issues:

  • maintaining person and role objects
  • maintaining domain objects

 

There were different technical and procedural reasons for distinguishing between the two groups of objects. This document describes the issues with maintaining domain objects.

Securing the RIPE Database Data

Approximately 47,000 reverse and 1,100 forward domain objects were unmaintained. If someone modified this data without the proper authority, it could disrupt the DNS reverse mapping. This was not a failure of the RIPE Database itself. The users who entered this data chose not to use the protection methods available within the RIPE Database. Protection has now been enforced on all users' data.

The RIPE NCC did not publicly announce that it was going to add maintainers to unmaintained domain objects before doing so. Any advance warning would have created an opportunity to exploit this data. Unauthorised third parties could have acquired sole control over unmaintained domain objects by altering or deleting them, by inserting themselves as maintainers, or both. There were cases of individual objects being hijacked in the past. This could have led to deletion or alteration of DNS reverse mapping data, eventually resulting in denial of service or security breaches.

To mitigate this problem, the RIPE NCC discussed the situation with the Co-Chairs of the RIPE DNS Working Group. A consensus was reached that the RIPE NCC should apply the "most appropriate" mntner object(s) to each domain object. For objects where an appropriate mntner object could not be found, the domain objects were locked.

All the domain objects in the RIPE Database are now maintained and protected.

Maintaining the Domain Objects

There were issues concerning reverse and forward domain objects. Changes to the reverse domain objects could directly affect the contents of the DNS zone. Changes to forward domain objects in the RIPE Database would only affect the documentation and were unlikely to propagate into the DNS system itself.

Maintaining reverse domain objects

To create a reverse domain object, authorisation from the address space maintainer is needed. This was different in the past. The authorisation model has been tightened and improved over the years. Some of the domain objects that were unmaintained were created many years ago. Some of these did not need authorisation from the address space maintainer.

The consensus view was that the best way to maintain these objects now is to use the maintainer from the address space inet(6)num object. This is the authorisation that would be needed if the domain objects were created today.

However, this may not be the correct maintainer in all cases. There may be exceptions with some legacy space but this is the most appropriate maintainer for the majority of unmaintained domain objects. The end result is that all domain objects are now maintained. This restricts access to and control of these objects to people directly connected to these objects. This is a safer situation than was previously the case with unmaintained domain objects. The RIPE Database now prevents the DNS zone contents being changed by malicious (or accidental) changes to previously unmaintained domain objects. The RIPE NCC can resolve any RIPE Database issues that may arise if the wrong maintainer was chosen.

The RIPE NCC will notify all the maintainers of the address space whose mntner objects have been added to a domain object so that they can take this into consideration when applying any bulk changes to all their data in the RIPE Database.

All maintainers from these attributes of the inet(6)num object were selected:

  • "mnt-domains:"
  • "mnt-lower:"
  • "mnt-by:"

However, maintainers from the RIPE NCC were excluded from this process (for example RIPE-NCC-HM-PI-MNT). If the only maintainers found in this way for a specific domain object were RIPE NCC maintainers, that object was locked with the maintainer RIPE_NCC_LOCKED_MNT.
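The selection rule described above can be expressed as a short audit script. This is an added example, not the RIPE NCC's own tooling: the function names, the sample objects (including EXAMPLE-MNT and EXAMPLE-DNS-MNT) and the "RIPE-NCC-" prefix test for recognising RIPE NCC maintainers are assumptions made for illustration.

```python
LOCK_MNTNER = "RIPE_NCC_LOCKED_MNT"                     # named on the page
SOURCE_ATTRS = ("mnt-domains", "mnt-lower", "mnt-by")   # listed on the page
NCC_PREFIX = "RIPE-NCC-"   # assumption: how RIPE NCC mntners are recognised

def parse_rpsl(text):
    """Parse one RPSL object into an ordered list of (attribute, value)."""
    attrs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):    # blank or server comment
            continue
        if line[0] in " \t+" and attrs:                 # continuation line
            name, value = attrs[-1]
            attrs[-1] = (name, (value + " " + line[1:].strip()).strip())
            continue
        name, _, value = line.partition(":")
        attrs.append((name.strip().lower(), value.split("#", 1)[0].strip()))
    return attrs

def mntners(attrs, names):
    """Collect unique mntner names; a value may hold a comma-separated list."""
    found = []
    for name, value in attrs:
        if name in names:
            for m in value.split(","):
                m = m.strip().upper()                   # names are case-insensitive
                if m and m not in found:
                    found.append(m)
    return found

def select_maintainers(domain_text, inetnum_text):
    """Return (mntners, changed) for a domain object and its inet(6)num."""
    existing = mntners(parse_rpsl(domain_text), ("mnt-by",))
    if existing:                                        # already maintained
        return existing, False
    candidates = mntners(parse_rpsl(inetnum_text), SOURCE_ATTRS)
    usable = [m for m in candidates if not m.startswith(NCC_PREFIX)]
    return (usable or [LOCK_MNTNER]), True              # lock if nothing usable

# Constructed sample objects (documentation address ranges, made-up mntners).
UNMAINTAINED_DOMAIN = "domain: 2.0.192.in-addr.arpa\nnserver: ns.example.net\n"
MAINTAINED_DOMAIN = UNMAINTAINED_DOMAIN + "mnt-by: owner-mnt\n"
INETNUM_HOLDER = """\
inetnum:     192.0.2.0 - 192.0.2.255
mnt-by:      RIPE-NCC-HM-PI-MNT
mnt-by:      EXAMPLE-MNT
mnt-domains: EXAMPLE-DNS-MNT   # constructed
"""
INETNUM_NCC_ONLY = "inetnum: 198.51.100.0 - 198.51.100.255\nmnt-by: RIPE-NCC-HM-PI-MNT\n"

if __name__ == "__main__":
    print(select_maintainers(UNMAINTAINED_DOMAIN, INETNUM_HOLDER))
```

Running the same check over a current database export is a quick way to confirm that no domain object lacks a "mnt-by:" attribute and to list objects still held by the lock maintainer.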

This approach was taken because the RIPE NCC has no direct relationship with whoever maintains these domain objects. A maintainer could not be auto-generated because the RIPE NCC would not know how to authenticate a claim to provide the password. As authorisation is required from the address space maintainer to create a reverse domain object, the consensus view was that the address space holder is better placed than the RIPE NCC to know who is responsible for the reverse domain objects.

Maintaining forward domain objects

There were a small number of forward domain objects where the Top-Level Domain (TLD) object was not maintained. For these, the RIPE NCC generated a maintainer and sent the password to the contacts for the TLD registry shown in the IANA country code domain registry list.

All the forward domain objects were grouped by the TLD. The maintainer(s) from the TLD object were applied to all the unmaintained forward domain objects for that TLD. Where no TLD object was found in the RIPE Database, any unmaintained domain objects for that TLD were locked with the maintainer RIPE_NCC_LOCKED_MNT.

FAQs

Why did I receive an email about maintaining domain objects?
You are listed as a contact for a domain object in the RIPE Database that was not maintained. If you believe you are not responsible for maintaining this domain object, please contact ripe-dbm _at_ ripe _dot_ net and reference this document.

Why did I receive an email about someone using my maintainer?
You are listed as a contact for an address space mntner object in the RIPE Database that has been added to a previously unmaintained reverse domain object related to your address space. If you believe you are not responsible for maintaining this domain object, please contact ripe-dbm _at_ ripe _dot_ net and reference this document.

Why were these domain objects changed without advance warning?
If a public statement had been made before all the domain objects were maintained, it would have been possible to exploit this data (see above). We did not want to make announcements to the wrong people before they were all maintained.

My reverse domain object is now maintained by someone else. Who is it?
It was agreed to apply the same rules that would be effective if the object were created today. Creation of a domain object now requires authentication from the address space holder. So the maintainers from the related address space inet(6)num object were applied to the domain object.

How do I change my reverse domain object?
If you are the address space holder, you need to use the same authorisation that you use for changes to your inet(6)num object. If you are not the address space holder, you need to contact the maintainer of the address space. Point them to this document to explain what has happened and why. Discuss with them who should maintain the domain object. If it is agreed that it should be you, ask them to replace the maintainer on the domain object with your maintainer.

I don't have any business relationship with the new maintainer. What should I do?
Contact ripe-dbm _at_ ripe _dot_ net and reference this document. Explain your situation and we will work with you to resolve any difficulties.

I manage a forward domain object and now it is maintained by someone else. Who is it?
All forward domain objects that were not maintained are now maintained. If there is a TLD domain object in the RIPE Database, the maintainer taken from this object has been applied to all the other domain objects for this domain. The RIPE Database is not intended to be a forward domain repository. A concession was agreed many years ago that some small country code Top-Level Domain (ccTLD) registries could use the RIPE Database for their DNS provisioning. All forward domain objects for these TLDs should be under the control of the TLD registry, not the domain holder. If you have any questions about this, please contact the TLD registry directly.

A "remarks:" attribute says that my reverse domain object is locked. What does this mean?
Your domain object was not maintained. No suitable maintainer was found from the related address space to apply to this object. As all domain objects have to be maintained, the RIPE NCC had to lock the object. Please contact ripe-dbm _at_ ripe _dot_ net and reference this document. Explain your situation and we will work with you to resolve any difficulties.

A "remarks:" attribute says that my forward domain object is locked. What does this mean?
Your forward domain object was not maintained. There is no TLD object in the RIPE Database for this domain. The RIPE Database is not intended to be a forward domain repository. It is unclear why this forward domain object is in the RIPE Database. Please contact and reference this document. Explain your situation and we will work with you to resolve any difficulties.

How do I unlock my reverse domain object?
Please contact ripe-dbm _at_ ripe _dot_ net and reference this document. Explain your situation and we will work with you to resolve any difficulties.

How do I unlock my forward domain object?
Please contact ripe-dbm _at_ ripe _dot_ net and reference this document. Explain your situation and we will work with you to resolve any difficulties.

I am a TLD registry and can't create any forward domain objects. What changed?
Your TLD domain object in the RIPE Database was not maintained. A new maintainer has been generated and the password sent to the contacts taken from the IANA list. If you have not received them, please contact ripe-dbm _at_ ripe _dot_ net and reference this document. Explain your situation and we will work with you to resolve any difficulties.