New Nominet drop catching flaw revealed?

[Ben Thomas]

I agree wholeheartedly with you. I don't think a lottery system is a way forward.

 

[Murray]

I agree wholeheartedly with you. I don't think a lottery system is a way forward.

"Too long the U.K. namespace has been restricted to the coding competent, or those with money to invest in"

If no coding and no money (so not auction) what is left but a lottery?

 

[Siusaidh]

This is the UK's namespace. Something we should be proud of, for its values, its efficiency, its security. I don't have a problem with talent, skills, and hard work being rewarded - in fact I admire it.

I don't think the onus is on domain catchers to be little Lord Fontleroys, because I don't think you can expect that human nature will operate that way. We can't expect everyone to be selfless and noble and report gaps and flaws to Nominet at the earliest opportunity. Not everyone will. That's just reality.

Rather:

The *onus* is on Nominet to run a system that runs equally and fairly for all, and as a firm invested in cyber security, the onus is on them to ensure their systems are resilient, and that flaws cannot be gamed.

It seems frankly incredible that these flaws (if reports are correct, which it looks like they are) have been allowed to run unresolved over long periods of time. In the NHS, if I confront a problem outside my skillset, I don't just leave the patient to die: I call in a specialist to deal with the situation.

It is disappointing that flaws occur in a system that is part of our vital national infrastructure. That system resilience and security is Nominet's first absolute imperative, or else the government needs to call in their mandate to operate. However, random errors occur in all areas of life.

The real concern that disturbs me is if these flaws were flagged up, and month or months later the flaws have not been shut down. That would be astonishing neglect. It also means people gaming the system are harming and damaging many other Nominet members.

As a cyber security company - which is how Nominet claims to be diversifying - it is almost hard to believe that they have not been able to deal with flaws that have been flagged up. After all, what possible motive could they have for letting their own systems fall prey to chaotic circumvention? I'll leave that question for others to reflect on - because on the surface it doesn't make sense.

 

[super-whois]

What @Siusaidh said is spot on. I would expect a "world leading registry" to be proactive on security and prevention of gaming the system. What we see is certainly neglect.

 

[Siusaidh]

It certainly looks that way. I simply can't believe there aren't people in this country with the skills to address the called out flaw within 24-48 hours.

Now whether there is an answer for all this, I don't know, but it's been raised on the Nominet forum (on Thursday morning), asking Nominet to explain, and so far no reply.

 

[Ben Thomas]

Exactly. It is hard to believe. It’s almost as if they *wanted* it to be that way. If the moneys green, right?

 

[Siusaidh]

Well if that was the case Ben, then the Government would be right to remove the mandate to operate the namespace, and I would be the first to call for that. But I don't want to believe that, and I think a clear explanation is needed. People are owed that, and it's not some optional extra, because harm has been done. For vital UK infrastructure, accountability must always be required. Who are Nominet accountable to? GoDaddy? Namesco? No, of course not. They are accountable to their members collectively, and equally, and beyond that they are accountable to the nation and its representatives. This is not ice-pops or baked beans we are talking about. It's the UK's namespace, which almost the whole nation relies on - in education, in healthcare, in business, in communities, in recreation, in families. It has to be run on secure, resilient, and orderly systems, transparent, honest, fair. Or else someone else has to run it instead. Unless the UK namespace just becomes a jungle where anything goes, and big tech companies cash in, and accountability is by choice and not by compulsion, answers to concerns like these have to be provided.

So keep asking. Who pointed out the flaw? When? Were they correct? How long did it take for Nominet to respond? How long did it take for Nominet to act? How long had the flaw been existing before it was called out to Nominet? What technical problems prevented the flaw being dealt with sooner? Could those solutions have been outsourced? Are there protocols set in place when events like this happen? Will someone provide the answers?

I don't presuppose anything about this specific issue, but there are issues of culture and mindset that have been raised again and again, not only in the UK but elsewhere in the DNS-related industries, about openness and accountability, not least to the people for whom the namespace exists.

This is the start of a debate, and not the end of it. I personally think Nominet needs reform, and greater accountability and oversight.

 

[Siusaidh]

Also.

Can everyone feel assured that all flaws will have been corrected by the time over a million .uk domains drop in the first two weeks in September?

(Of course, that won't prevent the issue of multiple tags being used to game the system, as was strongly suspected in the Namesco mass-drops in January.)

 

[dropped.uk]

Is it not apparent that Nominet don't want to fix these issues, because the more issues there are with the DAC, the more complaints are made by Members, and the more reason to abolish it and introduce their auction route?

How do these flaws get into production? I find it hard to believe that they were accidentally introduced. What's their QA/test process that should have picked them up? Nominet consistently talk about technical load on their systems, but they're actively giving everyone extra allowance to cause more load, and doing nothing about it.

First off we had additional allowance by simply disconnecting and reconnecting to a rogue server in the pool. That was patched, then suddenly they've moved it to adding a new IP. It's like they want a flaw to exist so that there's something wrong with DAC, and an excuse to start releasing domains by other means.

 

[Jay Daley]

We seem to have Arthur Daley running it at the moment...

My nickname at school was indeed ‘Arthur’!

 

[pcourtney1]

it does seem that DAC is not fit for purpose anymore, surely it makes sense on all levels for nominet to move on, and improve the current system of domains expiring before it is too late, and the circus/fiasco that continues to plague the small drop catching companies ( mainly self employed) who are getting squeezed evey day by nominet's "head in sand" mentality

even when Denys presents them with the back story in black and white they run for cover !

 

[Siusaidh]

It's not a good look, when a company that claims to be breaking into the US cyber-security market cannot even protect the resilience and defences of its own systems.

You need to ask what's behind all that.

Is it just "laissez-faire attitude" and just couldn't care enough?

Is it deliberate as a pretext for radical change - 'the worse it gets, the greater the justification'?

Is it technical - an aging system requiring a rebuild or replacement? 'This takes time.'

Some flaws seem to have gone on for months. If the system has been circumvented, to the disadvantage of paying members, shouldn't that be first degree priority?

Is it lack of ability to handle the problem, in which case you need to outsource the task and find people who can sort it?

Has there been a pre-conceived agenda to abandon this whole status quo, so why bother mending something you're going to ditch?

Like I say, for all the shiny PR, and investment of registry money in Cyglass, this is not a good look. 'We can't even control out own set up, never mind anyone else's.'

 

[Siusaidh]

Also, bearing in mind the massive name drops of the next two weeks, are the doors still open, have the flaws been sorted?

Or are they now in the public domain for everyone to exploit?

 

[rob]

My nickname at school was indeed ‘Arthur’!

Had to check this thread was from 2020 not 2006!

 

[JMI]

Had to check this thread was from 2020 not 2006!

Agreed, lots of WP dev newbs who took up drop catching think they're discovering the best thing since sliced bread.

 

[webber]

it does seem that DAC is not fit for purpose anymore, surely it makes sense on all levels for nominet to move on, and improve the current system of domains expiring before it is too late, and the circus/fiasco that continues to plague the small drop catching companies ( mainly self employed) who are getting squeezed evey day by nominet's "head in sand" mentality

even when Denys presents them with the back story in black and white they run for cover !

Drop them all on Monday at 2pm, only once a week.
No need for DAC. Problem solved

 

[redbird]

My nickname at school was indeed ‘Arthur’!

I suspect only those of us of a certain age will know why

 

[pcourtney1]

Drop them all on Monday at 2pm, only once a week.
No need for DAC. Problem solved

I was thinking every day at 12 Midday, but Monday to Friday would also work, but yes - you and I are on the same page, get rid of DAC and then Nominet can move on ( in a transparent more honest fit for business way going forward to benefit all, not just the big guns)

It will never happen though, because there are some forces out there who do not want change !