From: David Conran
Sent: Friday, 8 June 2001 4:52 PM
To: jo.lim@auda.org.au
Subject: Submission for auDA public consultation report

auDA,

While working for AusCERT (Australian Computer Emergency Response Team), my experiences with tracking down and informing sites about security incidents that affect their site have given me cause to ensure that all reasonable steps are taken to store useful, current and correct information in the WHOIS information for all domains, be they .id.au or .gov.au. Often, it is only the WHOIS information which is available to a 3rd party when trying to report a security incident to the relevant people within a domain.

I believe you need to include a contact entry primarily for security incidents in the WHOIS data as described in ATTACHMENT B 5.3. This is to help expedite and direct security-related incident reports to go to the correct individuals within the domain or who are responsible for it. There seem to be too many wildly ad-hoc methods for currently achieving this and given the rarity and opt-in nature of the current practice, I believe it needs to be mandated such as described.

The email address provided should be checked and verified that it does exist and does work before accepting the creation of a new domain. This and other contact details (principally the email addresses) should be regularly verified to keep them current.

Additionally and possibly separate to the above, other contact addresses should also be checked before accepting the domain, (if the domain is to accept email) that email to the RFC 2142 mandated/recommended addresses such as postmaster@ and abuse@ work correctly. The SOA address record should also be checked to see if the email address decodes properly and also works before acceptance of a domain.

Domain holders should be made aware during the process of submitting the domain for creation that they will at times receive notices of a security nature to any/all of those addresses and that they may need to be passed on to the relevant people in a timely manner.

Additionally, and again potentially separate to the above, prior to approval for creation of a new domain, anti-spamming measures of the domain could be checked.

All of this is in line with RFC-3013/BCP-46 which is the Best Current Practice for some of these matters.

David
--
  _--_|\    David Conran,
 /      *   XYZZY Technologies,
 \_.--._/
       v    "Reach out and grep someone"
Member, The System Administrators Guild of Australia - http://sage-au.org.au
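
The SOA and RFC 2142 checks described in the submission above can be sketched as follows. This is an added example, not part of the original email: the function names are hypothetical, the sample values in the tests are constructed, and it covers only decoding the SOA mailbox field and listing the addresses to probe, not the delivery test itself.

```python
import re

# The two RFC 2142 mailboxes the submission names.
RFC2142_MAILBOXES = ("postmaster", "abuse")

def decode_soa_rname(rname: str) -> str:
    """Turn an SOA RNAME in RFC 1035 presentation form into an email address.

    The first unescaped dot separates the local part from the domain;
    "\\." is a literal dot and "\\DDD" a decimal octet inside a label.
    """
    labels, cur, i = [], [], 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\":
            ddd = rname[i + 1:i + 4]
            if re.fullmatch(r"[0-9]{3}", ddd):
                if int(ddd) > 255:
                    raise ValueError(f"escape out of range: \\{ddd}")
                cur.append(chr(int(ddd)))
                i += 4
            elif i + 1 < len(rname):
                cur.append(rname[i + 1])
                i += 2
            else:
                raise ValueError("dangling backslash")
        elif ch == ".":
            labels.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if cur:
        labels.append("".join(cur))
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a usable mailbox name: {rname!r}")
    if any("@" in label for label in labels):
        raise ValueError(f"'@' in RNAME, likely a zone-file mistake: {rname!r}")
    return f"{labels[0]}@{'.'.join(labels[1:])}"

def addresses_to_verify(domain: str, rname: str) -> list[str]:
    """Contact addresses a registrar would probe before accepting the domain."""
    out = [f"{box}@{domain}" for box in RFC2142_MAILBOXES]
    out.append(decode_soa_rname(rname))
    return out
```

An RNAME that fails to decode here is the case the submission calls an address that does not decode properly; a decoded address still needs a delivery check before it counts as working.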