Re: [DNSOP] Proposal: Whois over DNS

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 09 July 2019 21:21 UTC

References: <1CA7BF1B-DF50-443B-9219-55259835FE23@bambenekconsulting.com> <233E0AD8-97FE-466C-9B6C-D7A376031C3B@rfc1035.com> <93244821-6C22-457F-BA06-CF43CA9FD12B@bambenekconsulting.com> <EDE98437-E0B8-4B2E-8AA5-2F6B0079CE8B@hopcount.ca> <0ece2408-a1ec-fa5f-f8d1-ff65572de1ed@bambenekconsulting.com> <866041097.2378.1562689637240@appsuite-gw1.open-xchange.com> <23e86618-610f-8b49-a3bc-4417ebc28efd@bambenekconsulting.com> <F15A6ACF-E246-4D39-8AA3-FC2A49620A7B@rfc1035.com> <6ADDC7FB-3992-4EDC-9A5D-628E0AAA7CB7@bambenekconsulting.com>
In-Reply-To: <6ADDC7FB-3992-4EDC-9A5D-628E0AAA7CB7@bambenekconsulting.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 09 Jul 2019 14:21:42 -0700
Message-ID: <CAH1iCipN4k+w2N4FO8On5800M43wCQpD8DtC-tezxT45c=ezKg@mail.gmail.com>
To: John Bambenek <jcb=40bambenekconsulting.com@dmarc.ietf.org>
Cc: Jim Reid <jim@rfc1035.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bfVHBysxs7DYw1EkXrP0X_jPJ8c>

On Tue, Jul 9, 2019 at 2:01 PM John Bambenek <jcb=40bambenekconsulting.com@dmarc.ietf.org> wrote:

> Below
>
> —
> John Bambenek
>
> On July 1st, 2019, my DGA feeds are converting to a CC-BY-NC-SA 4.0
> license which means commercial use will require a license. Contact
> sales@bambenekconsulting.com for details
>
> On Jul 9, 2019, at 15:51, Jim Reid <jim@rfc1035.com> wrote:
>
> >> On 9 Jul 2019, at 17:43, John Bambenek <jcb=40bambenekconsulting.com@dmarc.ietf.org> wrote:
> >>
> >> I guess I'm not understanding the risks of people accidentally
> disclosing what they don't intend to.
> >
> > I suggest you learn more about GDPR. The penalties for non-compliance
> can hurt - up to 4% of global turnover.
> >
>
> No DPA is going to fine me for publishing my email on my DNS zone. Note the
> use of only first-person pronouns. No one is talking about anything a third
> party will do.



> Only what domain registrants may do if they so choose.
>

That is technically true, only in the cases where the registrant operates
their authoritative DNS server.

What is problematic is if a registrant's data is published where the
registrant uses a third-party DNS hosting provider, and the registrant
makes a claim about that not being intentional. The starting point is a "he
said, she said" scenario where GDPR essentially reverses the presumption of
innocence on the data providers' part.

Protecting themselves against this kind of claim would require a
significant effort by DNS hosting providers, precisely because there would
be a liability issue.
The bar would probably be quite high, for proving that the publication was
done by the registrant, including some manner of proof regarding identity.
That is a hard problem.
For little to no perceived benefit, with a lot of development and support
(i.e. expense), I don't see this as likely to be taken up by DNS hosting
providers.

And without uptake by DNS hosting providers, there will not likely be any
significant uptake at all, IMHO. High relative risk, no reward.



>
> There is nothing in this I-D to require publishing anything. There is
> nothing in this I-D to require if someone publishes that its PII (can use
> role based accounts).
>

This line of argument resembles that of the NRA regarding gun use, in
promoting the interests of weapons manufacturers.
No offense intended, but maybe highlighting the real-world benefits rather
than minimizing the risks would be a better approach.
I don't yet see any benefit for using DNS as the publication point,
particularly all the way down in the registrant's zones.

Brian


>
> Please read the I-D being proposed.
>
> The concern is that a standard structure of a DNS TXT record for WHOIS may
> inspire someone to “accidentally” publish their email in DNS, something
> they can coincidentally do today because absolutely no new functionality is
> required to make this I-D happen.
>
> The only thing being proposed here is a standard format by which to put
> contact info (even role-based contact info) into a DNS TXT record in a
> standard format.
>
> > Some CIOs are learning this the hard way. British Airways got fined
> $200M+ yesterday and Marriott’s been hit by a $100M+ fine today, both for
> data breaches which involved due diligence failures covered by GDPR.
>
> These are third parties managing someone else’s data.
> >
> > Anyone proposing policies or protocols that involve Personal Data really
> need to take account of the GDPR implications of their proposals and the
> likely impact on those who will be affected.
> >
> > Hey, what’s this got to do with dnsop? :-)
> >
>
> Because the I-D at hand is about DNS TXT records.
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
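As an added illustration of the provider-side check Brian's message implies (this is not code from the I-D, from the working group or from any DNS hosting provider), the script below scans a zone-file fragment for TXT records that carry email-shaped data. It uses only the Python standard library, concatenates multi-string TXT RDATA the way SPF/DKIM-style consumers do, and decodes the zone-file \" and \DDD escapes, so an address split across strings or hidden behind an escaped '@' is still reported. The zone, its names and its addresses are constructed for the example; the $ORIGIN and unquoted-token handling covers only what that sample needs.

```python
"""Audit zone-file TXT records for published email addresses.

Added example for this thread: not code from the I-D, the working group or
any DNS hosting provider. The zone fragment below is constructed; every name
and address in it is made up.
"""
import re

# One zone-file <character-string>: double-quoted, backslash escapes allowed
# (RFC 1035 section 5.1). TXT RDATA may consist of several of them.
TXT_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# What follows the owner name on a TXT line: [ttl] [IN] TXT rdata
TXT_RR_RE = re.compile(r"^\s*(?:\d+\s+)?(?:IN\s+)?TXT\s+(?P<rdata>.*)$", re.IGNORECASE)

# Deliberately loose: the point is to catch anything that looks like a mailbox.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample zone: a clean SPF record, a personal mailbox, an address
# split across strings, and one whose '@' is hidden behind a \DDD escape.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@        IN SOA ns1 hostmaster 2019070901 7200 3600 1209600 300
@        IN NS  ns1
@        IN TXT "v=spf1 mx -all"                 ; no contact data here
@        IN TXT "contact: jane.doe@example.test" ; personal mailbox in TXT
_contact IN TXT "role=abuse" "mailto:abuse@" "example.test"
www      IN A   192.0.2.10
www      IN TXT "has an escaped quote \\" and joe\\064ex.test"
"""


def strip_comment(line):
    """Cut the line at the first ';' that lies outside a quoted string."""
    in_quote = escaped = False
    for i, ch in enumerate(line):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line


def unescape_txt(raw):
    """Decode the zone-file escapes \\X (literal X) and \\DDD (decimal octet)."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            ddd = raw[i + 1 : i + 4]
            if len(ddd) == 3 and ddd.isdigit():
                out.append(chr(int(ddd) & 0xFF))
                i += 4
            else:
                out.append(raw[i + 1])
                i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def qualify(owner, origin):
    """Turn a relative owner name into a fully qualified one."""
    if owner == "@":
        return origin
    if owner.endswith(".") or not origin:
        return owner
    return f"{owner}.{origin}"


def parse_txt_records(zone_text):
    """Return [(owner, text)] for every TXT record; multi-string RDATA is
    concatenated with no separator, which is how SPF/DKIM readers treat it."""
    records, origin, owner = [], "", ""
    for raw in zone_text.splitlines():
        line = strip_comment(raw).rstrip()
        if not line.strip():
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):          # $TTL, $INCLUDE, ...: not records
            continue
        if not line[0].isspace():         # new owner; blank-led lines reuse the last one
            name = line.split()[0]
            owner = qualify(name, origin)
            line = line[len(name):]
        m = TXT_RR_RE.match(line)
        if not m:
            continue                      # some other RR type
        strings = TXT_STRING_RE.findall(m.group("rdata"))
        if not strings:                   # unquoted single-token form: TXT foo
            strings = [m.group("rdata").strip()]
        records.append((owner, "".join(unescape_txt(s) for s in strings)))
    return records


def find_email_disclosures(zone_text):
    """Return [(owner, email)] for every email-shaped token in any TXT record."""
    return [
        (owner, email)
        for owner, text in parse_txt_records(zone_text)
        for email in EMAIL_RE.findall(text)
    ]


if __name__ == "__main__":
    for owner, email in find_email_disclosures(SAMPLE_ZONE):
        print(f"{owner}\t{email}")
```

Run as-is it lists owner/address pairs for the sample zone; feeding parse_txt_records real zone data (the output of a zone transfer, for instance) turns it into an audit of hosted zones. It only shows what is currently published, not who published it, which is the harder problem Brian raises.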