discuss: Thread: who is responsible for the tldp.org domain name

the whois info still gives Guilhem Aznar as owner of the tldp.org
domain name

we have several sub-domain (for example Brazil - br.tldp.org) that
need update.

who have the login info to do so? I can do (ldp registrar, gandi, is
also mine, so I know the procedure).

on the mean time, who is paying the bill?

thanks
jdd
-- 
jdd for the Linux Documentation Project
http://wiki.tldp.org
http://www.dodin.net

Quoting Jean-Daniel Dodin ####@####.####

> the whois info still gives Guilhem Aznar as owner of the tldp.org
> domain name

Well, in a way, yes -- in a way, no:

  Registrant ID:0-559477-Gandi
  Registrant Name:TLDP - The Linux Documentation Project
  Registrant Organization:TLDP - The Linux Documentation Project
  Registrant Street1:c/o Metalab-iBiblio, The University of North Carolina, 213 M
  Registrant Street2:
  Registrant Street3:
  Registrant City:Chapel Hill
  Registrant State/Province:North Carolina
  Registrant Postal Code:27599-3456
  Registrant Country:US
  Registrant Phone:+1.9199625646
  Registrant Phone Ext.:
  Registrant FAX:
  Registrant FAX Ext.:
  Registrant ####@####.####

That is, in a formal sense, the domain owner is "TLDP, c/o Metalab".
If there were ever a dispute about ultimate control of the domain, the
registrar (Gandi) would look to the (alleged) organisation's
documentation to resolve it.  The PDF form to handle domain transfers
(in case nobody's either able to do so via the Web interface, or not
permitted to do so) is at
http://www.gandi.net/static/docs/en/change_owner.pdf , and includes:

   FORMER OWNER

   I, the undersigned, hereby transfer the ownership of the 
   aforementioned domains  to the  individual  (or organization) 
   indicated above.

   I enclose proof of ownership to this letter, that  matches 
   the owner name, exactly as it appears in the whois: 
   
   o  a copy of the domain owner's signed proof of identity 
      (passport, identity card, driver license, etc...). 

   o  if relevant, proof that the company on behalf of which 
      I act exists, and that I am authorized to act in this 
      capacity. This document must be a certified legal 
      document that contains both the name of the 
      organization and my name as a signing officer (C.E.O.,
      President, Executive Director, etc...). 

So, in such a situation, someone would need to sit down and create some
LDP letterhead paper with a University of North Carolina postal address,
type up and sign a letter purporting to speak as the president/whatever
of LDP, and go visit a notary public and get it attested to as having 
been signed by you, before sending it.  (Gandi.net really just want to 
be able to show "due diligence", if they are ever sued over a wrongful
ownership transfer or such.)

However, _normally_, domain control is available via the Web
interface to whomever the Registrant (domain owner) issues the "Access
Codes" (handles and passwords) corresponding to the Registrant,
Administrative Contact, Technical Contact, and Billing Contact roles.
Some of those contacts have more authority than others; Registrant has
the most.  See:  
https://www.gandi.net/static/contracts/en/g1/pdf/general_conditions_2.0.pdf

> we have several sub-domain (for example Brazil - br.tldp.org) that
> need update.

That has nothing to do with the domain ownership:  It's controlled in
the DNS.  The DNS is published by two nameservers at UNC.

> who have the login info to do so? I can do (ldp registrar, gandi, is
> also mine, so I know the procedure).

Good question.  That would be whoever was given the relevant Gandi.net
"Access Code" tokens.

> on the mean time, who is paying the bill?

I would speculate, Guylhem.

I note two things:  
1.  Current domain bill is paid through 2012.  (Good.  Someone's
thinking properly!)
2.  Gandi.net permit anyone to submit renewal money for a domain hosted
through them.  (https://www.gandi.net/domain/renew/contact/)  Not all
registrars have this advantage.  Gandi.net is one of the good ones.

-- 
Cheers,                "I'm sorry Dan, what's right isn't always popular, 
Rick Moen              and what's popular isn't always right."
####@####.####                     -- George R. Moscone, Nov. 27, 1978

I wrote:

> > we have several sub-domain (for example Brazil - br.tldp.org) that
> > need update.
> 
> That has nothing to do with the domain ownership:  It's controlled in
> the DNS.  The DNS is published by two nameservers at UNC.

In theory, you are _supposed_ to be able to find out who's administering
a domain's DNS zonefile via its public SOA (Start of Authority) record
-- but this works only if the DNS administrator actually bothers to be
correct and informative in that record.  So, for example, the top of the
zonefile for domain linuxmafia.com is like this:


$TTL 86400
$ORIGIN linuxmafia.COM.  
@       IN      SOA     ns1.linuxmafia.COM.  rick.deirdre.NET. (
                        2007102400              ; serial
                        7200                    ; refresh 2 hours
                        3600                    ; retry 1 hour
                        2419200                 ; expire 28 days
                        10800                   ; negative TTL 3 hours
                        )               
;
                IN      NS      ns1.linuxmafia.com.
                IN      NS      ns2.linuxmafia.com.
                IN      NS      ns1.thecoop.net.
                IN      NS      ns.primate.net.
                IN      NS      ns.tx.primate.net.
                IN      A       198.144.195.186
                IN      MX      10      linuxmafia.COM.
                IN      HINFO   P3/500          Linux-v.2.4.24
                IN      TXT     "v=spf1 a mx -all"
                        LOC     37 25 53.825 N 122 11 52.128 W 15m

By convention, the SOA line states first the fully-qualified domain name
of the master nameserver (here, "ns1.linuxmafia.com"), followed by a
valid  e-mail address for reaching the zonefile maintainer, with the "@"
symbol turned into a period (here, address ####@####.####  This is
followed by five numbers controlling other aspects of the domain's
technical operation.

Querying the SOA for tldp.org yields:

$ dig -t soa tldp.org +short
ns.unc.edu. host-reg.ns.unc.edu. 2008101001 14400 3600 1209600 86400

So, the master nameserver is "ns.unc.edu", and you're supposedly able to
reach the guys who maintain the zonefile at e-mail address
####@####.####

In the real world, the e-mail address specified often goes to a mailbox
that's ignored, or reaches someone who is a NOC technician but doesn't
have authority to alter the domain.  With luck, in the latter case,
he/she will forward your mail to the right person.

(Yeah, I'm a sysadmin.  DNS is a significant part of what I do.)

-- 
Cheers,                "I'm sorry Dan, what's right isn't always popular, 
Rick Moen              and what's popular isn't always right."
####@####.####                     -- George R. Moscone, Nov. 27, 1978

Rick Moen a écrit :

> (Yeah, I'm a sysadmin.  DNS is a significant part of what I do.)
> 
yes :-). I'm not a sysadmin, but I know most of that.

Personnally I use gandi DNS for my subdomains (I have only one server
of my own), but also for my LUG (two servers)

and I simply ask here to know if somebody is in charge :-)

Guylhem is responding to his mails, so I can also write him, but I try
 not to disturb him if not mandatory :-)

and I had to recover my LUG domain property (the former admin lose the
pass!!) and It was pretty difficult to convince Gandi Iwas the LUG
chairman!  If I had to do for the LDP, I fear it to be difficult :-))

jdd

-- 
jdd for the Linux Documentation Project
http://wiki.tldp.org
http://www.dodin.net

Quoting Jean-Daniel Dodin ####@####.####

> and I had to recover my LUG domain property (the former admin lose the
> pass!!) and It was pretty difficult to convince Gandi Iwas the LUG
> chairman!  If I had to do for the LDP, I fear it to be difficult :-))

It doesn't help the current task, but just for people's information:

SVLUG (Silicon Valley Linux User Group) faced, after voting to leave the
parent group (the supposed non-profit corporation I alluded to, in a
prior post) after things didn't work out with them, of how to re-do the
group's registration of its domains to ensure that various ghastly
accidents did not occur (or occur again).

In 2006, SVLUG had almost lost its main domain to accidental expiration
because the one volunteer in charge had ignored my advice about avoiding
single points of failure, and routed e-mail for all four domain contacts
(Registrant, Administrative, Technical, and Billing) through her
personal SMTP server in her house -- and then accidentally lost the
server's configuration to handle those e-mail addresses.  Consequently, 
SVLUG never received any of the renewal notices -- and was saved only
because I independently monitored its domains' payment status and paid
for the renewal, myself, when I saw that the group was not acting.

In the wake of that near-disaster, the new SVLUG administration
floundered and took no action because it was getting conflicting advice.
Finally, this year, I gained the registrar access and mandate to fix the
problem, which I did like this:

http://lists.svlug.org/archives/volunteers/2008q4/001490.html

You will note in that mailing list posting that the registrar access
tokens for the "Registrant" login at registrar Joker.com have been 
made available to all of the main volunteers (about a half-dozen
people).  That login ####@####.#### gives full Web-interface
control of the domains -- with the safeguard that the Administrative and
Technical contacts' e-mail addresses go elsewhere (directly to two
specific volunteers), so that any attempted fraud or abuse using the
Registrant login can be detected and countered.

There were a number of other common judgement errors I tried to
carefully avoid in the domain setup, but it'd probably bore everyone to
detail them.  ;->

Hello

Don't worry, I have set up all this thinking precisely on the worst
that could happen.

The domain is registered for TLDP, which means in case of a dispute
(ex: I go evil and want it to make banner websites) TLDP gets it
I did however kept my email address to be informed about potential
problems (most of my old domains are stll valid, and I receive a lot
of spam due to this but I prefer making it easier for people to get in
touch with me)

Yet in some cases something happen (say I get stuck by a car, eaten by
a lion, whatever) this is my metalab email, managed by ibiblio - I'm
sure they can set a .forward until the domains things are arranged.

Initially I paid the domains as a gift for the LDP, after this sad
cybersquatting story by one of your owns, but I can't remember about
registrering for so long. Anyway my suggestion is to renew it every
years, to be able to think about it time to time. (you'd have to miss
7 renewals in a raw to fail!)

I have no problem keeping an eye on the domain, but please consider
giving this function to ibiblio (maybe set up a DNS-alarm mail alias?)

BTW, may I ask here if anyone from canada could try to discuss the
domain oeil.ca with the "current owner", whom I fear will refuse to
negociate will me directly (we have a history- I am trying to claim
back the name). I still have that email appearing in a lot of places,
and I would like people using it to be able to reach for me.
I will gladly cover the expenses if the offer is fair ; alternately I
could also donate a domains that may sale at a faire price, like
externe.com or mauvaise.info (french joke)

Guylhem

On Mon, Nov 3, 2008 at 5:18 AM, Rick Moen ####@####.#### wrote:
> Quoting Jean-Daniel Dodin ####@####.####
>
>> and I had to recover my LUG domain property (the former admin lose the
>> pass!!) and It was pretty difficult to convince Gandi Iwas the LUG
>> chairman!  If I had to do for the LDP, I fear it to be difficult :-))
>
> It doesn't help the current task, but just for people's information:
>
> SVLUG (Silicon Valley Linux User Group) faced, after voting to leave the
> parent group (the supposed non-profit corporation I alluded to, in a
> prior post) after things didn't work out with them, of how to re-do the
> group's registration of its domains to ensure that various ghastly
> accidents did not occur (or occur again).
>
> In 2006, SVLUG had almost lost its main domain to accidental expiration
> because the one volunteer in charge had ignored my advice about avoiding
> single points of failure, and routed e-mail for all four domain contacts
> (Registrant, Administrative, Technical, and Billing) through her
> personal SMTP server in her house -- and then accidentally lost the
> server's configuration to handle those e-mail addresses.  Consequently,
> SVLUG never received any of the renewal notices -- and was saved only
> because I independently monitored its domains' payment status and paid
> for the renewal, myself, when I saw that the group was not acting.
>
> In the wake of that near-disaster, the new SVLUG administration
> floundered and took no action because it was getting conflicting advice.
> Finally, this year, I gained the registrar access and mandate to fix the
> problem, which I did like this:
>
> http://lists.svlug.org/archives/volunteers/2008q4/001490.html
>
> You will note in that mailing list posting that the registrar access
> tokens for the "Registrant" login at registrar Joker.com have been
> made available to all of the main volunteers (about a half-dozen
> people).  That login ####@####.#### gives full Web-interface
> control of the domains -- with the safeguard that the Administrative and
> Technical contacts' e-mail addresses go elsewhere (directly to two
> specific volunteers), so that any attempted fraud or abuse using the
> Registrant login can be detected and countered.
>
> There were a number of other common judgement errors I tried to
> carefully avoid in the domain setup, but it'd probably bore everyone to
> detail them.  ;->
>
>
> ______________________
> http://lists.tldp.org/
>
>



-- 
Dr. Guylhem Aznar, MD PhD

Unité d'Analyse Médico-Économique
Service de Santé Publique et d'Économie de la Santé
Pôle SPSSR
CHU de Fort de France
BP 632
97261 Fort De France Cedex
Martinique, France

Tel : 05 96 55 23 47
Fax : 05 96 75 84 57

Quoting Guylhem Aznar ####@####.####

> Hello

Hi, Guylhem!

> The domain is registered for TLDP, which means in case of a dispute
> (ex: I go evil and want it to make banner websites) TLDP gets it
> I did however kept my email address to be informed about potential
> problems (most of my old domains are stll valid, and I receive a lot
> of spam due to this but I prefer making it easier for people to get in
> touch with me)

Yes, that's approximately how I would have done it, too, FWIW.

> Yet in some cases something happen (say I get stuck by a car, eaten by
> a lion, whatever) this is my metalab email, managed by ibiblio - I'm
> sure they can set a .forward until the domains things are arranged.

Again, for whatever it's worth (FWIW), at SVLUG we found that relying on
aliases (or any other form of mail redirection) for domain contacts 
has both advantages and risks, but you have to be very careful of the
latter.

A (generous, well-intentioned) volunteer had set up _all_ of the
contacts (Registrant, Technical, Administrative, and Billing) for both
domains (svlug.org and svlug.net) to be aliases within her own mail
domain, the MTA for which initially did reflect the incoming mail to
desired end-recipients.  One problem was that she alone had the ability
to inspect and determine where, at any given time, those contacts'
mailboxes redirected _to_.  The rest of us had no visibility into how
that mail would be routed -- except throught the rather inadequate
mechanism of sending test messages to the publicly-displayed addresses,
and asking whoever received them (if anyone) to please reply back.

Later, she inadvertantly screwed up her aliases file during a system
rebuild, rendering all the aliases simultaneously undeliverable --
again, without anyone being able to see the problem.  That was the
incident I described where the group nearly lost svlug.org -- and would
have, if I hadn't been checking domain expiration dates independently.

Later still, she repaired the aliases handler, and redefined where all
the aliases went, without telling anyone.  Once again, we figured this
out only by sending test messages and attempting to trace them.

In the wake of all these unpleasant surprises, once I finally got
administrative control of SVLUG's domains, I banished all such "role"
e-mail accounts -- except one.

As you'll see if you check WHOIS for svlug.org/svlug.net, the Registrant
and Billing contact is ####@####.#### for both domains -- but the
other two contacts' mail goes to two active Internet users' direct
mailboxes that they monitor frequently.


> Initially I paid the domains as a gift for the LDP, after this sad
> cybersquatting story by one of your owns, but I can't remember about
> registrering for so long. Anyway my suggestion is to renew it every
> years, to be able to think about it time to time. (you'd have to miss
> 7 renewals in a raw to fail!)

Excellent idea.

Thank you, Guylhem!

Guylhem Aznar a écrit :
> Hello

salut!

> 
> Don't worry, I have set up all this thinking precisely on the worst
> that could happen.

(...)
well done :-)

we could buy a server with our own money, so I beg we can renew a
domain (€12 a year), but I still don't know where is this money and
who can use it :-( - probably Sergius could say, but he's in vacation
right now.

we have some sub-domains (br.tldp.org, for example) and we have to
manage this. I don't know where they are set, but I just see a
"tinydns" daemon on gabber, I will look and report

thanks
jdd

-- 
jdd for the Linux Documentation Project
http://wiki.tldp.org
http://www.dodin.net

Quoting Jean-Daniel Dodin ####@####.####

> we have some sub-domains (br.tldp.org, for example) and we have to
> manage this. 

That subdomain does _not_ appear to be delegated down from the main
nameservers that service tldp.org as a whole:

$ dig -t ns br.tldp.org +trace

; <<>> DiG 9.4.2-P1 <<>> -t ns br.tldp.org +trace
;; global options:  printcmd
.			24994	IN	NS	m.root-servers.net.
.			24994	IN	NS	a.root-servers.net.
.			24994	IN	NS	b.root-servers.net.
.			24994	IN	NS	c.root-servers.net.
.			24994	IN	NS	d.root-servers.net.
.			24994	IN	NS	e.root-servers.net.
.			24994	IN	NS	f.root-servers.net.
.			24994	IN	NS	g.root-servers.net.
.			24994	IN	NS	h.root-servers.net.
.			24994	IN	NS	i.root-servers.net.
.			24994	IN	NS	j.root-servers.net.
.			24994	IN	NS	k.root-servers.net.
.			24994	IN	NS	l.root-servers.net.
;; Received 272 bytes from 198.144.195.190#53(198.144.195.190) in 3 ms

org.			172800	IN	NS	A0.ORG.AFILIAS-NST.INFO.
org.			172800	IN	NS	C0.ORG.AFILIAS-NST.INFO.
org.			172800	IN	NS	TLD2.ULTRADNS.NET.
org.			172800	IN	NS	B0.ORG.AFILIAS-NST.org.
org.			172800	IN	NS	TLD1.ULTRADNS.NET.
org.			172800	IN	NS	D0.ORG.AFILIAS-NST.org.
;; Received 419 bytes from 192.5.5.241#53(f.root-servers.net) in 60 ms

tldp.org.		172800	IN	NS	ns2.unc.edu.
tldp.org.		172800	IN	NS	ns.unc.edu.
;; Received 71 bytes from 199.19.56.1#53(A0.ORG.AFILIAS-NST.INFO) in 231
ms

tldp.org.		300	IN	SOA	ns.unc.edu.
host-reg.ns.unc.edu. 2008101001 14400 3600 1209600 86400
;; Received 84 bytes from 152.2.21.1#53(ns.unc.edu) in 135 ms

$

If I read that correctly, that means any and all contents of that
subdomain are defined directly inside the tldp.org zonefile at master
nameserver ns.nuc.edu, and thereby reflected to slave nameserver
ns2.unc.edu.


> I don't know where they are set, but I just see a "tinydns" daemon on
> gabber, I will look and report

Er, what's "gabber" in this context?  I'm not sure I follow you.

FYI, tinydns is a nameserver daemon that performs authoritative
nameservice only.   Please see, for more information:
http://linuxmafia.com/faq/Network_Other/dns-servers.html#djbdns

-- 
Cheers,      "Transported to a surreal landscape, a young girl kills the first
Rick Moen     woman she meets, and then teams up with three complete strangers
####@####.####       to kill again."  -- Rick Polito's That TV Guy column,
              describing the movie _The Wizard of Oz_

Rick Moen a écrit :
> Quoting Jean-Daniel Dodin ####@####.####
> 
>> we have some sub-domains (br.tldp.org, for example) and we have to
>> manage this. 

at least, from our front page (tldp.org) we have br, it and es subdomains.

> 
> That subdomain does _not_ appear to be delegated down from the main
> nameservers that service tldp.org as a whole:

I "know" this, that is I read the doc and understand it at the moment
I read, but I'm far from mastering this.whois

> If I read that correctly, that means any and all contents of that
> subdomain are defined directly inside the tldp.org zonefile at master
> nameserver ns.nuc.edu, and thereby reflected to slave nameserver
> ns2.unc.edu.

so this have to be managed by ibiblio admins? (I was asked recently by
br to change the target - but this is not yet resolved)
> 
> 
>> I don't know where they are set, but I just see a "tinydns" daemon on
>> gabber, I will look and report
> 
> Er, what's "gabber" in this context?  I'm not sure I follow you.

we have three servers

* gabber (gabber.metalab.unc.edu) and reggae (reggae.metalab.unc.edu)
are vservers running on the hardware new one, gabber is for mailing
lists and reggae for the wiki (all this setup by Sergius)

* tldp.org is on the ibiblio server farm.

we can make any use we wan of gabber and reggae, even setup a new
vserver if we need to (the HW server is pretty powerfull). There is a
wiki page with details but read protected (read only by wiki admins,
because I don't mind to publish too sensible infos)

jdd


-- 
http://www.dodin.net
http://valerie.dodin.org
http://www.youtube.com/watch?v=t-eic8MSSfM