3. Hot Topics
3.3 Cancellation of DNS Zone Transfer of JP Domain and Lists of Domain Names, and Status Afterwards
(Database Management Working Group)
Background to Cancellation of Services
JPNIC operates the primary server for the JP domain, whose DNS information (zone file) contains every domain name in the JP domain space together with the DNS server information used to manage those names. The contents of the zone file can be obtained through the zone transfer function, and there is a risk that this information could be used for malicious purposes such as port scanning [1].
In addition, by taking the domain names obtained from the zone information and looking each one up on a whois server, comprehensive information covering the entire JP domain can be gathered and used as a source for direct mailing lists.
Because a similar risk applies to the JP domain name lists and IP address lists (hereinafter, list files) that were available by FTP, JPNIC decided to restrict DNS zone information transfer and reverse name information transfer, and to stop publishing the list files.
Cancellation Process and Current Situation
1998/08/24: The Database Publication Issue Task Force released its opinion regarding the termination of general publication of JP domain name tables within 'Regarding the Publication of Personal Information by JPNIC via whois' [2]
1998/11/30: The schedule for cancellation was announced within 'Announcement on the Cancellation of DNS Zone Information Transfer and Reverse Name Information Transfer' [3]
1999/01/29: Reprint of the 'Announcement on the Cancellation of DNS Zone Information Transfer and Reverse Name Information Transfer' [4]
1999/01/29: 'Exceptional Treatment Regarding Continued DNS Information Transfer Following the Cancellation of DNS Zone Information Transfer and Reverse Name Information Transfer' [5]
1999/04/01: Schedule changes and modification to the conditions for exceptional treatment were announced in 'Regarding the Cancellation of DNS Zone Information Transfer and Reverse Name Information Transfer and the Termination of Distribution of JP Domain Lists' [6]
1999/05/11: Announcement of cancellation in 'Announcement Regarding Cancellation of DNS Zone Transfer and Cancellation of the Distribution of JP Domain Lists and IP Address Lists' [7]
As indicated above, DNS zone transfer and publication of list files were terminated as of May 11, 1999. The initial schedule announced on November 30, 1998 called for termination by February 1, 1999, but it was judged that users could suffer a major impact from DNS misconfigurations left in place. In view of the importance of DNS to the Internet, JPNIC set aside an education period to minimize this impact and extended the cancellation deadline to May 11.
As of July 1, there have been no reports of problems arising from the cancellation of DNS zone transfer.
Message to Server Administrators Who Previously Conducted Zone Transfers of JP Domains
DNS servers that previously performed direct zone transfers from the JP primary server or the official secondary servers may experience the following problems now that zone transfer from the JP primary server has been cancelled.
- Inability to access domains registered on the JP primary DNS on or after May 11
- Inability to access zone information added on or after May 11
- Delays in the receipt of mail
DNS administrators using the following settings should delete the relevant parts. For details, please refer to 'Regarding Verification of DNS Server Settings Following the Cancellation of Zone Transfer' [8].
BIND 4.x
within the file: /etc/named.boot
    secondary jp XXX.XXX.XXX.XXX bak/jp.zone
    secondary SLD.jp XXX.XXX.XXX.XXX bak/SLD.zone
BIND 8.x
within the file: /etc/named.conf
    zone "jp" { type slave; file "bak/jp.zone"; masters { XXX.XXX.XXX.XXX; }; };
    zone "SLD.jp" { type slave; file "bak/SLD.zone"; masters { XXX.XXX.XXX.XXX; }; };
* SLD refers to the second level domain (ac, co, ..., region, etc.); XXX.XXX.XXX.XXX refers to the IP address of the server from which the zone was transferred.
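As an added example (not part of the JPNIC notice), the following Python script scans a BIND 8 named.conf and a BIND 4 named.boot for exactly the leftover slave/secondary declarations for jp and SLD.jp zones that the notice says to delete. The two configuration samples and the address 192.0.2.53 are constructed for the example.

```python
import re

# Constructed BIND 8 named.conf: two stale slave zones for jp and ac.jp
# (the stanzas the notice says to remove) next to a legitimate master zone.
# 192.0.2.53 is a documentation address standing in for XXX.XXX.XXX.XXX.
SAMPLE_NAMED_CONF = """
options { directory "/var/named"; };
zone "." { type hint; file "named.root"; };
zone "jp" { type slave; file "bak/jp.zone"; masters { 192.0.2.53; }; };
zone "ac.jp" { type slave; file "bak/ac.zone"; masters { 192.0.2.53; }; };
zone "example.co.jp" { type master; file "example.co.jp.zone"; };
"""

# Constructed BIND 4 named.boot with the equivalent stale 'secondary' lines.
SAMPLE_NAMED_BOOT = """
directory /etc/namedb
primary example.co.jp example.co.jp.zone
secondary jp 192.0.2.53 bak/jp.zone
secondary co.jp 192.0.2.53 bak/co.zone
"""


def _zone_stanzas(conf):
    """Yield (name, body) for each zone stanza, matching braces by hand
    so that nested blocks such as 'masters { ... };' are handled."""
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def _is_jp_delegated(name):
    """True for 'jp' itself or a second-level SLD.jp zone (ac.jp, co.jp, ...),
    i.e. the zones that used to be transferred from the JP primary."""
    labels = name.lower().rstrip('.').split('.')
    return labels[-1] == 'jp' and len(labels) <= 2


def find_bind8_jp_slaves(conf):
    """Names of jp / SLD.jp zones declared as 'type slave' in named.conf."""
    return [name for name, body in _zone_stanzas(conf)
            if _is_jp_delegated(name) and re.search(r'\btype\s+slave\s*;', body)]


def find_bind4_jp_secondaries(boot):
    """Names of jp / SLD.jp zones declared with 'secondary' in named.boot."""
    hits = []
    for line in boot.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == 'secondary' and _is_jp_delegated(parts[1]):
            hits.append(parts[1])
    return hits
```

Each returned name marks a stanza or line to delete; the zone will then be resolved normally through referrals instead of from a copy that is no longer updated.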
Exceptional Measures Regarding DNS Zone Transfer
DNS zone transfer is now performed only to the official secondary servers managed at JPNIC's request, and all transfer requests from other servers are refused. Under the same policy, the official secondary servers do not perform zone transfers to other servers either. As indicated in Announcement [5] of January 29, 1999, exceptional treatment was originally to be provided whereby DNS zone transfers would be permitted under certain conditions, but as of Announcement [6] of April 1, DNS zone transfers were, in principle, prohibited for the following reasons.
- Because DNS server information is included in addition to all domain names, the consequences of this information being used as a source for port scanning and similar activity would be serious.
- DNS servers bear a not insignificant load from zone transfer requests, and this source of instability must be removed in order to provide stable service.
Regarding the Provision of List Files and Certification System
The intended use of the list files will be examined, and the files will be distributed only to parties who agree in writing to the following conditions.
- List files are only to be used for non-profit activities
- List files may only be used by the party to which they are distributed
- List files may not be redistributed to a third party
- Products consisting of a recompilation of list files are not to be released
- Names of parties to which files are distributed and the purpose of use are to be posted on JPNIC's web-site
- Files are to be distributed until March 31, 2000, with the policy to be revised at this time.
List file users will be issued with a digital certificate by JPNIC's Certification Authority (CA). Users can access the list files by using this digital certificate with a certification system provided by JPNIC. The Certification Authority and certification system are still in the experimental stages, but JPNIC is planning the future introduction of database access controls using a certification system based on this type of digital certificate.
For details regarding the distribution of list files, please refer to 'Method of Application to Access JP Domain Name Lists and IP Address Lists' [9].
Inquiries
Please contact the following e-mail address for inquiries regarding the suspension of DNS zone transfers and of the release of list files, or for applications to use the list files.
[1] http://www.jpcert.or.jp/info/98-0004/
[2] http://www.nic.ad.jp/jp/topics/archive/19980824-01.html
[3] http://www.nic.ad.jp/jp/topics/archive/19981201-01.html
[4] http://www.nic.ad.jp/jp/topics/archive/19990129-01.html
[5] http://www.nic.ad.jp/jp/topics/archive/19990129-02.html
[6] http://www.nic.ad.jp/jp/topics/archive/19990401-01.html
[7] http://www.nic.ad.jp/jp/topics/archive/19990512-01.html
[8] http://www.nic.ad.jp/en/db/check-request.html
[9] http://www.nic.ad.jp/en/db/application.html