ACSP Consultation 2017.1: CKN23-ARIN Proposal
Consultation Tracking Information
- Requested By: Staff
- Status: Closed
- Comments Opened: Linked to Discussion Archives: 22 March 2017
- Comments Closed: 22 May 2017
- Suggestion Number: n/a
Consultation Description
There are thousands of instances of the ARIN Point of Contact (POC) handle “No, Contact Known” or CKN23-ARIN registered in the ARIN database, most of them associated with legacy resource records. ARIN would like the community to review the history of this situation and the proposed solution and provide us with their feedback.
The creation and addition of this POC handle was due to a combination of factors.
- In 2002, a database conversion project was done at ARIN that created a new database structure and added a new record type (Organization ID) as well as new POC types (Admin, Tech, Abuse and NOC). When an Org ID didn’t have a clear POC that had been recently updated or vetted by ARIN staff, the original resource POC remained on the resource record only and no POCs were added to the Org record at all.
- In a later 2011 database conversion, reverse DNS delegation switched from per-net to per-zone. This created significant hijacking potential by allowing resource POCs to change their reverse delegation without first being verified by staff as legitimate.
- Also in 2011, ARIN added a new business rule that required an Admin and a Tech POC on all Org records as a way of enhancing data quality.
- Policy 2010-14 was implemented in 2011 and required Abuse POCs on all Org records.
In order to maintain ARIN’s business rules, comply with policy 2010-14, and prevent hijackings, several actions were initiated by staff:
- CKN23-ARIN was created to become the Admin and Tech POC on Orgs that lacked them
- Resource POCs of legacy networks that had never been updated or validated by ARIN were moved to the Organization record as the Abuse POC
- ARIN’s verification and vetting requirements were thus reinstated as the Abuse POC had to be vetted before making any changes to the record, and therefore could not hijack the resource by adding or changing the nameservers
Over time, the above actions have created several issues:
- It is easy for hijackers to identify and target records with CKN23 (no contact known) as the handle
- POCs that were moved from resource tech to Org abuse are not happy about no longer having control of their resource record
There are several different courses of action that ARIN could take to resolve the current situation.
Option 1
- Retain the current status and do nothing
Option 2
- Restore the resource POCs back to their original state on the resource record keeping in mind that this would open up the hijacking risk by giving the original resource POC control of the network without a verification process
- Retain the Abuse POC on the Org record
- Retain CKN23-ARIN as Org POC
Option 3 - Recommended option
- Restore the resource POC back to their original state on the resource record. This will allow contacts historically associated with a resource record to more readily administer that record going forward.
- Retain the Abuse POC on the Org
- Replace CKN23-ARIN with a handle that better explains the record’s status (e.g. “Legacy Record – See Resource POC”)
- Lock all resources associated with these legacy records who have had their resource POC restored. This would ensure that any changes made by the resource POC would first have to be reviewed by ARIN.
We would like to thank the ARIN Services Working Group (WG) for their helpful review of the proposed change – while the ARIN Services WG did not take a formal position in support of or in opposition of the proposed change, their review led to improvements in presentation of the options
We are seeking community feedback on this proposed change (Option #3) to the ARIN Registry database.
This consultation will remain open for 60 days - Please provide comments to arin-consult@arin.net. You can subscribe to this mailing list at: http://lists.arin.net/mailman/listinfo/arin-consult.
Discussion on arin-consult@arin.net will close on 22 May 2017.
If you have any questions, please contact us at info@arin.net.
ARIN Actions
ARIN has evaluated the feedback from the community consultation on CKN23-ARIN and we are working on finalizing the implementation plan. This effort is expected to be completed within the next 45 days, at which time ARIN will provide a general implementation plan with timelines to the community. Our intention is to implement option 3 as recommended in the community consultation, with some slight modifications based on feedback received from the community.
Update: 06 September 2017
ARIN has finalized an implementation plan to address the issues described in the CKN23-ARIN consultation that was originally opened 22 March 2017.
Based on community feedback, we have modified our original implementation plan as follows:
- Restore the resource POC back to its original state on the resource record. This will allow contacts historically associated with a resource record to more readily administer that record going forward.
- Remove CKN23-ARIN as the Admin and Tech POC on the Org record and replace it with the original resource POC.
- Retain the Abuse POC on the Org.
- Lock all Org and Resource records that have had their resource POC restored on the Resource record and added to the Org record as the Admin and Tech POC. This will ensure that any changes made by the Admin/Tech/Resource POC will first have to be reviewed by ARIN. Our intention is to interact directly with these affected Orgs so that we can obtain updated and accurate Whois information.
We plan to complete this project by the end of November 2017. ARIN thanks the community for its feedback on this matter.