Posted: Tuesday, 25 April 2017
As announced on 22 March 2017, there are thousands of instances of the ARIN Point of Contact (POC) handle "No, Contact Known" or CKN23-ARIN registered in the ARIN database, most of them associated with legacy resource records. ARIN would like the community to review the history of this situation and the proposed solution and provide us with their feedback. We are conducting this community consultation to obtain feedback on the proposed options to address this issue. This consultation period will close at 5 PM EDT, 22 May 2017.
The creation and addition of the CKN23-ARIN POC handle was due to a combination of factors.
- In 2002, a database conversion project was done at ARIN that created a new database structure and added a new record type (Organization ID) as well as new POC types (Admin, Tech, Abuse and NOC). When an Org ID didn't have a clear POC that had been recently updated or vetted by ARIN staff, the original resource POC remained on the resource record only and no POCs were added to the Org record at all.
- In a later 2011 database conversion, reverse DNS delegation switched from per-net to per-zone. This created significant hijacking potential by allowing resource POCs to change their reverse delegation without first being verified by staff as legitimate.
- Also in 2011, ARIN added a new business rule that required an Admin and a Tech POC on all Org records as a way of enhancing data quality.
- Policy 2010-14 was implemented in 2011 and required Abuse POCs on all Org records.
In order to maintain ARIN's business rules, comply with policy 2010-14, and prevent hijackings, several actions were initiated by staff:
- CKN23-ARIN was created to become the Admin and Tech POC on Orgs that lacked them
- Resource POCs of legacy networks that had never been updated or validated by ARIN were moved to the Organization record as the Abuse POC
- ARIN's verification and vetting requirements were thus reinstated as the Abuse POC had to be vetted before making any changes to the record, and therefore could not hijack the resource by adding or changing the nameservers
Over time, the above actions have created several issues:
- It is easy for hijackers to identify and target records with CKN23 (no contact known) as the handle
- POCs that were moved from resource tech to Org abuse are not happy about no longer having control of their resource record
There are several different courses of action that ARIN could take to resolve the current situation.
Option 1
- Retain the current status and do nothing

Option 2
- Restore the resource POCs back to their original state on the resource record, keeping in mind that this would open up the hijacking risk by giving the original resource POC control of the network without a verification process
- Retain the Abuse POC on the Org record
- Retain CKN23-ARIN as Org POC

Option 3 - **Recommended option**
- Restore the resource POC back to their original state on the resource record. This will allow contacts historically associated with a resource record to more readily administer that record going forward.
- Retain the Abuse POC on the Org
- Replace CKN23-ARIN with a handle that better explains the record's status (e.g. "Legacy Record – See Resource POC")
- Lock all resources associated with these legacy records that have had their resource POC restored. This would ensure that any changes made by the resource POC would first have to be reviewed by ARIN.
We would like to thank the ARIN Services Working Group (WG) for their helpful review of the proposed change. While the ARIN Services WG did not take a formal position in support of or in opposition to the proposed change, their review led to improvements in the presentation of the options.
We are seeking community feedback on this proposed change (Option #3) to the ARIN Registry database.
Please provide comments to email@example.com. You can subscribe to this mailing list at:
Please contact us at firstname.lastname@example.org if you have any questions.
President & CEO
American Registry for Internet Numbers (ARIN)