[dns-operations] Monitoring for impending expiration of domains?
Viktor Dukhovni
ietf-dane at dukhovni.org
Sun Dec 13 19:41:27 UTC 2020
On Sun, Dec 13, 2020 at 01:03:12PM -0600, Chris Adams wrote:
> Once upon a time, Viktor Dukhovni <ietf-dane at dukhovni.org> said:
> > While one might just write this off as "operator error", putting the
> > blame squarely on the domain owner, I wonder whether in part the problem
> > is a result of lack of transparency around impending domain expiration.
>
> You can set to auto-renew, or you can use a calendar. I don't like
> automatic charges and avoid them when possible, so whenever I renew one
> of my domains, I put the expiration on my calendar with several advance
> notifications.
>
> Plus, if you are following the rules and keeping up-to-date contacts,
> you should get email notifications from the registrar before expiration.
>
> I have other things that I'm expected to renew without prompting (my
> state driver's license doesn't send notifications for example), so I
> guess I'm just used to keeping up with things myself.

That's a good example, but at least with a driver's license, passport,
... the expiration date is right there, on the document. I think that
more uniform visibility of such metadata would be useful.

I'm loath to configure my registry login credentials that can transfer
ownership of a domain, ... into a tool that only needs to look up dates
for pre-expiration monitoring. Doing this right would require some sort
of read-only token, that can be used solely for such requests.

Setting up calendars 9+ years in advance is a fragile business, I'd
much rather be able to populate a dashboard, with periodic updates.

And contact email addresses change, staff move on... Doing this
right takes a lot of attention to detail, which suggests a need
for a "belt and suspenders" approach, where multiple things would
have to go wrong for a renewal to be inadvertently missed.

And multiple likely means more than two if the renewals are only once a
decade. It is in many ways easier to automate and ensure proper
functioning of a frequent process than to do the same with something
that happens only once a decade.

Someone mentioned certificates, but we've now learned to no longer
do manual certificate updates, those were all too fragile. Instead
they're just automatically renewed (ACME).

--
Viktor.
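
An added example, not part of the original message: a credential-free expiration check of the kind the post asks for, feeding a dashboard. It assumes the registry publishes an `expiration` event in its RDAP (RFC 9083) domain response, which the post does not mention; the sample responses are constructed and the 60/14-day thresholds are hypothetical.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain responses (RFC 9083 shape), trimmed to the fields used.
SAMPLE_RDAP = [
    '{"ldhName": "example.org", "events": ['
    '{"eventAction": "registration", "eventDate": "2011-01-20T10:00:00Z"},'
    '{"eventAction": "expiration", "eventDate": "2021-01-20T10:00:00Z"}]}',
    '{"ldhName": "example.net", "events": ['
    '{"eventAction": "expiration", "eventDate": "2029-06-01T00:00:00Z"}]}',
    '{"ldhName": "example.com", "events": ['
    '{"eventAction": "last changed", "eventDate": "2020-03-02T08:00:00Z"}]}',
]

def expiration(rdap_obj):
    """Return the expiration datetime (UTC) from an RDAP domain object, or None."""
    for ev in rdap_obj.get("events", []):
        if ev.get("eventAction") == "expiration":
            stamp = ev["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(stamp).astimezone(timezone.utc)
    return None

def classify(rdap_obj, now, warn_days=60, crit_days=14):
    """Map one domain to (name, status, days_left) for a dashboard row."""
    name = rdap_obj.get("ldhName", "?")
    exp = expiration(rdap_obj)
    if exp is None:
        # Missing data is itself an alert: silence must not read as "fine".
        return (name, "UNKNOWN", None)
    days = (exp - now).days
    if days < 0:
        status = "EXPIRED"
    elif days <= crit_days:
        status = "CRITICAL"
    elif days <= warn_days:
        status = "WARNING"
    else:
        status = "OK"
    return (name, status, days)

def dashboard(raw_responses, now):
    """Build dashboard rows, with unknown and soonest-expiring domains first."""
    rows = [classify(json.loads(r), now) for r in raw_responses]
    return sorted(rows, key=lambda r: (r[2] is not None, r[2] or 0))

if __name__ == "__main__":
    now = datetime(2020, 12, 13, 19, 41, tzinfo=timezone.utc)
    for row in dashboard(SAMPLE_RDAP, now):
        print(row)
```

Run from a frequent scheduled job, a check like this needs no registrar login, and a domain whose response lacks an expiration event surfaces as `UNKNOWN` rather than silently passing.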