[dns-operations] Monitoring for impending expiration of domains?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Dec 14 18:51:48 UTC 2020 

On Mon, Dec 14, 2020 at 07:19:21PM +0100, Patrik Fältström via dns-operations wrote:

> > I recently had a few domains that I didn't have set up for
> > auto-renewal as I was making yearly decisions about them (IE, they
> > weren't mission critical).  I had the registrar's emails
> > specifically filtered to an important folder so I'd notice the
> > pending expiration date.  Then...  that registar sold all their DNS
> > services to a different one.  I lost two domains because the new
> > registar's mails ending up in a spam folder before I noticed.
> > Whoops.
> 
> That companies buy and sell each others, or the customers, or
> products...well, that is unfortunately part of the game. :-(

Which means that relying on any single mechanism to ensure the
desired outcome may not be sufficient or wise.  Trust, but verify!

> > Mind you the fault was entirely mine.  But auto-renew is probably the only safe way, as mail fails...  and as Viktor pointed out, calendars aren't exactly perfect either.
> 
> I rather say, you do not solve these issues with just technical measures.

In a narrow sense I agree that there is no technical "silver bullet"
that solves the problem, but on the other hand I strongly disagree
that technical means should not be applied to reduce the chance of
failure.

Specifically, I've learned over the years that no amount of automation
obviates monitoring, the two go hand in hand.  Monitoring tools need
to periodically generate status information even when all is well,
the absense of such reports needs to be noted, and need to generate
meaningful and repeated alerts once it is time to take action.

In this context, it means that one should both try to arrange for the
right thing to happen automatically (as much as possible), but one
should also be able to monitor for "impending doom", and take manual
corrective action before the bad things happen.

Thus, for example, my DNSSEC zones are automatically re-signed, *but*
each day a cron job runs that verifies that none of the signatures
are "too close" to expiration.

This needs to be possible also for domain registrations.  To the extent
that getting the requisite information requires jumping through ad-hoc
registrar-specific hoops, using sensitive credentials, ... we as a
technical community are perhaps failing to provide a robust service to
the users.

-- 
    Viktor.

More information about the dns-operations mailing list