Domain Transfer, WHOIS Privacy, DNSSEC, and the Absence of Push-ups

edited April 6 in Outages

This article is originally published on yoursunny.com blog https://yoursunny.com/t/2022/ndn-today-domain-transfer/

Annual Domain Transfer for Profit

Since my first domain name in 2006, I have purchased several domain names for my various websites.
A few years ago, I discovered a secret in the domain registration business: many registrars offer a cheaper price for domain transfer than domain renewal, as a means to attract new customers.
Therefore, if I transfer my domain every year to a different registrar, I would pay less than renewing the domain at the same registrar.

DNS services for a domain used to be associated with the registrar.
When I transfer a domain away, the DNS server of the old registrar would stop responding to queries regarding my domain, and the DNS server of the new registrar does not yet have any records about the IP addresses of my web server.
Therefore, a domain transfer would usually cause the website to become inaccessible for a day or two.
Typically, I post a tweet when a domain transfer is about to happen, so that my readers could know why my website is down.

Nowadays, I'm using Cloudflare DNS for most of my domains.
Cloudflare DNS server is independent from the domain registrar, so that my website continues to resolve correctly throughout a domain transfer, as long as neither registrars modify the name server delegation records.
In case the new registrar automatically updates the delegation records to their DNS servers, I have to quickly login to the control panel and change it back to Cloudflare, which would then cause a brief downtime of the website.
Having done so for many years, I am accustomed to this process.

Transfer of ndn.today

I registered ndn.today domain name in 2020, to host several of my personal projects related to Named Data Networking, which include the popular NDN push-ups page.
Later that year, I transferred this domain from NameCheap to Porkbun.
After entering the Auth-Code at the new registrar and accepting the transfer request at the old registrar, the domain moved over, and Cloudflare continues to resolve the domain so that there's no website downtime.

Many domain registrars offer free WHOIS privacy services, which conceal my name, street address, and email from the public WHOIS database.
I do not consider WHOIS privacy essential because my information is public, but I kept it enabled so that I could receive fewer spam email.
During the above domain transfer, WHOIS information changed from Withheld for Privacy ehf to Private by Design, LLC, which are the WHOIS privacy services of NameCheap and Porkbun respectively.
Despite the change, I am still the domain owner as recorded in the registrar's control panel.

Fast forward to March 30, 2022, it's less than two months before the expiration date of ndn.today, so it's time to yo-yo the domain again.
Tldes.com indicates that one.com has the cheapest domain transfer offer for .today at $2.22, and they are an IANA-accredited registrar.
Following the usual procedure, I unlocked the domain, entered the Auth-Code, paid the invoice, and accepted the transfer request.
The domain moved over, and I went to bed.

The next morning, I received an alert:

Hi,

The monitor web RSpec (https://rspec.ndn.today) is currently DOWN (Connection Timeout).

UptimeRobot will alert you when it is back up.

Usually, such an alert indicates a problem with the hosting server.
I SSH'ed into the server, but did not find any issues.
Since I was busy with coding that day, I ignored the alert thinking it would resolve by itself in a few hours.

In the evening of March 31, I recalled this UptimeRobot alert, and discovered that I cannot open the NDN push-ups website anymore.

This site can't be reached. pushups.ndn.today's server IP address could not be found. Try: Checking the connection. ERR_NAME_NOT_RESOLVED

I started to realize, the alert was caused by a DNS problem, not a server issue.
I queried the domain with two online WHOIS lookup tools, one shows the name server delegation to be Cloudflare as expected, the other one shows:

Updated Date: 2022-03-31T13:03:53Z
Creation Date: 2020-05-25T19:09:17Z
Registry Expiry Date: 2023-05-25T19:09:17Z
Registrar: One.com A/S
Registrar IANA ID: 1462
Domain Status: transferPeriod https://icann.org/epp#transferPeriod
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Private by Design, LLC
Name Server: ns01.one.com
Name Server: ns02.one.com
DNSSEC: signedDelegation

Apparently, one.com automatically changed the name server delegation to their own.
Since I haven't entered any DNS records in one.com DNS control panel, their DNS server cannot resolve my website IP address.

Domain Owner: Private by Design, LLC

I haven't encountered an automatic name server update since 2014, but I know how to deal with it: login to the new registrar's control panel, and change the name server back to Cloudflare.
I filled up the form, clicked submit, and then received a message:

You have name server changes pending approval.
A request has been sent to the registrant of the domain for approval.
If not approved within three days, the request will fail.

Looking through my email inbox, I received nothing.
After poking around, I found the issue: according to one.com, the domain is now owned by Private by Design, LLC, Porkbun's WHOIS privacy service.
Therefore, they sent the request to [email protected], but I have no way to access that mailbox.

I attempted to modify the domain contact.
However, that form also triggers an automated email to [email protected] that I cannot access.
I contacted Porkbun chat support, and they told me the validation code contained in one of the emails.
I submitted this validation code at one.com, but it did not allow me to immediately update the domain contact.

Road to Recovery

One.com is the current registrar and they have the authority and responsibility to resolve the problem.
I contacted their chat support, Support Robot gave a 7-minute estimate for a support agent, but nobody picked up after 15 minutes.
I tried again after a few hours and got to someone, who asked me to fill up a general owner change PDF form and submit by email.
Seeing that the form should be accompanied by a photo ID such as my driver's license, I felt uneasy to send sensitive documents via unencrypted email.
Upon raising my concern, the support agent Angel said that I can also use the ticket system, much better!

I prepared and signed the form, scanned my driver's license, and submitted both via the ticket system.
The same Angel replied to the ticket, saying that she's going to forward the form to their Hostmasters, who would process the form within 24 hours.
Sigh.

The next morning, on April 1, I received another email:

Owner details update for domain ndn.today

We have declined your request of Mar 31, 2022 to update the owner details for your domain ndn.today.

I started to panic PMS: I submitted the PDF form according to instructions, and why is it declined?
A different chat support agent checked the status of my ticket, and assured me that the PDF form is still being processed, and the decline message came from my earlier attempt in the control panel.

DNSSEC Thwarts the Temporary Measure

As I'm waiting for the hostmaster to process the "owner change", I thought about a temporary solution: I can enter server IP addresses in the control panel, so that one.com DNS server could resolve the records.
I have been using Cloudflare CDN for some of my sites under this domain, mainly for the convenience of TLS termination.
Moving them off the CDN means that I have to do TLS termination on my own server, but I'm experienced with this: Caddy server has automatic TLS and can obtain certificates automatically.

I inserted A and AAAA records in one.com DNS control panel, and configured reverse proxies in the Caddyfile:

https://pushups.ndn.today {
  reverse_proxy https://pushups.netlify.app
}

Certificate Transparency notifications started rolling in, suggesting that my reverse proxy has successfully obtained TLS certificates for the subdomains.
I couldn't access the websites myself at that time, but I'm confident that DNS propagation delay would eventually resolve itself.
Certificates are issued by ZeroSSL instead of the usual Let's Encrypt, but it's not a matter of concern.

It's now April 2, two days after the initial UptimeRobot alert, I still cannot access my websites.
I queried my domain on DNS lookup & Propagation Check, and it gave mixed results: some DNS servers can resolve the domain and some cannot.
While DNS does have negative caching, such caching is normally short-lived, so that DNS caching is not the only one to blame.

worldwide DNS propagation map, 5 green ticks and 14 red crosses

The reason of failed DNS resolution lies in DNSSEC.
Following a recommendation from Cloudflare, I enabled DNSSEC for my domain, so that unauthorized DNS servers cannot respond to queries with bogus responses.
Setting up DNSSEC is a two-step process:

  1. Cloudflare DNS server generated a signing key pair, and would use it to sign every response under my domain.
  2. Using a form on the Porkbun control panel, I submitted the digest of the public key to the .today registry, in what's called a DS record.

When a DNS resolver receives the DS record, it would retrieve the public key from the delegated name server (i.e. Cloudflare), and check that the public key matches the digest and the records are signed by this public key.
Right now, the name server delegation is pointing to ns01.one.com, but the DS record contains the digest of Cloudflare's public key.
Since one.com does not own the corresponding private key, it would not be able to come up with a valid signature.
Consequently, DNS resolvers would reject its responses and refuse to resolve my domain.

VeriSign Labs DNSSEC Analyzer confirms my suspicion:

Found 1 DS records for ndn.today in the today zone; No DNSKEY records found; ns01.one.com is authoritative for pushups.ndn.today; No RRSIGs found

Not every DNS resolver validates DNSSEC signatures, which explains why some DNS servers can resolve the domain and some cannot.
I checked Caddy server logs, and it suggests that Let's Encrypt could not issue certificates due to DNS resolution failure, so that Caddy automatically switched to ZeroSSL as a fallback.
This implies that Let's Encryption is using a DNSSEC-validating resolver, while ZeroSSL is using a non-validating resolver.

Now, my domain is in limbo.
If a viewer is using a non-validating DNS resolver, they can visit my website and see my push-ups.
If a viewer is using a DNSSEC-validating resolver, there would be no push-ups for them.

Summary & Final Words

I regularly transfer domains between registrars to take advantage of lower pricing.
This time, I transferred a domain from Porkbun to one.com without disabling WHOIS privacy service.
The new registrar considered Private by Design, LLC, Porkbun's WHOIS privacy service, to be the domain owner, and restricted me from accessing most features in the control panel.
Paperwork for re-assigning the domain owner to me is still being processed after two days.

The new registrar automatically changed name server delegation to their own.
I inserted DNS records to one.com DNS server as a temporary measure, but these records are being rejected by DNSSEC-validating resolvers because one.com does not possess the signing keys.
Consequently, ndn.today domain has been inaccessible for three days and counting, and half of the world population is unable to watch my push-ups.

UPDATE 2022-04-05:
Shortly after this article was first published, one.com approved the domain owner change request and re-assigned the domain under my own name.
I updated the name server back to Cloudflare right away, and my websites are fully recovered as of this writing.
According to UptimeRobot, total downtime was about 77 hours and 49 minutes.
Needless to say, I wasted so much time trying to fix my domain, the time that I could otherwise spend doing push-ups.

Hammer the cores and blast the ports with no mercy.

Comments

  • mikhomikho AdministratorHosting ProviderOG

    One.com is a Danish company used by many Swedes and other Nordic citizens.

    The general idea about that company is that it ”works” for smaller companys that only use one.com services.

    For the more technical persons, one.com is frowned upon.
    Due to their control panel, lack of understanding support personal (most of the time you get canned responses back).

    I haven’t used one.com in many years and I don’t plan on using them again, no matter how cheap their service is.

    Thanked by (1)yoursunny

    Get 4 or more NAT servers (mix/match between packages) and get a 30 % recurring discount. https://clients.mrvm.net

  • Yes, a couple of my Norwegian customers use One.com, so I have to deal with them. I wouldn't recommend them, for the reasons mentioned ...

  • Is there a technical reason why the push-ups and other NDN experiments aren’t on *.yoursunny.com? Can save a bit that way.

  • @stevewatson301 said:
    Is there a technical reason why the push-ups and other NDN experiments aren’t on *.yoursunny.com? Can save a bit that way.

    My preferred practice used to be putting things at a path within the main site, such as https://yoursunny.com/p/rideon-today/ .
    However, this isn't feasible with today's automated deployment tools and third-party application hosting (Cloudflare Workers, Netlify, etc).

    https://yoursunny.com is used without www. prefix.
    As such, cookies are assigned at yoursunny.com level.
    If I setup an independent site at example.yoursunny.com level, the new site would receive unnecessary cookies from the main site.
    In HTTP/1.1, this translates to upload bandwidth overhead.
    However, this is less relevant since HTTP/2, in which duplicate request headers can be compressed away.

    Nowadays, having multiple domains is more about branding.
    My collaborator asked for https://play.ndn.today subdomain for his NDN Play simulator webapp - he decided on that name before knowing I have this domain.

    I also have .yoursunny.dev domain for my non-NDN projects.
    On the other hand, I have decided to cancel .yoursunny.cn this year because it has idled for too long and very few sites still link to it.

    Hammer the cores and blast the ports with no mercy.

  • yxz.de  
        No DS records found for yxz.de in the de zone
        No DNSKEY records found
        ns2.incoghost.com is authoritative for yxz.de
        yxz.de A RR has value 23.xx.xx.xx
        No RRSIGs found
    

    stupid question, is it a problem if these two values are not set and if so, how do i set them?

    No DS records found for yxz.de in the de zone
    No DNSKEY records found

  • cybertechcybertech OGBenchmark King

    how much did you save?

    I bench YABS 24/7/365 unless it's a leap year.

  • @lapua said:

    yxz.de    
      No DS records found for yxz.de in the de zone
      No DNSKEY records found
      ns2.incoghost.com is authoritative for yxz.de
      yxz.de A RR has value 23.xx.xx.xx
      No RRSIGs found
    

    stupid question, is it a problem if these two values are not set and if so, how do i set them?

    No DS records found for yxz.de in the de zone
    No DNSKEY records found

    What command did you run to get these results?

  • vyasvyas OGContent Writer

    @cybertech said:
    how much did you save?

    More relevant question: What exactly did he end up saving?

    VPS reviews | | MicroLXC | English is my nth language.

  • edited April 4

    ndn.today seems to be back up though. Presumably your issues with one are resolved?

  • @vyas said:
    More relevant question: What exactly did he end up saving?

    At least not his time. Time he could've spent for more pushups.

    Thanked by (1)yoursunny
  • @dosai said:

    @lapua said:

    yxz.de  
        No DS records found for yxz.de in the de zone
        No DNSKEY records found
        ns2.incoghost.com is authoritative for yxz.de
        yxz.de A RR has value 23.xx.xx.xx
        No RRSIGs found
    

    stupid question, is it a problem if these two values are not set and if so, how do i set them?

    No DS records found for yxz.de in the de zone
    No DNSKEY records found

    What command did you run to get these results?

    https://dnssec-analyzer.verisignlabs.com/

    Thanked by (1)dosai
  • @lapua said:
    stupid question, is it a problem if these two values are not set and if so, how do i set them?

    No DS records found for yxz.de in the de zone
    No DNSKEY records found

    DS record is created in the parent zone i.e. de registry.
    The registrar should have a button, which forwards the settings to the registry.

    namesilo DS records

    DNSKEY record is created in the child zone i.e. yxz.de authoritative name server.
    In Cloudflare it's under DNS app.
    You should start here, which would tell you what DS record to insert at the registry side.

    Thanked by (1)lapua

    Hammer the cores and blast the ports with no mercy.

  • @cybertech said:
    how much did you save?

    Porkbun .today renewal $16.46 - one.com .today transfer $2.22 = $14.24 saving

    @vyas said:
    More relevant question: What exactly did he end up saving?

    The saving equals one year of 1GB KVM server.

    @Pruzilla said:
    At least not his time. Time he could've spent for more pushups.

    More time spent on writing the blog post.

    Thanked by (2)cybertech Pruzilla

    Hammer the cores and blast the ports with no mercy.

  • cybertechcybertech OGBenchmark King

    how much did you save?> @yoursunny said:

    @cybertech said:
    how much did you save?

    Porkbun .today renewal $16.46 - one.com .today transfer $2.22 = $14.24 saving

    @vyas said:
    More relevant question: What exactly did he end up saving?

    The saving equals one year of 1GB KVM server.

    @Pruzilla said:
    At least not his time. Time he could've spent for more pushups.

    More time spent on writing the blog post.

    thats good savings. not sure about the efforts though.

    I bench YABS 24/7/365 unless it's a leap year.

  • UPDATE 2022-04-05:
    Shortly after this article was first published, one.com approved the domain owner change request.
    The original article is updated to include the recovery.

    Thanked by (2)Not_Oles mikho

    Hammer the cores and blast the ports with no mercy.

  • @yoursunny said:
    UPDATE 2022-04-05:
    Shortly after this article was first published, one.com approved the domain owner change request.
    The original article is updated to include the recovery.

    This may prove the fact that one.com CEO reads this forum.

    Thanked by (1)flips
  • @legendary said:

    @yoursunny said:
    UPDATE 2022-04-05:
    Shortly after this article was first published, one.com approved the domain owner change request.
    The original article is updated to include the recovery.

    This may prove the fact that one.com CEO reads this forum.

    Or LET, where it was also posted, because OP is an attention-whore.

  • @BarryHercules said:

    @legendary said:

    @yoursunny said:
    UPDATE 2022-04-05:
    Shortly after this article was first published, one.com approved the domain owner change request.
    The original article is updated to include the recovery.

    This may prove the fact that one.com CEO reads this forum.

    Or LET, where it was also posted, because OP is an attention-whore.

    Nah, Sunny is ok. He is so called "eccentric person".

    Thanked by (2)Erisa yoursunny
  • @legendary said:

    @BarryHercules said:

    @legendary said:

    @yoursunny said:
    UPDATE 2022-04-05:
    Shortly after this article was first published, one.com approved the domain owner change request.
    The original article is updated to include the recovery.

    This may prove the fact that one.com CEO reads this forum.

    Or LET, where it was also posted, because OP is an attention-whore.

    Nah, Sunny is ok. He is so called "eccentric person".

    Push-up slut.

  • @BarryHercules said:

    @legendary said:

    @BarryHercules said:

    @legendary said:

    @yoursunny said:
    UPDATE 2022-04-05:
    Shortly after this article was first published, one.com approved the domain owner change request.
    The original article is updated to include the recovery.

    This may prove the fact that one.com CEO reads this forum.

    Or LET, where it was also posted, because OP is an attention-whore.

    Nah, Sunny is ok. He is so called "eccentric person".

    Push-up slut.

    Snicker barbell curler <_<

  • @legendary said:
    This may prove the fact that one.com CEO reads this forum.

    No.
    I contacted chat support.

    @BarryHercules said:
    OP is an attention-whore.

    Maybe.

    @legendary said:
    He is so called "eccentric person".

    Yes.

    @BarryHercules said:
    Push-up slut.

    No, it's Team push-ups.
    Members of Team push-ups include @yoursunny , @FrankZ , @Erisa , and @Astro .

    @legendary said:
    Snicker barbell curler <_<

    We don't curl in squat rack.

    Thanked by (1)Erisa

    Hammer the cores and blast the ports with no mercy.

  • edited April 6

    @yoursunny said: No, it's Team push-ups.
    Members of Team push-ups include @yoursunny , @FrankZ , @Erisa , and @Astro .

    #GoTeamPush-ups

    Cut me a little slack for the hashtag. It's been 23 days since my last bus post on LES.

    Thanked by (1)yoursunny

    Certainement qui est en droit de vous rendre absurde, est en droit de vous rendre injuste - Voltaire

Sign In or Register to comment.