ISOCNZ responds to security query
Copyright © 1997 to 7am News
ISOCNZ has responded to the security queries raised by Aardvark's
Date: Wed, 22 Jan 1997 18:01:01 +1300 (NZDT)
CHANGE REQUESTS FOR 'YET TO BE MIGRATED' DOMAINS
January 22, 1997
When contacted by you this morning, I indicated that I would look into the operational issue raised, and get back to you with informed comment as soon as possible.
I have now done that, and would like to reassure your readers, and my Registry customers, that there is no 'huge security hole' in the ISOCNZ Registry site.
The issue you raise concerns itself with changes to information the Registry holds on domain names listed prior to July 22 1996, what you describe as 'yet to be migrated' names.
The information that ISOCNZ holds on pre-July names is extremely limited, and all change requests for these names are still processed manually. Names registered after July 22 have an authorisation key assigned, which provides a further layer of security to customers.
It seems to me that some of your readers may be confused about what the Registry web form does, and I need to clarify.
As part of our goal to improve service delivery, changes were introduced to the Registry web pages in late December. These focused on improving navigation for customers as well as improving data collection for the Registry. The changes *did not affect* the underlying *processes* that take place inside the Registry.
The background to those changes was well published, (and still is under 'This weeks Registry news'), and indicates that changes to underlying processes are planned, but for later this year.
The key message for customers is that nothing has changed - there is no new security risk.
When the Registry receives a change request for a pre-July 22 name, a number of checks are carried out. These include looking at who requested the change, where the request originated and what the changes requested are.
If for instance the request is to change the ISP of a pre-July 22 name, both ISP's are informed as an additional check that there is nothing untoward going on. This is one of a range of additional security checks and balances performed by staff and systems.
These checks sometimes appear to slow the process down from the customers perspective. I guess your article reaffirms the need for the ISOCNZ Registry to conduct such procedures to protect the customer and maintain the integrity of the system it is responsible for.
All due care is taken by the Registry in managing changes, particularly to the limited information we have on 'yet to be migrated' names. I believe that staff perform with great diligence and do an excellent job in delivering the Registry service for the .nz space.
Finally, I'll also point out that the Registry is about to commence an active programme to convert pre-July 22 names into 'fully registered' status. This has been signalled on the Registry web pages since the beginning of January as part of the publicised ISOCNZ policy.
Let me assure customers that they are not at risk as the Registry manually processes all change requests to pre-July 22 names. Those customers who wish to gain the added security of an authorisation key should look to convert their name to fully Registered status. This can be achieved by selecting the www.isocnz.org.nz Registry web pages.
When customers have concerns over operational issues such as the one discussed above, their best channel for action is to e-mail the Registry direct at,
It is indeed good to see such reassurances from ISOCNZ and full credit to Patrick O'Brien for his prompt response to this issue. It should be noted that Jim Higgins also returned my calls yesterday afternoon.
What wasn't quite so impressive were allegations posted to the ISOCNZ listserve that Aardvark was "not letting the facts get in the way of a good story". I leave it to readers to determine whether yesterday's article contained factual errors, or whether it legitimately raised the possibility of a problem as pointed out by Aardvark readers. Although the old maxim of attack is the best form of defense may have a place in military strategy, in the real world where PR is important, I think the official response of ISCONZ does the organisation far more credit.
Back to Aardvark Daily...