[DBWG] Making mnt-by mandatory on person objects

Michel ODOU michel.odou at afrinic.net
Tue Dec 13 12:10:36 UTC 2016


Hi David,

Thanks for your message. I did some research from a recent dump of the
database:


==============
Person objects
==============


               | Protected | Not protected
---------------|-----------|---------------
Referenced     |      1938 |          6071
---------------|-----------|---------------
Not referenced |       725 |          6992


Total: 15726


* 1938 objects (12.3%) are protected and referenced. In an ideal world,
they would be the only ones present in the database.

* The 725 objects (4.6%) protected but not referenced are OK. They are
not used but are harmless.

* The 6992 objects (44.4%) not protected but not referenced could
probably be automatically deleted after a decent delay (1 week? 1
month?). Some of them are just test results or forgotten.

* The 6071 (38.6%) that are referenced BUT not protected are the real
issue here. These objects could be hijacked but we have no easy way to
prevent that (we could use AFRINIC-HM-MNT to protect them and un-block
on a case by case basis but this does not really scale).



============
Role objects
============

Here is the same analysis for the role objects:
# role objects: 786


               | Protected | Not protected
---------------|-----------|---------------
Referenced     |       141 |            39
---------------|-----------|---------------
Not referenced |       179 |           427


Total: 786


I still have to check whether the 39 role objects that are not protected
but referenced have all their person objects protected.

As for your proposals, they make sense. Let's wait for more feedback though.

Regards,
Michel


On 05/12/2016 19:35, fransossen at yahoo.com wrote:
> 
> 
>  
> Hi list,
> 
> I noticed that person objects can be created and then referenced away in the AFRINIC Database without any maintainer listed on them as mnt-by, which means they also can get updated without any maintainer.
> 
> This is at the moment an issue on potential data quality and nuisance but will become an even greater issue once the transfer policy kicks in, as "hijacking" a person will be rather easy, simply change the email address and place a maintainer under your control on the person object, it doesn't give you the maintainer listed on the resources...but you're almost there.
> 
> 
> An immediate action that could be taken is that AFRINIC does not allow resources to be issued to organisations that have unprotected person objects; basically, if a person's nic-hdl is listed in myAFRINIC, it must have a mnt-by.
> 
> Any nic-hdl referenced on resources issued by AFRINIC *must* have a mnt-by, if the nic-hdl referenced is a role object, all persons within that role object must have an mnt-by:
> 
> This can be pointed out in the very first interaction with the LIR, thus not delaying anything in most cases.
> Further actions would need to be taken to clear up all the objects without maintainer that already exist and will not have contact with the hostmasters for the coming period of time, but that's the part that requires planning. 
> 
> I haven't looked up the numbers, so I do not know the size of the issue, I just noticed that some LIRs old and new had that issue in their records.
> 
> 
> 
> Cheers,
> David Hilario
> 
> 
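
Added example, not part of the original thread and not AFRINIC's own tooling: a Python version of the audit discussed above, which buckets person or role objects by referenced/protected and lists roles that name persons without a mnt-by. The sample dump, its handles, and the choice of admin-c/tech-c/zone-c as the attributes that count as a reference are assumptions.

```python
from collections import Counter

REF_ATTRS = {"admin-c", "tech-c", "zone-c"}  # assumption: what counts as a reference
# Constructed sample dump (not real AFRINIC data); blank lines separate objects.
SAMPLE_DUMP = """\
person:  Alice Example
nic-hdl: AE1-EXAMPLE
mnt-by:  EXAMPLE-MNT

person:  Bob Example
nic-hdl: BE1-EXAMPLE

person:  Carol Example
nic-hdl: CE1-EXAMPLE

role:    Example NOC
nic-hdl: EN1-EXAMPLE
admin-c: AE1-EXAMPLE
tech-c:  BE1-EXAMPLE

inetnum: 192.0.2.0 - 192.0.2.255
admin-c: EN1-EXAMPLE
"""

def parse_objects(dump):
    """Return each object as a list of (attribute, value) pairs."""
    objects = []
    for block in dump.strip().split("\n\n"):
        # Keep only "attr: value" lines; skip comments and continuation lines.
        pairs = [ln.split(":", 1) for ln in block.splitlines() if ln[:1].isalpha() and ":" in ln]
        if pairs:
            objects.append([(a.strip().lower(), v.strip()) for a, v in pairs])
    return objects

def audit(objects, cls):
    """Count objects of class cls by (referenced, protected by mnt-by)."""
    referenced = {v.upper() for o in objects for a, v in o if a in REF_ATTRS}
    return Counter((dict(o).get("nic-hdl", "").upper() in referenced, "mnt-by" in dict(o))
                   for o in objects if o[0][0] == cls)

def roles_with_unprotected_persons(objects):
    """Map each role's nic-hdl to the unprotected person handles it lists."""
    weak = {dict(o).get("nic-hdl", "").upper() for o in objects
            if o[0][0] == "person" and "mnt-by" not in dict(o)}
    found = {}
    for o in objects:
        refs = {v.upper() for a, v in o if a in REF_ATTRS} & weak
        if o[0][0] == "role" and refs:
            found[dict(o).get("nic-hdl", "").upper()] = sorted(refs)
    return found
```

The `(True, False)` bucket returned by `audit(objects, "person")` corresponds to the "referenced BUT not protected" cell in the tables above.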
