Zone Transfer Policy Review - Proposed New Policy Submission

From: Steven Heath
Received: 18 March 2004

Please accept this as my submission on the Draft Zone Transfer Policy. Overall I feel that the draft policy has 'lost the plot' with regard to privacy. Most of my submission is to this main aspect with several more minor aspects noted.

Privacy

The zone file only contains name server information and non-authoritative glue records. Or at least it should, as I have never seen the zone file :-)

The draft policy has several references to privacy (3.1, 3.5, and Section B 3.9.4). While I fully believe we should protect the rights and privacy of registrants, I can't see the link between private data and the zone file.

I can only think that privacy is being used as the zone file in 'the wrong hands' could assist someone in, say, blind spamming domain names. The information in the zone file is by definition already public, but the zone file does place all the data in one place.

However, someone could use a web harvester to gain domain names or better yet paying $50-$100 for a CD with 'millions of email addresses' and be completely outside of any .nz policies or regulations. If someone really wanted to do a dictionary spam attack on .nz, do you think they would go via the regulated or unregulated approach? The benefit in gaining the zone file is the reduction in a single step in the process. They would still only have domain names and name servers. This is hardly the keys to the castle.

The zone file is similar to the yellow pages without all the advertising and phone numbers, i.e., just the company name and street address. Where is the private data that is being protected?

Perhaps the privacy aspect is based on a yet to be announced privacy/whois review or some 'sekret' discussions with government or other organisations?

In my original submission I had concerns about people using the zone file data for competitive advantage. However, this is only an advantage as currently no public information is being released about market share. Ergo, if registrar market share information was released then this issue goes away.

Other points

One small note: I think no role for NZOC is required. The zone file transfer aspect, once policy has been approved, is purely operational. NZOC is for policy setting, governance and oversight, not operational day to day events.

I do agree in general that any person or organisation (the draft implies only body corporates will be allowed to access the zone file based on possible process outlined in Section B) should ensure that the zone file is not released 'into the wild'. However, the zone file being deleted after use (3.8) would well impact the long term review of trends etc in the zone file. A new report or filter could be used and having the older zone files deleted would mean that no ability to compare current with previous data could be done.

My final comment is with regard to the requirement of 'public good'. I think that the access to the zone file must have a valid reason. Just requesting it so they can 'go over it' is not acceptable in my opinion. While the results may not be public, I do think that the 'curiosity' factor has no place in .nz zone transfers.