> Also, I'll put my money where my mouth is. If you can make any changes to a domain that is not yours or a friend's via our help desk, I will send you 10k USD, no questions asked.
> and to clarify, said account must be protected by 2fa to begin with.
I appreciate what he's trying to say... but perhaps he should instead recommend that white-hats create a test account and try to access it without using the 2FA mechanism.
I think that's reasonable. I was thinking in terms of cutting out the gaming aspect when I made that statement. I probably should have been more specific. The premise of the entire conversation was based on someone making an unjustified accusation without even following it through and testing it to begin with.
>without even following it through and testing it to begin with
You do realize that many companies will prosecute people just "following through and testing it", right?
Though the person you did say it to very likely has an international warrant out for them anyway for pissing off the DoD, so I guess it's all water under the bridge.
They could have started with their own account, of course, and then documented it, but they didn't even bother with that before making some baseless statements.
Inserting a TXT entry isn't a harmless change these days, because it's one way to authenticate ownership of a domain. Like recovering a Google Apps admin login.
It may or may not make a difference with what happens in the court system, but I assure you there is a set of people who think the tweet would be permission to hijack a domain. And some of that set overlaps with the group that might accept the $10k challenge. Whether they actually follow through and are able to, hopefully not.
A bug bounty really ought to be thought out carefully.
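An added example (not part of the thread) for the point above that a new TXT entry can serve as proof of domain ownership: a zone-snapshot diff that flags newly added TXT records shaped like ownership proofs. The zone data is constructed, and the pattern list is a small illustrative subset (Google site verification, Microsoft 365, ACME DNS-01), not a complete catalogue.

```python
import re

# Constructed zone snapshots (example.test is a reserved name; values are made up).
BEFORE = '''\
example.test. 3600 IN TXT "v=spf1 -all"
www.example.test. 3600 IN A 192.0.2.10
'''
AFTER = '''\
example.test. 3600 IN TXT "v=spf1 -all"
example.test. 3600 IN TXT "google-site-verification=CONSTRUCTEDTOKEN123"
_acme-challenge.example.test. 300 IN TXT "constructed-dns01-digest"
notes.example.test. 3600 IN TXT "hello"
www.example.test. 3600 IN A 192.0.2.10
'''

TXT_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+TXT\s+(.+)$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Value prefixes that services accept as proof of domain control (illustrative subset).
VALUE_PATTERNS = {
    "google-site-verification": re.compile(r"^google-site-verification=", re.I),
    "microsoft-365": re.compile(r"^MS=ms\d+", re.I),
}

def parse_txt(zone_text):
    """Return {(owner, value)} for TXT lines written as 'name ttl IN TXT "..."'."""
    records = set()
    for line in zone_text.splitlines():
        m = TXT_LINE.match(line.strip())
        if not m:
            continue
        chunks = QUOTED.findall(m.group(2))  # a TXT RDATA may be split into several strings
        value = "".join(chunks) if chunks else m.group(2).strip()
        records.add((m.group(1).lower(), value))
    return records

def classify(owner, value):
    """Name the kind of ownership proof a TXT record looks like, or None."""
    if owner.split(".")[0] == "_acme-challenge":  # ACME DNS-01 uses the owner label
        return "acme-dns-01"
    for kind, pattern in VALUE_PATTERNS.items():
        if pattern.search(value):
            return kind
    return None

def new_ownership_proofs(before, after):
    """TXT records present only in `after` that match an ownership-proof shape."""
    added = sorted(parse_txt(after) - parse_txt(before))
    return [(o, v, classify(o, v)) for o, v in added if classify(o, v)]

if __name__ == "__main__":
    for owner, value, kind in new_ownership_proofs(BEFORE, AFTER):
        print(f"ALERT {kind}: {owner} TXT {value!r}")
```

Run against periodic exports of your own zone, any hit that does not correspond to a change you made is worth treating as a possible account or DNS compromise.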
>I assure you there is a set of people who think the tweet would be permission to hijack a domain. And some of that set overlaps with the group that might accept the $10k challenge.
And then from all those people you'd still need to find someone who 1) would successfully pull it off and 2) be stupid enough to demonstrate this in a damaging manner.
It’s also worth noting that this offer was made to only one person.
Arguably the offer was made to everyone. I don't know about your other point because, like I said in my post, I think those people may exist. Perhaps you don't, but, you kind of made the initial statement that it doesn't matter, right? So isn't it on you to prove it?
Namecheap's primary business is as a domain registrar. Sensible customers don't let their domain registrar act as their authoritative DNS, you'd need to change something else; but maybe mild defacement of the contact name or address in whois would qualify, without being harmful.
You want to be able to switch registrars whenever it's convenient. But if your registrar is also your authoritative DNS and your webhosting, it makes it inconvenient to switch registrars.
Switching DNS is not harder than switching registrars, and keeping them in the same place is reasonable if that provider offers good service for both or you want to avoid the additional complexity of an additional vendor.
I thought your original comment made it sound like there was some obvious reason for keeping DNS and registrars separate.
Switching DNS is harder than switching registrars, because there are more records, and you have to transfer them, and you ideally want the old service to send NS records pointing to the new service, and the old service should be cancelled only after sufficient DNS traffic has moved to the new service. For a seamless transition, you need a period of time with both services active, but some registrars with included nameservice will cancel your nameservice immediately when a domain is transferred to a new registrar; and you likely can't start service at the new registrar in advance either. Recursive resolvers do cache and use glue records, and 2 day TTLs are common at TLDs.
On the other hand, a registrar transfer is usually simple and quick and has no user visible changes. Unlock the domain, get a transfer code, do any confirmation stuff, make sure the glue records didn't change, you're done.
All of those arguments are arguments to use a good DNS provider, not specifically to not put the domain and the DNS on the same provider. I've seen DNS providers remove the namespace the instant they see the domain pointing somewhere else too.
I recommend that you not host DNS with your registrar. And if possible, that you not host DNS with your hosting provider (although, that can be more difficult).
If you have a high value domain, you might want to look for a corporate registrar, like MarkMonitor or CSC, or anyone else who can do Registry locks (which are very different than registrar locks and are rather inconvenient, but potentially very useful); but know it's going to be expensive. I also had a good corporate experience with register.eu, they've got a lot of ability to satisfy foreign presence needs for restricted TLDs, if that's something you need/want. If it's a low value domain (like my personal domains), I don't have strong feelings, except for the love of whatever you hold dear, don't use Network Solutions; they were a fine choice when they were the only choice, but ever since we had options, they should have been used. A lot of registrars are really pushy with upsells and whatnot, so I've tried to go with no-fuss registrars over the years.
In terms of DNS services, I don't have any particular recommendations; I personally run my primary DNS on my hosted machine and secondary with Hurricane Electric, which is free for my usage. There are (or were) several free secondary DNS services out there, but the one I used to use stopped maintaining their website (TLS 1.0 only, certificate issued 2014, expired 2015) and I already had an account with HE's tunnel broker, so it seemed like a reasonable choice. I still have a domain I host for a friend that uses that old service, because I can't get my friend to update the glue records at her registrar; the service still works enough, I guess.