Nominet module now requires TLS 1.2

[Lowreg]

Hi

 

from September Nominet now requires TLS 1.2 and won’t connect with current 1.1 settings. 

 

Is is there anyway this can be updated? All the tech info on Nominet web site. 

 

Thanks in advance

 

ant

[WHMCS John]

Hi @Lowreg,

Our development team also received today's communication from Nominet and have reached out to Nominet to get clarification on if there will need to be any changes made to the product for the upcoming change. If there are, those changes will be made available well ahead of the September date.

[brian!]

1 hour ago, WHMCS John said:

Our development team also received today's communication from Nominet

I think it was first announced four weeks ago - I know I got an email from Nominet at the end of May.

https://registrars.nominet.uk/news/system-announcements/1781

[WHMCS John]

Hi all,

The Nominet module in 7.6 RC-1 has been updated to require TLS 1.2 connections.

Please join us in testing the module during the pre-release period, and provide your feedback (positive and negative) in our 7.6 Beta Discussion Forum

Thanks!

[redit]

Do you know if you have also included the new 'Domain Watch' system that Nominet currently have in Pilot stage?

[WHMCS John]

Hi @redit,

"Domain Watch" is not a feature currently planned to be added to the Nominet module.

However we welcome feature requests online at http://requests.whmcs.com

Feel free to suggest this as a new idea for comment and voting upon by other WHMCS users.

The more votes an idea receives, the more likely it is to be considered by our development team for potential inclusion in a future feature update.

 

[redit]

Hi @WHMCS John

I don't understand how this could not be on the planned list yet. This is going to be a change to the way that the Nominet API would return results to us as a registrar and at the moment WHMCS will not know how to handle this.

I understand that at the moment this is only a trial and could go the way of most things.

 

[Lowreg]

Great news about TLS 

I don’t think whmcs need to do anything with regards to domain watch. 

 

Thanks whmcs

[brian!]

19 minutes ago, redit said:

This is going to be a change to the way that the Nominet API would return results to us as a registrar and at the moment WHMCS will not know how to handle this.

are you sure that you're correct on that.

Quote

Domain Watch is an anti-phishing initiative to further increase the security of the .UK zone and protect .UK end users from malicious phishing activity. Following the introduction of Domain Health – a free service for registrars to reduce the levels of abuse in .UK – our analysis has shown that a large proportion of the technical abuse seen relates to phishing activity. In response, we are piloting Domain Watch, to quickly identify and suspend newly registered domains that are obvious phishing attempts.

I assume by results you don't mean search results, but notification of a newly registered domain being suspended by Nominet ?

[redit]

Hi @brian!

Quote

• Domain Watch analyses domains using technical algorithms and manual intervention

 

• For any suspended domains, Registrars will receive a workflow commenced message (type: notification reason: <msg>Domain Watch process commenced notification</msg>) via the usual channels (EPP and/or email – notification settings can be set within Online Services on a per tag basis)

 

• If a domain is suspended, the registrant will receive an email informing them of what has happened, together with the next steps required if they feel the suspension was not correctly applied

 

• Domains that are suspended by Domain Watch will only be unsuspended if the registrant is able to confirm the legitimate use of the domain to our satisfaction

So Nominet are going to start sending an EPP/API message informing us that "Domain Watch" has kicked in, I guess I could have worded this better to something more like a question along the lines of "How is WHMCS going to deal with these messages from Nominet then?"

[brian!]

wouldn't this be a unique situation in that upto this point, Nominet just replies to API requests from WHMCS, e.g renew, modify etc... this DW notification would come out of the blue with no prior request from WHMCS.

with this being a six-month trial, I wouldn't expect WHMCS to do anything about it in the short-term, e.g during the trial... and possibly not at all... personally, I can't see any advantage to dealing with this within WHMCS as I doubt we're going to be swamped with phishing suspensions.

[redit]

From what I understand (and I could be wrong as I missed the Webinar on this) if you buy or renew your .uk domain nominet could then send back this 'Domain Watch' status which I'm guessing would then be passed to you when you run your domain sync cron. This then basically should lock the domain until such time as either the domain is released or removed either way I would have thought that we as the registrar should be able to handle this.

[brian!]

Hi @redit,

7 hours ago, redit said:

From what I understand (and I could be wrong as I missed the Webinar on this)

me too - will try to catch it when it's uploaded...

7 hours ago, redit said:

if you buy or renew your .uk domain nominet could then send back this 'Domain Watch' status which I'm guessing would then be passed to you when you run your domain sync cron. This then basically should lock the domain until such time as either the domain is released or removed either way I would have thought that we as the registrar should be able to handle this.

my reading of DW is that it's acting independently of the renewal process, and a message is triggered when a domain becomes suspended by it, not in a reaction to a renewal or at registration time or a domain sync... e.g you can't query the DW status - now I could well be wrong as I too missed the webinar.

in the email I got from Nominet today, stating that DW pilot had gone live, in the "What action do I need to take?" section, it just states...

Quote

• Registrars should ensure their systems can accommodate the new “workflow commenced” notification reason that is now in production.
• New type: notification reason: <msg>Domain Watch process commenced notification</msg>
• For more information about our tools that are available to help all .UK registrars to combat cybercrime on domains managed by them, or if you have any questions, please contact us

as I said previously, with it being just a trial at the moment, I would imagine that this won't be high on any WHMCS development plans in the near future.

[redit]

Hi @brian!

I'm guessing you and I are both reading the same eMail.

19 hours ago, brian! said:

my reading of DW is that it's acting independently of the renewal process, and a message is triggered when a domain becomes suspended by it, not in a reaction to a renewal or at registration time or a domain sync... e.g you can't query the DW status - now I could well be wrong as I too missed the webinar.

If this is then the case would not the Domain sync need to pick this up for us?

Again I agree that this is still a pilot and agree that maybe I'm jumping the gun in trying to get this added but would have 'liked' WHMCS to have it on the radar so to speak.

 

[brian!]

Hi @redit

2 hours ago, redit said:

I'm guessing you and I are both reading the same eMail.

looks like it.

2 hours ago, redit said:

If this is then the case would not the Domain sync need to pick this up for us?

that really depends if DW status can be queried in that sense - interestingly, I don't know how domain sync would react to a suspended .uk domain... must have a play with that one day (I don't use the default DomSync)... a DW-affected domain will be suspended, but whether it gives DW as the reason, or what the status is changed to in tbldomains, I don't know.

perhaps, now that the AGM is over, they'll start publishing any videos from the event and the previous webinars.

2 hours ago, redit said:

Again I agree that this is still a pilot and agree that maybe I'm jumping the gun in trying to get this added but would have 'liked' WHMCS to have it on the radar so to speak.

with regards to WHMCS and Nominet, the biggest weapon we have are enforced deadlines.... so the main (only?) reason that WHMCS are making the TLS 1.2 change NOW is because it's being forced upon them by Nominet as there is a deadline they have to meet (first week of September 2018 if memory serves)... without that deadline, they'd have probably gotten around to such a change, but at their usual development pace.... WHMCS have missed Nominet deadlines in the past with their updates - oh what fun that was!

for something like DW, which is a pilot, it's a very niche issue for WHMCS (e.g only affecting Nominet module users, and only concerns the suspension of domains in hopefully rare phishing circumstances) - hence why John suggested the feature request route... if you created such a request, i'd raise an eyebrow if it got more than 5 votes in those six months of the pilot... my jaw might drop if it got over ten!

that doesn't mean you shouldn't create a request, just do so with low expectations of a positive end result occurring soon.

I suppose if the DW status is returned in a domain sync, then the feature has got more likelihood of being added to the core program... if it doesn't, and any feature request gets a low number of votes, then I wouldn't realistically expect it to be added... but only Nominet will ultimately decide that.

[brian!]

here's the video of the Nominet Domain Watch webinar...

[redit]

Thanks @brian! I'll watch it when I get a few minutes to myself

[Chris74]

Does anyone know if it's ok to upload the 7.6 Nominet module to a 7.5 installation? I'm not ready to update to 7.6 yet and I missed the notifications about the TLS 1.2 requirement.

 

Edit... That appears to have worked so far.

Edited September 4, 2018 by Chris74

[Bertie]

Has this got to do anything with why today we are getting the following:

Registrar Error
Connecting to tls://epp.nominet.org.uk:700.
The error message was '' (code 0)

Still using 7.5 at the moment. Was working fine yesterday and typically it would indicate a firewall problem but this has been double checked. 

Edit: Looks like that is the case. Is it safe to do what Chris did above? Not ready to move to 7.6 at the moment?

Edited September 4, 2018 by Bertie

[redit]

The Nominet TLS Strengthening is not due to come into place until 1600hrs today so I would guess that this could be something else.

Or Nominet have done this earlier than planned which is not like them at all.

As for the Nominet Module with v7.5 it should be fine as I would of thought that as long as your system is able to use the TLS 1.2 ciphers the handshake and communications event will still happen.

 

[Bertie]

12 minutes ago, redit said:

The Nominet TLS Strengthening is not due to come into place until 1600hrs today so I would guess that this could be something else.

Or Nominet have done this earlier than planned which is not like them at all.

As for the Nominet Module with v7.5 it should be fine as I would of thought that as long as your system is able to use the TLS 1.2 ciphers the handshake and communications event will still happen.

 

It seems they may have done it earlier because I uploaded the Nominet module from 7.6 and uploaded it on 7.5 and it started working straight away again. 

[redit]

I'm sorry but it look like my original post was wrong (and I even had it in the diary for 1600hrs tonight)

Quote

From 4 September 2018 you will need to use TLS 1.2 for your EPP connections and connections attempted using lower TLS levels will fail.

https://info.nominet.uk/4CYI-BVAE-54XJZRH76/cr.aspx

Looks like the update was done this morning between 0800 & 0900 BST

I can only say I'm sorry for the incorrect information but I'm glad that you got it sorted.

 

[Bhondawe30]

Hi @redit

Thanks for the answer, It will be helpful for me.