Resolution against unowned domains

I was playing around with migrating/releasing domains and hit an interesting situation.

I released a domain that had previously been configured with a resolver, but noted this did not update the information in the registry regarding ownership and resolver. So the domain continued to resolve.

Of course, as the domain is unowned it could easily be registered by anyone and the resolution changed. This feels to me to be a bit of a security concern.

It’s easy enough to check if the domain is still registered as part of client-side resolution, but should this be something that is mandated for compliant clients? Highlighted as best practice? Or just ignored as too esoteric to worry about?

Yup, this has been an issue since day 1. We could code the registrar to delete the resolver record when a domain is released, but that wouldn’t fix it for subdomains. It’s actually more of an issue with the new registrar, because you can’t delete an expired domain - it’s just open for anyone else to register.

My own view so far has been that there’s no harm in allowing expired domains to continue to have resolvers, as long as their owners are aware that they’re expired. Communicating that is something we need to do as clearly as possible.

Resolvers can check the registrar and refuse to resolve domains that are expired. That’s definitely an improvement from a security POV, but it also requires special-casing lookups for .eth, and hardcoding in a dependency on the registrar, which isn’t a great solution.
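
The client-side check discussed in this thread, sketched as an added example (not part of either post and not ENS's own code): before trusting a resolver record, find the second-level .eth name that controls it, which also covers subdomains, and refuse if that registration is missing or expired. The registry and registrar here are in-memory stand-ins keyed by plain name strings, where a real client would query the contracts by hash; the function names, names, addresses and expiry times are all constructed for illustration.

```javascript
// Constructed sample data: resolver records stay in the registry after release or expiry.
const registry = new Map([
  ["alice.eth",     { addr: "0xA11CE" }],
  ["pay.alice.eth", { addr: "0xA11CE" }],
  ["old.eth",       { addr: "0x01D" }],
  ["app.old.eth",   { addr: "0x01D" }],   // subdomain of a lapsed name
  ["gone.eth",      { addr: "0x60E" }],   // released, no registration at all
  ["site.xyz",      { addr: "0xC" }],     // not under .eth
]);
// Hypothetical registrar view: .eth label -> expiry (unix seconds).
const registrar = new Map([
  ["alice", 2000000000],
  ["old",   1500000000],                  // lapsed: open for anyone to register
]);

// Return the second-level .eth label that controls `name`, or null when the
// name is not under .eth (this sketch has no registrar to consult for it).
function ethParentLabel(name) {
  const labels = name.toLowerCase().split(".");
  if (labels.length < 2 || labels[labels.length - 1] !== "eth") return null;
  return labels[labels.length - 2];
}

// Resolve `name` at time `now` (unix seconds), refusing when the controlling
// .eth registration is missing or expired even though a resolver record exists.
function resolveChecked(name, now) {
  const record = registry.get(name.toLowerCase());
  if (!record) return { ok: false, reason: "no-resolver" };
  const label = ethParentLabel(name);
  if (label !== null) {
    const expiry = registrar.get(label);
    if (expiry === undefined) return { ok: false, reason: "unregistered" };
    if (expiry <= now) return { ok: false, reason: "expired" };
  }
  // `checked` tells the caller whether an ownership check was possible.
  return { ok: true, addr: record.addr, checked: label !== null };
}
```

The `ethParentLabel` branch is the special-casing for .eth that the reply describes: names under other TLDs resolve with `checked: false` because this client has no registrar to ask about them.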