IETF Logo Mail Archive

Re: [DNSOP] Verifying TLD operator authorisation

Nick Johnson <nick@ethereum.org> Sat, 15 June 2019 23:35 UTC

Return-Path: <nick@ethereum.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F18D120135 for <dnsop@ietfa.amsl.com>; Sat, 15 Jun 2019 16:35:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level:
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ethereum.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JwQuOYZ17Lvh for <dnsop@ietfa.amsl.com>; Sat, 15 Jun 2019 16:35:55 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 610B21200F8 for <dnsop@ietf.org>; Sat, 15 Jun 2019 16:35:55 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id m10so9504132edv.6 for <dnsop@ietf.org>; Sat, 15 Jun 2019 16:35:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ethereum.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tRyMhTEUbbHAMGeYiniOVAKvG7MwbayhdHupSmX4NNg=; b=YXLNYezSMaUwCpLPLIf0UkM0Gm+bxXwwc6p+KjGZzyVN+v+0Fz5NWllVIFizKiY5qO mLh2jqT5s6f5eY8nrnYpPOI//UdZBFKwr6qn1ASrln6kUWRk2tGTcohDTROvgv5JNut1 EXHzrc1s7ZY0W/KiygErVKXtR40Bj1UOm41O4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tRyMhTEUbbHAMGeYiniOVAKvG7MwbayhdHupSmX4NNg=; b=rkcStBWBGhyynFbRyl+dKeh1frxDQdZJwIqamrSAwm0LEgzLT3nQ3DPbcmv9LCgZAt znboYvcC2+PBb3RaMArzFokidwcFumimJWFSQTMGjE4nQyeVUgL1kpEujGHY5nOqpUie x4KKrqNY1/Kxps5/zHPNzU7kfF9eFyn4WPPz4WmzOwfvAGtUw8ED7XphWPjCDFhRawfn BCLtt8fKUOZRpe0kT3CjDD1v4GuhJqmcK0tXXxKjGU5g8w+0lRZaRf3esb6f1I+3G1IQ /pBF444eT5ytPh2zZtGXY6gURonZ6ZjQx4jdI19NGbwww9K3utBq6BBsO1aKgdSZQlsa s1cw==
X-Gm-Message-State: APjAAAVZwmcraXA9kE32Y/at9h9Hi4cZ6IhJ6QBLe6lrVG0RORnqEetl qGNPAQliIiLdjgY+1S0yyh7h7phd4lcnKlGCvbf51/femM4/vwVW
X-Google-Smtp-Source: APXvYqwOioVGO6b2/XQWDUTA7M2bS8RgvX/ROtOOOom4yt7wW0AWCgFydG3IK7hf2k28NQUUzd7aYFBxsTtvLNzNAIw=
X-Received: by 2002:a50:91d4:: with SMTP id h20mr58050224eda.200.1560641753878; Sat, 15 Jun 2019 16:35:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAFz7pMvkQUz78Qow03RsFKHof3nrnGu3BUwUP0zstWgVtP3Msw@mail.gmail.com> <45146059-6b1c-a967-1620-75d3de751e63@time-travellers.org>
In-Reply-To: <45146059-6b1c-a967-1620-75d3de751e63@time-travellers.org>
From: Nick Johnson <nick@ethereum.org>
Date: Sun, 16 Jun 2019 11:35:41 +1200
Message-ID: <CAFz7pMu_QRj-Kdudm6x8=p+gGp9=Eh823Dh+48fGoS4-N3-LxQ@mail.gmail.com>
To: Shane Kerr <shane@time-travellers.org>
Cc: dnsop@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005c9ebd058b6539a6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3--Ny5hg1ttGe1hcfNo3U9Na5oM>
Subject: Re: [DNSOP] Verifying TLD operator authorisation
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Jun 2019 23:35:58 -0000

On Fri, Jun 14, 2019 at 7:12 PM Shane Kerr <shane@time-travellers.org>
wrote:

> Nick,
>
> On 14/06/2019 04.18, Nick Johnson wrote:
> > I'm working on a system that needs to authenticate a TLD owner/operator
> > in order to take specific actions. We had intended to handle this by
> > requiring them to publish a token in a TXT record under a subdomain of
> > nic.tld, but it's been brought to our attention that we can't rely on
> > nic.tld being owned by the TLD operators - this is only a reserved
> > domain on ICANN new-gTLDs, not on ccTLDs or older gTLDs.
> >
> > An alternative is to require a message signed by the TLD's DNSSEC zone
> > signing key, but I'm uncertain whether it's practical for TLD operators
> > to sign arbitrary messages using their keys
> If people are using HSM running in restricted environments, then getting
> them to sign arbitrary records will be hard - by design!
>
> What you're asking for is not something that exists today, so TLD
> operators are not going to have processes for it. That means that it's
> going to be impractical (meaning "this will require process and
> engineering changes, and therefore cost money") for some (if not all)
> TLD operators.
>
> My own advice would be to design a system that works well for the early
> adopters - whichever TLD operators you are talking to now that might be
> interested. You can add additional mechanisms later. In the end you may
> end up with a dozen or so methods, but that shouldn't be surprising
> given the diversity of TLD operators.
>

This seems like good advice - thanks!

Our backup option is of course to manually authenticate and approve each
request. However, one concern we have is that this will make it impossible
to migrate to a more automated system later, since it would presumably
require existing TLDs to add support for whatever system we come up with.


>
> One final note: DNSSEC is not really designed for historical
> attestations. It's designed to give you a trustworthy view of a small
> corner the DNS *right now*. This is a completely different requirement
> from blockchain where the idea is to be able to go back to any (?)
> historical transaction and verify it. So even if you can authenticate
> that someone holds the private material for a DNSKEY today, that won't
> mean anything to someone wanting to audit that 10 years from now. In
> terms of design, you need to find some way to convert the authentication
> that you get today into a historical record (like maybe requiring that a
> significant number of people verify the authentication and put that in
> your blockchain as the historical record).
>

I could be missing something, but I don't see this as an issue here. When a
user makes a claim supported by a DNSSEC signed record, they submit the
record and the signature, along with any keys and signatures further up the
chain of trust required to validate it. Anyone can then come back later and
verify that the request was supported by a valid chain of trust at the time
of submission.

On Sat, Jun 15, 2019 at 12:40 AM Jim Reid <jim@rfc1035.com> wrote:

>
>
> > On 14 Jun 2019, at 03:18, Nick Johnson <nick=
> 40ethereum.org@dmarc.ietf.org> wrote:
> >
> > I'm working on a system that needs to authenticate a TLD owner/operator
> in order to take specific actions. We had intended to handle this by
> requiring them to publish a token in a TXT record
>
> This assumes someone who is able to update the TLD has the authority or
> ability to change the TLD’s delegation. That’s not necessarily true. Think
> of registries who outsource their registry operations and/or DNS service to
> third parties. Such third parties might well be able to edit the zone file
> (or whatever) but that doesn’t necessarily mean the registry authorised or
> requested those changes.
>

I think that, if an outsourced registry operator is inserting DNS records
or making attestations not approved by the TLD owner, they have a problem
of much wider scope. I'm happy with a threat model that expects operators
to be faithfully executing the instructions of the TLD owners.

 On Sat, Jun 15, 2019 at 2:21 AM Stephane Bortzmeyer <bortzmeyer@nic.fr>
wrote:

> On Fri, Jun 14, 2019 at 02:38:11PM +1200,
>  Nick Johnson <nick=40ethereum.org@dmarc.ietf.org> wrote
>  a message of 173 lines which said:
>
> > Indeed - it's my understanding that ICANN forbids publishing anything to
> > the root zone other than necessary records such as SOA, NS and DNSKEY.
>
> You mean the TLD zone?


Sorry, yes I did.

v2.23.0 | Report a Bug | By Email