[DNSOP] Verifying TLD operator authorisation

Nick Johnson <nick@ethereum.org> Fri, 14 June 2019 02:18 UTC

From: Nick Johnson <nick@ethereum.org>
Date: Fri, 14 Jun 2019 14:18:01 +1200
Message-ID: <CAFz7pMvkQUz78Qow03RsFKHof3nrnGu3BUwUP0zstWgVtP3Msw@mail.gmail.com>
To: dnsop@ietf.org
Content-Type: multipart/alternative; boundary="0000000000003e06cc058b3f4239"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AX5D3cqSTWF69pAWqu5Pn6SGXDs>

I'm working on a system that needs to authenticate a TLD owner/operator in
order to take specific actions. We had intended to handle this by requiring
them to publish a token in a TXT record under a subdomain of nic.tld, but
it's been brought to our attention that we can't rely on nic.tld being
owned by the TLD operators - this is only a reserved domain on ICANN
new-gTLDs, not on ccTLDs or older gTLDs.

An alternative is to require a message signed by the TLD's DNSSEC zone
signing key, but I'm uncertain whether it's practical for TLD operators to
sign arbitrary messages using their keys.

Are there domains that are globally reserved for the operator across all
TLDs? If not, does anyone have any recommendations on an alternative
authorisation or authentication mechanism?

-Nick Johnson
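One way to implement the TXT-token check the message describes, as an added example that is not code from the original post or any project: parse the resolver's wire-format answer, accept it only when the AD bit shows it was DNSSEC-validated, and accept the token only at the exact owner name queried. The owner name `_auth.nic.<tld>` and the sample answers are constructed for illustration, and the AD bit is assumed to come from a trusted validating resolver over a trusted channel; as the post notes, the check proves control of that name only, not of the TLD itself where nic.tld is not operator-controlled.

```python
import struct
def encode_name(name):
    """Encode a dotted name in DNS wire format (uncompressed)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    ln = msg[off]
    if ln & 0xC0 == 0xC0:                          # compression pointer (RFC 1035)
        ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        return read_name(msg, ptr)[0], off + 2
    if ln == 0:
        return "", off + 1
    label = msg[off + 1:off + 1 + ln].decode("ascii")
    rest, off = read_name(msg, off + 1 + ln)
    return (label + "." + rest if rest else label), off

def build_txt_response(owner, txt_strings, ad=True):
    """Constructed sample answer (header, question, one TXT RR) for offline use."""
    flags = 0x8400 | (0x0020 if ad else 0)         # QR|AA, plus AD when validated
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name(owner) + struct.pack("!HH", 16, 1)        # TXT, IN
    rdata = b"".join(bytes([len(s)]) + s.encode("ascii") for s in txt_strings)
    rr = encode_name(owner) + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return hdr + question + rr

def verify_token(msg, owner, expected):
    """True only if the answer is NOERROR with AD set and a TXT RR at exactly
    `owner` carries `expected`. AD is meaningful only from a trusted validator."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F or not flags & 0x0020:       # RCODE != 0, or AD bit clear
        return False
    off = 12
    for _ in range(qd):                            # skip the question section
        off = read_name(msg, off)[1] + 4
    want = owner.rstrip(".").lower()
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if (rtype, rclass, name.lower()) != (16, 1, want):
            continue
        parts, i = [], 0
        while i < len(rdata):                      # TXT rdata: <len><chars>...
            parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii"))
            i += 1 + rdata[i]
        if "".join(parts) == expected:
            return True
    return False
```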