[DNSOP] Verifying TLD operator authorisation
Nick Johnson <nick@ethereum.org> Fri, 14 June 2019 02:18 UTC
From: Nick Johnson <nick@ethereum.org>
Date: Fri, 14 Jun 2019 14:18:01 +1200
Message-ID: <CAFz7pMvkQUz78Qow03RsFKHof3nrnGu3BUwUP0zstWgVtP3Msw@mail.gmail.com>
To: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AX5D3cqSTWF69pAWqu5Pn6SGXDs>
I'm working on a system that needs to authenticate a TLD owner/operator in order to take specific actions. We had intended to handle this by requiring them to publish a token in a TXT record under a subdomain of nic.tld, but it's been brought to our attention that we can't rely on nic.tld being owned by the TLD operators - this is only a reserved domain on ICANN new-gTLDs, not on ccTLDs or older gTLDs.

An alternative is to require a message signed by the TLD's DNSSEC zone signing key, but I'm uncertain whether it's practical for TLD operators to sign arbitrary messages using their keys.

Are there domains that are globally reserved for the operator across all TLDs? If not, does anyone have any recommendations on an alternative authorisation or authentication mechanism?

-Nick Johnson
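An added example (not code from this thread or from Nick's project) of the TXT-record token check the post describes, written so that it returns a distinct "unverifiable" result for TLDs where nic.<tld> is not reserved for the operator, rather than silently treating control of nic.<tld> as proof. The secret, record name, TLD allowlist and resolver callback are all assumptions constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed per-deployment secret; a real verifier would keep it in a KMS/HSM.
SERVER_SECRET = b"constructed-demo-secret"

# Assumption: TLDs for which nic.<tld> is reserved for the registry operator.
# As the post notes, this holds only for ICANN new gTLDs, so it is an explicit
# allowlist, never "every TLD". The value here is a constructed label.
NIC_RESERVED_TLDS = {"demogtld"}

def _norm(tld: str) -> str:
    return tld.lower().rstrip(".")

def challenge_name(tld: str) -> str:
    """Owner name the operator is asked to publish the token under (assumed label)."""
    return f"_operator-auth.nic.{_norm(tld)}"

def expected_token(tld: str, nonce: str) -> str:
    """Token bound to the TLD and a one-time nonce, so a record copied from
    another zone or replayed from an earlier challenge does not verify."""
    msg = f"{_norm(tld)}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_challenge(tld: str) -> dict:
    nonce = secrets.token_hex(16)
    return {"tld": _norm(tld), "nonce": nonce,
            "name": challenge_name(tld), "token": expected_token(tld, nonce)}

def verify_operator(tld: str, nonce: str, txt_lookup) -> str:
    """Return 'verified', 'failed' or 'unverifiable'.

    txt_lookup(name) -> list of TXT strings; the caller supplies the resolver
    (ideally DNSSEC-validating) so this function stays offline-testable.
    'unverifiable' means the nic.<tld> assumption does not hold for this TLD,
    so the check proves nothing either way and another mechanism is needed."""
    tld = _norm(tld)
    if tld not in NIC_RESERVED_TLDS:
        return "unverifiable"
    want = expected_token(tld, nonce)
    try:
        records = txt_lookup(challenge_name(tld))
    except LookupError:
        return "failed"
    # Constant-time comparison against every string at the name; one match suffices.
    ok = any(hmac.compare_digest(r.strip(), want) for r in records)
    return "verified" if ok else "failed"
```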