Re: [DNSOP] Verifying TLD operator authorisation
Rubens Kuhl <rubensk@nic.br> Fri, 14 June 2019 02:51 UTC
From: Rubens Kuhl <rubensk@nic.br>
Message-Id: <945F9411-C904-4CFF-BF67-4808447ED787@nic.br>
Date: Thu, 13 Jun 2019 23:51:02 -0300
In-Reply-To: <CAFz7pMvkQUz78Qow03RsFKHof3nrnGu3BUwUP0zstWgVtP3Msw@mail.gmail.com>
Cc: dnsop@ietf.org
To: Nick Johnson <nick=40ethereum.org@dmarc.ietf.org>
References: <CAFz7pMvkQUz78Qow03RsFKHof3nrnGu3BUwUP0zstWgVtP3Msw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/DQEjRQzAafeGoMckNTt5GxSTe9g>
> On 13 Jun 2019, at 23:18, Nick Johnson <nick=40ethereum.org@dmarc.ietf.org> wrote:
>
> I'm working on a system that needs to authenticate a TLD owner/operator in order to take specific actions. We had intended to handle this by requiring them to publish a token in a TXT record under a subdomain of nic.tld, but it's been brought to our attention that we can't rely on nic.tld being owned by the TLD operators - this is only a reserved domain on ICANN new-gTLDs, not on ccTLDs or older gTLDs.
>
> An alternative is to require a message signed by the TLD's DNSSEC zone signing key, but I'm uncertain whether it's practical for TLD operators to sign arbitrary messages using their keys.
>
> Are there domains that are globally reserved for the operator across all TLDs? If not, does anyone have any recommendations on an alternative authorisation or authentication mechanism?

All TLDs have admin and tech contacts published at https://www.iana.org/domains/root/db/[TLD].html (or port-43 WHOIS if you prefer); send e-mail to both of them, both need to be clicked to confirm TLD ownership. After that, use whatever mutual authentication system you feel like using.

Rubens
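The dual-contact confirmation described in the reply above, as an added example that is not code from the poster or from any project: it assumes the admin and tech contact addresses have already been looked up from the IANA root zone database entry for the TLD, and it replaces actual e-mail delivery with returning the per-contact tokens to the caller. Tokens are independent, single-use and time-limited, and the TLD counts as authorised only once both contacts have confirmed.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # constructed policy value: confirmation links expire after one day


class TldAuthorization:
    """Tracks confirmation state per TLD; only the HMAC of each token is stored server-side."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key      # secret used to derive the stored token digests
        self._clock = clock         # injectable so expiry can be exercised deterministically
        self._pending = {}          # token digest -> (tld, role, issued_at)
        self._confirmed = {}        # tld -> set of roles ("admin", "tech") that confirmed

    def _digest(self, token: str) -> str:
        # Keyed hash of the token: a leaked pending table cannot be replayed as a confirmation.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def start(self, tld: str, admin_email: str, tech_email: str) -> list:
        """Begin (or restart) verification: voids any earlier tokens and confirmations for
        the TLD and issues one fresh token per contact, returned as [(email, token), ...]."""
        self._pending = {d: e for d, e in self._pending.items() if e[0] != tld}
        self._confirmed[tld] = set()
        issued = []
        for role, email in (("admin", admin_email), ("tech", tech_email)):
            token = secrets.token_urlsafe(32)
            self._pending[self._digest(token)] = (tld, role, self._clock())
            issued.append((email, token))
        return issued

    def confirm(self, token: str) -> bool:
        """Consume a token presented by a contact; unknown, reused and expired tokens fail."""
        entry = self._pending.pop(self._digest(token), None)  # pop makes the token single-use
        if entry is None:
            return False
        tld, role, issued_at = entry
        if self._clock() - issued_at > TOKEN_TTL_SECONDS:
            return False
        self._confirmed[tld].add(role)
        return True

    def is_authorised(self, tld: str) -> bool:
        """True only when both the admin and the tech contact have confirmed."""
        return self._confirmed.get(tld, set()) >= {"admin", "tech"}
```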