Re: [DNSOP] Verifying TLD operator authorisation

Rubens Kuhl <rubensk@nic.br> Fri, 14 June 2019 02:51 UTC

From: Rubens Kuhl <rubensk@nic.br>
Message-Id: <945F9411-C904-4CFF-BF67-4808447ED787@nic.br>
Date: Thu, 13 Jun 2019 23:51:02 -0300
In-Reply-To: <CAFz7pMvkQUz78Qow03RsFKHof3nrnGu3BUwUP0zstWgVtP3Msw@mail.gmail.com>
Cc: dnsop@ietf.org
To: Nick Johnson <nick=40ethereum.org@dmarc.ietf.org>
References: <CAFz7pMvkQUz78Qow03RsFKHof3nrnGu3BUwUP0zstWgVtP3Msw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/DQEjRQzAafeGoMckNTt5GxSTe9g>
Subject: Re: [DNSOP] Verifying TLD operator authorisation


> On 13 Jun 2019, at 23:18, Nick Johnson <nick=40ethereum.org@dmarc.ietf.org> wrote:
> 
> I'm working on a system that needs to authenticate a TLD owner/operator in order to take specific actions. We had intended to handle this by requiring them to publish a token in a TXT record under a subdomain of nic.tld, but it's been brought to our attention that we can't rely on nic.tld being owned by the TLD operators - this is only a reserved domain on ICANN new-gTLDs, not on ccTLDs or older gTLDs.
> 
> An alternative is to require a message signed by the TLD's DNSSEC zone signing key, but I'm uncertain whether it's practical for TLD operators to sign arbitrary messages using their keys.
> 
> Are there domains that are globally reserved for the operator across all TLDs? If not, does anyone have any recommendations on an alternative authorisation or authentication mechanism?

All TLDs have admin and tech contacts published at https://www.iana.org/domains/root/db/[TLD].html (or port-43 WHOIS if you prefer); send e-mail to both of them, both need to be clicked to confirm TLD ownership.
After that, use whatever mutual authentication system you feel like using.


Rubens
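The check Rubens describes (look up the TLD's administrative and technical contacts in the IANA root database, e-mail each one a confirmation link, and treat the TLD as verified only when both links have been clicked) can be implemented along these lines. This is an added example written for this page, not code from either poster or from IANA. It assumes the key/value layout of a port-43 reply from whois.iana.org ("contact: administrative" and "contact: technical" blocks, each with an "e-mail:" line); the sample reply embedded below is constructed with placeholder addresses so the example runs offline, and the `fetch_iana_whois` helper is only provided for a live lookup and is not called here.

```python
import hmac
import re
import secrets
import socket
import time
from dataclasses import dataclass, field

# Constructed sample of a port-43 reply from whois.iana.org for a TLD.
# The field names follow the IANA layout assumed above; the values are
# placeholders, not the contacts of any real TLD.
SAMPLE_IANA_WHOIS = """\
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org

domain:       EXAMPLE

organisation: Example TLD Registry (placeholder)

contact:      administrative
name:         Admin Contact (placeholder)
organisation: Example TLD Registry (placeholder)
e-mail:       admin@registry.example

contact:      technical
name:         Tech Contact (placeholder)
organisation: Example TLD Registry (placeholder)
e-mail:       hostmaster@registry.example

nserver:      A.NS.EXAMPLE 192.0.2.1
status:       ACTIVE
"""

REQUIRED_ROLES = {"administrative", "technical"}


def fetch_iana_whois(tld, timeout=10):
    """Live lookup (RFC 3912 style): send the TLD plus CRLF to port 43 of
    whois.iana.org and return the reply. Not used by the offline demo."""
    with socket.create_connection(("whois.iana.org", 43), timeout=timeout) as s:
        s.sendall(tld.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_iana_contacts(text):
    """Return {'administrative': email, 'technical': email} from an IANA
    whois reply. A missing role is simply absent, never defaulted."""
    contacts = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^([a-z-]+):\s*(.*)$", line)
        if not m:
            continue  # comment lines ('%') and blank lines
        key, value = m.group(1), m.group(2).strip()
        if key == "contact":
            current = value.lower()
        elif key == "e-mail" and current in REQUIRED_ROLES:
            contacts[current] = value.lower()
    return contacts


@dataclass
class Challenge:
    tld: str
    expires_at: float
    tokens: dict          # role -> secret token, each mailed to one contact
    confirmed: set = field(default_factory=set)


def issue_challenge(tld, contacts, ttl_seconds=24 * 3600, now=None):
    """Create one independent random token per required contact role.
    Independent tokens mean a single mailbox cannot satisfy both roles
    unless IANA lists that same address for both."""
    if not REQUIRED_ROLES <= set(contacts):
        raise ValueError("IANA record lacks an administrative or technical contact")
    now = time.time() if now is None else now
    tokens = {role: secrets.token_urlsafe(32) for role in REQUIRED_ROLES}
    return Challenge(tld=tld.lower(), expires_at=now + ttl_seconds, tokens=tokens)


def confirm(challenge, role, presented, now=None):
    """Record a confirmation for one role. Rejects expired challenges,
    unknown roles, and wrong tokens (constant-time comparison)."""
    now = time.time() if now is None else now
    if now > challenge.expires_at:
        return False
    expected = challenge.tokens.get(role)
    if expected is None or not hmac.compare_digest(expected.encode(), presented.encode()):
        return False
    challenge.confirmed.add(role)
    return True


def is_authorised(challenge, now=None):
    """True only when both contacts confirmed and the window is still open."""
    now = time.time() if now is None else now
    return now <= challenge.expires_at and REQUIRED_ROLES <= challenge.confirmed


if __name__ == "__main__":
    contacts = parse_iana_contacts(SAMPLE_IANA_WHOIS)
    ch = issue_challenge("example", contacts, now=0.0)
    confirm(ch, "administrative", ch.tokens["administrative"], now=10.0)
    print("admin only:", is_authorised(ch, now=10.0))   # False
    confirm(ch, "technical", ch.tokens["technical"], now=20.0)
    print("both:", is_authorised(ch, now=20.0))         # True
```

Two design points worth keeping if this is adapted: the tokens are generated with `secrets` and compared in constant time, and each role has its own token, so a confirmation from one mailbox can never be replayed against the other role; the expiry is checked both when a token is presented and when the final decision is made, so a half-finished challenge cannot be completed weeks later.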