IETF Logo Mail Archive

Re: [DNSOP] Verifying TLD operator authorisation

Nick Johnson <nick@ethereum.org> Wed, 19 June 2019 22:28 UTC

Return-Path: <nick@ethereum.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD4D0120189 for <dnsop@ietfa.amsl.com>; Wed, 19 Jun 2019 15:28:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ethereum.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U9GT_ieCkewX for <dnsop@ietfa.amsl.com>; Wed, 19 Jun 2019 15:28:22 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66EA8120052 for <dnsop@ietf.org>; Wed, 19 Jun 2019 15:28:22 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id e3so1504723edr.10 for <dnsop@ietf.org>; Wed, 19 Jun 2019 15:28:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ethereum.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=veAOxGNjFhzAdzXQC/swxED7mWLNoqltWkhIbnhpFfI=; b=Zm7GY2lxYZ3Q2JrDDwaDed+rAOtxrwTa36xwViU1uflbKSCSNXuRqV0cWPM8hvykpA sZ7VVfCfYXDUJFZ6+UYC4ouj87mcNMAN22HvAT62LmXTIS9x387YQmGYNF8OwxBjnZdi iPOWl2Gvyz6dJhwAec3kIIyUbg6zrKdqUdwcg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=veAOxGNjFhzAdzXQC/swxED7mWLNoqltWkhIbnhpFfI=; b=Ra4QslwtMHoZzZjN/IRdvb3X4Yt1Q1pqmeE6nFyvYqHbWfXP7HxDvTW0+JTFk4X0yf nJoRfEQ0KFtDt3qlRhNpvy00qLJZc8xva6n7SsKthjA9nHA7lKt7Bj/Z7EF8C3KgdSz8 PUKAzCkc5XpePrKRqrvDfBm27gar0slgOihGeGRBIcrQ4ULFImIgoRBWaXZdas9P18Eb Avlaq6KtWtfxAIL4edenl5bTpi7cZfzdmyfXIlstXIN/+FZsoQay00JMI0fuS8IsRENg Zs3GoTIVhtU1KX4uphMnTthTAcd5WZVCRGo7y3C5TGToyDdK1FsFmK6VLAoGf4KYvhPS 3h/g==
X-Gm-Message-State: APjAAAUKhhil/UUt//Ebww1r9W/J/q5xIdmtkBUdr0NmXSOa5GHhGtsP 7YYHIcl39xMC7HHy+M562XjNOQIBXPEzFSpyXmgQeQ==
X-Google-Smtp-Source: APXvYqxLrClNVJVyg4dzadQ0rGcI8PM9gMXFyXW9dEEWSX7UoXfVHtZvepVrdmwjVWxl16p4ONm5iYkAlqM9WLtiDqg=
X-Received: by 2002:a50:8dc5:: with SMTP id s5mr135488857edh.138.1560983300930; Wed, 19 Jun 2019 15:28:20 -0700 (PDT)
MIME-Version: 1.0
References: <CAFz7pMvkQUz78Qow03RsFKHof3nrnGu3BUwUP0zstWgVtP3Msw@mail.gmail.com> <tqjbSfSi2Kv3DHpi6nBJVi2e6tCZFTdVyrKpxiud2348@mailpile> <4353B4DB-3F05-44B7-8272-A07EAF73B009@rfc1035.com>
In-Reply-To: <4353B4DB-3F05-44B7-8272-A07EAF73B009@rfc1035.com>
From: Nick Johnson <nick@ethereum.org>
Date: Thu, 20 Jun 2019 10:28:08 +1200
Message-ID: <CAFz7pMsAZvUybb=i50s4woCacZiFY938s-UVb5rMPSC-Fx27pw@mail.gmail.com>
To: Jim Reid <jim@rfc1035.com>
Cc: Bjarni Rúnar Einarsson <bre@isnic.is>, dnsop WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000271c8c058bb4bf08"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/GGkbvK018mQafUN1cl8p9w6IDqU>
Subject: Re: [DNSOP] Verifying TLD operator authorisation
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jun 2019 22:28:25 -0000

On Tue, Jun 18, 2019 at 10:15 PM Bjarni Rúnar Einarsson <bre@isnic.is>
wrote:

> The SOA record for a TLD contains two DNS names which should be
> under the control of the NIC: that of the primary master
> nameserver, and the e-mail of the responsible administrator
> (which includes a domain name).
>

This seems like an excellent idea - thanks! I'll wait to see what others
have to say.

On Tue, Jun 18, 2019 at 11:28 PM Jim Reid <jim@rfc1035.com> wrote:

>
>
> > On 18 Jun 2019, at 11:13, Bjarni Rúnar Einarsson <bre@isnic.is> wrote:
> >
> > The SOA record for a TLD contains two DNS names which should be
> > under the control of the NIC ...
> > People on this list can probably comment on whether my above
> > assumption is correct, and whether those are good candidates for
> > what you have in mind.
>
> Being able to control a zone’s SOA record (or whatever) means just that.
> No more, no less. It doesn’t mean someone who has that ability also has the
> authority to change the zone’s delegation even though they can manipulate
> the zone contents.
>
> Consider a registry that outsources authoritative DNS service. For
> instance one of the slave servers for .is could mess about with their copy
> of the zone file. [Admittedly breaking DNSSEC validation unless they also
> had access to the appropriate private key.] Modifying the SOA record
> doesn’t give that misbehaving slave provider authority to go to IANA and
> get the .is delegation changed even if they can make the SOA record or
> whatever “look right” in support of their bogus change request.
>

I think I addressed this upthread: If someone has the ability to change a
zone's DNS records and generate valid DNSSEC signatures for them (which we
will be requiring and verifying), they're sufficiently 'in control' of the
zone that I'm comfortable treating them as the authorised user. If someone
malicious has that control, the TLD owner has much larger problems.

v2.23.0 | Report a Bug | By Email