IETF Logo Mail Archive

Re: [DNSOP] Verifying TLD operator authorisation

Jim Reid <jim@rfc1035.com> Tue, 18 June 2019 11:27 UTC

Return-Path: <jim@rfc1035.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F8E6120620 for <dnsop@ietfa.amsl.com>; Tue, 18 Jun 2019 04:27:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JjmhbFffH8fI for <dnsop@ietfa.amsl.com>; Tue, 18 Jun 2019 04:27:51 -0700 (PDT)
Received: from shaun.rfc1035.com (smtp.v6.rfc1035.com [IPv6:2001:4b10:100:7::25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01DD4120479 for <dnsop@ietf.org>; Tue, 18 Jun 2019 04:27:50 -0700 (PDT)
Received: from gromit.rfc1035.com (gromit.rfc1035.com [195.54.233.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by shaun.rfc1035.com (Postfix) with ESMTPSA id 6353424205E6; Tue, 18 Jun 2019 11:27:48 +0000 (UTC)
From: Jim Reid <jim@rfc1035.com>
Message-Id: <4353B4DB-3F05-44B7-8272-A07EAF73B009@rfc1035.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_5D709572-CD3C-4BFD-B8D0-0D8B988C5846"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Tue, 18 Jun 2019 12:27:47 +0100
In-Reply-To: <tqjbSfSi2Kv3DHpi6nBJVi2e6tCZFTdVyrKpxiud2348@mailpile>
Cc: dnsop WG <dnsop@ietf.org>
To: Bjarni Rúnar Einarsson <bre@isnic.is>
References: <CAFz7pMvkQUz78Qow03RsFKHof3nrnGu3BUwUP0zstWgVtP3Msw@mail.gmail.com> <tqjbSfSi2Kv3DHpi6nBJVi2e6tCZFTdVyrKpxiud2348@mailpile>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IYfQg3nCsgAPDlhP5fK1LNdCT0Y>
Subject: Re: [DNSOP] Verifying TLD operator authorisation
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jun 2019 11:28:02 -0000


> On 18 Jun 2019, at 11:13, Bjarni Rúnar Einarsson <bre@isnic.is> wrote:
> 
> The SOA record for a TLD contains two DNS names which should be
> under the control of the NIC ...
> People on this list can probably comment on whether my above
> assumption is correct, and whether those are good candidates for
> what you have in mind.

Being able to control a zone’s SOA record (or whatever) means just that. No more, no less. It doesn’t mean someone who has that ability also has the authority to change the zone’s delegation even though they can manipulate the zone contents.

Consider a registry that outsources authoritative DNS service. For instance one of the slave servers for .is could mess about with their copy of the zone file. [Admittedly breaking DNSSEC validation unless they also had access to the appropriate private key.] Modifying the SOA record doesn’t give that misbehaving slave provider authority to go to IANA and get the .is delegation changed even if they can make the SOA record or whatever “look right” in support of their bogus change request.

2FA on changes to TLD delegations is a good thing. However I doubt this can be done safely through a mechanism that relies on a magic token being present or absent from the TLD itself. That approach changes the threat model and introduces new attack vectors. These need careful consideration and testing. DNSSEC signing helps of course but isn’t necessarily a magic bullet: suppose the registry has also outsourced TLD signing.

v2.23.0 | Report a Bug | By Email