Re: [DNSOP] Verifying TLD operator authorisation
Shane Kerr <shane@time-travellers.org> Fri, 14 June 2019 07:12 UTC
Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B07DB120178 for <dnsop@ietfa.amsl.com>; Fri, 14 Jun 2019 00:12:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6GUen0JTnEkA for <dnsop@ietfa.amsl.com>; Fri, 14 Jun 2019 00:12:05 -0700 (PDT)
Received: from time-travellers.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0212312018F for <dnsop@ietf.org>; Fri, 14 Jun 2019 00:12:04 -0700 (PDT)
Received: from [2001:470:78c8:2:5cf9:35a6:7b5f:7739] by time-travellers.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <shane@time-travellers.org>) id 1hbgNV-0005iQ-JZ for dnsop@ietf.org; Fri, 14 Jun 2019 07:12:01 +0000
To: dnsop@ietf.org
References: <CAFz7pMvkQUz78Qow03RsFKHof3nrnGu3BUwUP0zstWgVtP3Msw@mail.gmail.com>
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <45146059-6b1c-a967-1620-75d3de751e63@time-travellers.org>
Date: Fri, 14 Jun 2019 09:12:00 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <CAFz7pMvkQUz78Qow03RsFKHof3nrnGu3BUwUP0zstWgVtP3Msw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tFdif0dRlheuxKdY87l3T6O4KCw>
Subject: Re: [DNSOP] Verifying TLD operator authorisation
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jun 2019 07:12:07 -0000
Nick, On 14/06/2019 04.18, Nick Johnson wrote: > I'm working on a system that needs to authenticate a TLD owner/operator > in order to take specific actions. We had intended to handle this by > requiring them to publish a token in a TXT record under a subdomain of > nic.tld, but it's been brought to our attention that we can't rely on > nic.tld being owned by the TLD operators - this is only a reserved > domain on ICANN new-gTLDs, not on ccTLDs or older gTLDs. > > An alternative is to require a message signed by the TLD's DNSSEC zone > signing key, but I'm uncertain whether it's practical for TLD operators > to sign arbitrary messages using their keys If people are using HSM running in restricted environments, then getting them to sign arbitrary records will be hard - by design! What you're asking for is not something that exists today, so TLD operators are not going to have processes for it. That means that it's going to be impractical (meaning "this will require process and engineering changes, and therefore cost money") for some (if not all) TLD operators. My own advice would be to design a system that works well for the early adopters - whichever TLD operators you are talking to now that might be interested. You can add additional mechanisms later. In the end you may end up with a dozen or so methods, but that shouldn't be surprising given the diversity of TLD operators. One final note: DNSSEC is not really designed for historical attestations. It's designed to give you a trustworthy view of a small corner the DNS *right now*. This is a completely different requirement from blockchain where the idea is to be able to go back to any (?) historical transaction and verify it. So even if you can authenticate that someone holds the private material for a DNSKEY today, that won't mean anything to someone wanting to audit that 10 years from now. In terms of design, you need to find some way to convert the authentication that you get today into a historical record (like maybe requiring that a significant number of people verify the authentication and put that in your blockchain as the historical record). Cheers, -- Shane
- [DNSOP] Verifying TLD operator authorisation Nick Johnson
- Re: [DNSOP] Verifying TLD operator authorisation Joe Abley
- Re: [DNSOP] Verifying TLD operator authorisation Nick Johnson
- Re: [DNSOP] Verifying TLD operator authorisation Rubens Kuhl
- Re: [DNSOP] Verifying TLD operator authorisation Nick Johnson
- Re: [DNSOP] Verifying TLD operator authorisation Rubens Kuhl
- Re: [DNSOP] Verifying TLD operator authorisation Nick Johnson
- Re: [DNSOP] Verifying TLD operator authorisation Shane Kerr
- Re: [DNSOP] Verifying TLD operator authorisation Jim Reid
- Re: [DNSOP] Verifying TLD operator authorisation Dr Eberhard W Lisse
- Re: [DNSOP] Verifying TLD operator authorisation Jim Reid
- Re: [DNSOP] Verifying TLD operator authorisation Vladimír Čunát
- Re: [DNSOP] Verifying TLD operator authorisation Nick Johnson
- Re: [DNSOP] Verifying TLD operator authorisation Bjarni Rúnar Einarsson
- Re: [DNSOP] Verifying TLD operator authorisation Jim Reid
- Re: [DNSOP] Verifying TLD operator authorisation Jim Reid
- Re: [DNSOP] Verifying TLD operator authorisation Shane Kerr
- Re: [DNSOP] Verifying TLD operator authorisation Nick Johnson
- Re: [DNSOP] Verifying TLD operator authorisation Joe Abley
- Re: [DNSOP] Verifying TLD operator authorisation Mark Andrews
- Re: [DNSOP] Verifying TLD operator authorisation Tim Wicinski
- Re: [DNSOP] Verifying TLD operator authorisation Matthew Pounsett
- Re: [DNSOP] PSD records, was Verifying TLD operat… John Levine
- Re: [DNSOP] PSD records, was Verifying TLD operat… Tim Wicinski
- Re: [DNSOP] PSD records, was Verifying TLD operat… John R Levine
- Re: [DNSOP] Verifying TLD operator authorisation Vittorio Bertola