IETF Logo Mail Archive

Re: [DNSOP] Verifying TLD operator authorisation

Shane Kerr <shane@time-travellers.org> Fri, 14 June 2019 07:12 UTC

Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B07DB120178 for <dnsop@ietfa.amsl.com>; Fri, 14 Jun 2019 00:12:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6GUen0JTnEkA for <dnsop@ietfa.amsl.com>; Fri, 14 Jun 2019 00:12:05 -0700 (PDT)
Received: from time-travellers.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0212312018F for <dnsop@ietf.org>; Fri, 14 Jun 2019 00:12:04 -0700 (PDT)
Received: from [2001:470:78c8:2:5cf9:35a6:7b5f:7739] by time-travellers.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <shane@time-travellers.org>) id 1hbgNV-0005iQ-JZ for dnsop@ietf.org; Fri, 14 Jun 2019 07:12:01 +0000
To: dnsop@ietf.org
References: <CAFz7pMvkQUz78Qow03RsFKHof3nrnGu3BUwUP0zstWgVtP3Msw@mail.gmail.com>
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <45146059-6b1c-a967-1620-75d3de751e63@time-travellers.org>
Date: Fri, 14 Jun 2019 09:12:00 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <CAFz7pMvkQUz78Qow03RsFKHof3nrnGu3BUwUP0zstWgVtP3Msw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tFdif0dRlheuxKdY87l3T6O4KCw>
Subject: Re: [DNSOP] Verifying TLD operator authorisation
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jun 2019 07:12:07 -0000

Nick,

On 14/06/2019 04.18, Nick Johnson wrote:
> I'm working on a system that needs to authenticate a TLD owner/operator 
> in order to take specific actions. We had intended to handle this by 
> requiring them to publish a token in a TXT record under a subdomain of 
> nic.tld, but it's been brought to our attention that we can't rely on 
> nic.tld being owned by the TLD operators - this is only a reserved 
> domain on ICANN new-gTLDs, not on ccTLDs or older gTLDs.
> 
> An alternative is to require a message signed by the TLD's DNSSEC zone 
> signing key, but I'm uncertain whether it's practical for TLD operators 
> to sign arbitrary messages using their keys
If people are using HSM running in restricted environments, then getting 
them to sign arbitrary records will be hard - by design!

What you're asking for is not something that exists today, so TLD 
operators are not going to have processes for it. That means that it's 
going to be impractical (meaning "this will require process and 
engineering changes, and therefore cost money") for some (if not all) 
TLD operators.

My own advice would be to design a system that works well for the early 
adopters - whichever TLD operators you are talking to now that might be 
interested. You can add additional mechanisms later. In the end you may 
end up with a dozen or so methods, but that shouldn't be surprising 
given the diversity of TLD operators.

One final note: DNSSEC is not really designed for historical 
attestations. It's designed to give you a trustworthy view of a small 
corner the DNS *right now*. This is a completely different requirement 
from blockchain where the idea is to be able to go back to any (?) 
historical transaction and verify it. So even if you can authenticate 
that someone holds the private material for a DNSKEY today, that won't 
mean anything to someone wanting to audit that 10 years from now. In 
terms of design, you need to find some way to convert the authentication 
that you get today into a historical record (like maybe requiring that a 
significant number of people verify the authentication and put that in 
your blockchain as the historical record).

Cheers,

--
Shane

v2.23.0 | Report a Bug | By Email