Re: [DNSOP] Verifying TLD operator authorisation

Shane Kerr <shane@time-travellers.org> Tue, 18 June 2019 13:56 UTC

To: dnsop@ietf.org
References: <CAFz7pMvkQUz78Qow03RsFKHof3nrnGu3BUwUP0zstWgVtP3Msw@mail.gmail.com> <tqjbSfSi2Kv3DHpi6nBJVi2e6tCZFTdVyrKpxiud2348@mailpile> <4353B4DB-3F05-44B7-8272-A07EAF73B009@rfc1035.com>
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <566ff2fe-1795-2046-8e23-46046bbf7385@time-travellers.org>
Date: Tue, 18 Jun 2019 15:56:06 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wFkdM8mUm5uSY7PkwlpTeAsiIYw>

Jim,

On 18/06/2019 13.27, Jim Reid wrote:
> 
> 
>> On 18 Jun 2019, at 11:13, Bjarni Rúnar Einarsson <bre@isnic.is> wrote:
>>
>> The SOA record for a TLD contains two DNS names which should be
>> under the control of the NIC ...
>> People on this list can probably comment on whether my above
>> assumption is correct, and whether those are good candidates for
>> what you have in mind.
> 
> Being able to control a zone’s SOA record (or whatever) means just that. No more, no less. It doesn’t mean someone who has that ability also has the authority to change the zone’s delegation even though they can manipulate the zone contents.

You're basically arguing against ACME-style authentication.

While you are not necessarily wrong, people find the approach useful 
enough to not worry about who "really" owns a web server, and I suspect 
that a conscious decision can be made to not worry about who "really" 
owns a TLD in much the same way.

Cheers,

--
Shane
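The "ACME-style authentication" referred to above is the dns-01 proof-of-control exchange of RFC 8555 (section 8.4), with the account-key thumbprint from RFC 7638. The block below is an added illustration, not code from this thread or from any ACME implementation: the CA derives the expected TXT value from a challenge token and the account key, then checks whether that value is present at `_acme-challenge.<name>`. The account key, token and stub zone are constructed; the key coordinates are not a real curve point, since only the thumbprint matters here. Note what the check does and does not establish: a match proves someone could put a record into the zone's contents, which is exactly the gap between "can edit the zone" and "is authorised over the delegation" that the quoted reply raises.

```python
# Added example of ACME dns-01 style validation (RFC 8555 s.8.4, RFC 7638 thumbprint).
# Not code from the thread; account key, token and zone data below are constructed.
import base64
import hashlib
import hmac
import json
from typing import Callable, Iterable


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME encodes everything."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: only the required members of each key type enter the thumbprint.
REQUIRED_JWK_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON (required members, sorted keys, no whitespace)."""
    members = {k: jwk[k] for k in REQUIRED_JWK_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint: binds the challenge to one ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value the CA expects in TXT at _acme-challenge.<name>: base64url(SHA-256(keyAuthz))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_name(domain: str) -> str:
    """Owner name queried for the challenge record, as an absolute name."""
    return "_acme-challenge." + domain.strip(".") + "."


def validate_dns01(domain: str, token: str, account_jwk: dict,
                   lookup_txt: Callable[[str], Iterable[str]]) -> bool:
    """CA-side check: True iff some TXT RR at the challenge name equals the expected value.

    This only proves control over the zone *contents* at that name. It says nothing
    about who is authorised to change the zone's delegation, which is the objection
    raised in the quoted reply."""
    expected = dns01_txt_value(token, account_jwk).encode("ascii")
    return any(hmac.compare_digest(rr.encode("utf-8"), expected)
               for rr in lookup_txt(challenge_name(domain)))


# Constructed account key. The "use" member is deliberately present: RFC 7638
# excludes it from the thumbprint, and the test below checks that it is ignored.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "use": "sig",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token

# Constructed stub zone standing in for a resolver, so the example runs offline.
# "example" plays the role of a TLD; the second name carries a wrong record.
ZONE = {
    challenge_name("example"): [dns01_txt_value(TOKEN, ACCOUNT_JWK)],
    challenge_name("attacker.example"): ["not-the-right-value"],
}


def stub_lookup_txt(name: str) -> list:
    """Stand-in for a TXT query against the constructed zone."""
    return ZONE.get(name, [])


def demo() -> dict:
    """Run the validator over the constructed zone in the success and failure cases."""
    return {
        "expected_txt": dns01_txt_value(TOKEN, ACCOUNT_JWK),
        "tld_ok": validate_dns01("example", TOKEN, ACCOUNT_JWK, stub_lookup_txt),
        "wrong_record": validate_dns01("attacker.example", TOKEN, ACCOUNT_JWK, stub_lookup_txt),
        "wrong_token": validate_dns01("example", "other-token", ACCOUNT_JWK, stub_lookup_txt),
        "missing": validate_dns01("nonexistent", TOKEN, ACCOUNT_JWK, stub_lookup_txt),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A real CA would resolve the name through its own validating resolvers (ideally from several vantage points, with DNSSEC where available) instead of `stub_lookup_txt`, but the derivation and comparison are the same.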