Re: [ietf-smtp] [OT] (signed TLDs)

Mark Andrews <marka@isc.org> Wed, 16 October 2019 02:36 UTC

Return-Path: <marka@isc.org>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7128F120826 for <ietf-smtp@ietfa.amsl.com>; Tue, 15 Oct 2019 19:36:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aJ-gBKQN-5Wt for <ietf-smtp@ietfa.amsl.com>; Tue, 15 Oct 2019 19:36:33 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75BFB120819 for <ietf-smtp@ietf.org>; Tue, 15 Oct 2019 19:36:33 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 306CF3AB009; Wed, 16 Oct 2019 02:36:32 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 1F36B160066; Wed, 16 Oct 2019 02:36:32 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 05C9A160068; Wed, 16 Oct 2019 02:36:32 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id u03BgkOHwJOs; Wed, 16 Oct 2019 02:36:31 +0000 (UTC)
Received: from [1.0.0.3] (n1-40-244-161.bla1.nsw.optusnet.com.au [1.40.244.161]) by zmx1.isc.org (Postfix) with ESMTPSA id 5E85B160066; Wed, 16 Oct 2019 02:36:31 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <4667cc53-63cd-4cd1-97a5-80a4f7f28fad@gulbrandsen.priv.no>
Date: Wed, 16 Oct 2019 13:36:28 +1100
Cc: ietf-smtp@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <1C0209DF-A3FF-4FA2-991C-560EB418CD0E@isc.org>
References: <20191011160802.50C81C9B780@ary.qy> <alpine.DEB.2.20.1910141200120.8949@grey.csi.cam.ac.uk> <alpine.OSX.2.21.99999.368.1910141020460.72467@ary.local> <alpine.DEB.2.20.1910151228410.8949@grey.csi.cam.ac.uk> <5DA5F942.5030307@isdg.net> <4667cc53-63cd-4cd1-97a5-80a4f7f28fad@gulbrandsen.priv.no>
To: Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/Pv8CQE-Tbx8zC3-GakbWP-nPyDc>
Subject: Re: [ietf-smtp] [OT] (signed TLDs)
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2019 02:36:36 -0000

On 16 Oct 2019, at 6:10 am, Arnt Gulbrandsen <arnt@gulbrandsen.priv.no> wrote:
> 
> On Tuesday 15 October 2019 18:52:18 CEST, Hector Santos wrote:
>> I wish I understood more of this discussion and "basic problem," if any,
> 
> It's this: if someone were to tell the .com registry that starting immediately, they wish to sign domain hsantos.com and will the .com registry please include the necessary RRs in .com, how would the .com registry know whether to trust that someone?
> 
> Once the domain is signed and the records are in .com, there's a fine mechanism that anyone can use to check whether that someone actually controls hsantos.com. But what about the initial inclusion of the signature-related records in the .com zone?
> 
> There are ways, sometimes at least. For example, if it's done when the domain is initially registered, then it's clear that the registrant actually is the registrant. But initiating trust is a difficult problem if you want to solve it generally.

Well, when the delegation was initially registered, credentials were exchanged,
even if that was a user name / password pair.  This allowed NS records and
glue address records to be updated securely.  Updating/adding DS records is no
different.  You use the existing mechanisms; initially this was talking to the
registry directly.  These days it is intermediated through a registrar.

Or did you think anyone could change NS records for hsantos.com?

Mark

> Arnt
> 
> _______________________________________________
> ietf-smtp mailing list
> ietf-smtp@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf-smtp

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
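The "fine mechanism that anyone can use to check" once the records are in .com is the DS/DNSKEY link: the parent publishes a DS record whose digest is computed over the child's canonical owner name plus the DNSKEY RDATA (RFC 4034 section 5.1.4), and a validator recomputes that digest from the child's DNSKEY and compares. The following is an added example written for this archive page, not code from the thread or from ISC; the key bytes, flags and algorithm are constructed stand-ins, not hsantos.com's real key, so that the block runs offline.

```python
import hashlib
import hmac
import struct

# Digest types a DS record may carry (RFC 4034 / RFC 4509 / RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2):
    lowercase, each label length-prefixed, terminated by the root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, algorithms other than RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA) (RFC 4034 section 5.1.4)."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """Build the (key tag, algorithm, digest type, digest hex) the child asks the parent to publish."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type).hex())


def ds_matches_dnskey(ds: tuple, owner: str, rdata: bytes) -> bool:
    """What a validator does: confirm the parent's DS commits to this child DNSKEY.
    Unknown digest types are treated as non-matching rather than trusted."""
    tag, alg, dtype, digest_hex = ds
    if dtype not in DIGEST_ALGS:
        return False
    expected = ds_digest(owner, rdata, dtype).hex()
    return tag == key_tag(rdata) and alg == rdata[3] and hmac.compare_digest(digest_hex.lower(), expected)


# Constructed sample: NOT a real key for hsantos.com, just 64 bytes standing in for a
# P-256 public key so the example runs offline. Flags 257 = ZONE|SEP (a KSK), algorithm 13.
SAMPLE_OWNER = "hsantos.com."
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, b"\x00\x01\x02\x03" * 16)


def demo() -> dict:
    """Publish a DS for the sample key, then check genuine, tampered and wrong-owner cases."""
    ds = make_ds(SAMPLE_OWNER, SAMPLE_RDATA)
    tampered = SAMPLE_RDATA[:-1] + bytes([SAMPLE_RDATA[-1] ^ 0x01])  # flip one key bit
    return {
        "ds": ds,
        "genuine_matches": ds_matches_dnskey(ds, SAMPLE_OWNER, SAMPLE_RDATA),
        "tampered_matches": ds_matches_dnskey(ds, SAMPLE_OWNER, tampered),
        "other_owner_matches": ds_matches_dnskey(ds, "example.com.", SAMPLE_RDATA),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note what this does and does not cover: it is the verification step that anyone can run after the DS is in the parent zone. The initial publication of that DS, the part of the thread under dispute, goes through the registrar/registry credentials of the delegation and is not something a validator can check from the DNS alone.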