On Jun 13, 2019, at 22:18, Nick Johnson <nick=40ethereum....@dmarc.ietf.org> wrote:
> I'm working on a system that needs to authenticate a TLD owner/operator in
> order to take specific actions.

Can you give an example of the actions? When you say "owner/operator" what exactly do you mean?

> We had intended to handle this by requiring them to publish a token in a TXT
> record under a subdomain of nic.tld, but it's been brought to our attention
> that we can't rely on nic.tld being owned by the TLD operators - this is only
> a reserved domain on ICANN new-gTLDs, not on ccTLDs or older gTLDs.

Right.

> An alternative is to require a message signed by the TLD's DNSSEC zone
> signing key, but I'm uncertain whether it's practical for TLD operators to
> sign arbitrary messages using their keys.

It does sound like a bit of a stretch. Also, not all TLDs are signed, and some of those that are have KSKs that are constrained by process as to how they can be used, so using them for a new purpose might be expensive.

> Are there domains that are globally reserved for the operator across all TLDs?

The zone apex is the only owner name you can rely upon always corresponding to a particular TLD, but don't expect it to be simple to publish new and exciting things there in all cases.

> If not, does anyone have any recommendations on an alternative authorisation
> or authentication mechanism?

It's hard to make a useful suggestion without understanding what you're trying to accomplish.

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
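The two mechanisms discussed in the thread, a TXT token and a message signed with the zone's DNSSEC key, can be checked offline once the DNSKEY or TXT RRset has been fetched. The following Go program is an added example written for this page, not code from either poster or from any TLD operator; it shows the verifier side of both checks and applies the one rule the reply gives: only the zone apex is trusted as the operator's owner name, so a token or DNSKEY retrieved at nic.<tld> is rejected. Everything in it is assumed for illustration: the zone "example." stands in for a TLD, the signed bytes use an invented domain-separation prefix so that the challenge can never be confused with data an RRSIG would cover, and only algorithm 15 (Ed25519) is accepted because the Go standard library can verify it without a DNS library. Whether an operator's key-management process would ever let the key sign such a challenge is the open question in the thread; this only shows the mechanics. Key material and records are generated or constructed inline, so no network access is needed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// DNSKEY holds the fields of DNSKEY RDATA (RFC 4034 section 2): flags,
// protocol, algorithm and the raw public key.
type DNSKEY struct {
	Flags     uint16
	Protocol  uint8
	Algorithm uint8
	PublicKey []byte
}

// ParseDNSKEY parses presentation-format RDATA such as "256 3 15 <base64>".
// Only algorithm 15 (Ed25519, RFC 8080) is accepted in this example.
func ParseDNSKEY(rdata string) (DNSKEY, error) {
	f := strings.Fields(rdata)
	if len(f) != 4 {
		return DNSKEY{}, errors.New("DNSKEY: want 4 fields: flags protocol algorithm key")
	}
	flags, err1 := strconv.ParseUint(f[0], 10, 16)
	proto, err2 := strconv.ParseUint(f[1], 10, 8)
	alg, err3 := strconv.ParseUint(f[2], 10, 8)
	key, err4 := base64.StdEncoding.DecodeString(f[3])
	for _, err := range []error{err1, err2, err3, err4} {
		if err != nil {
			return DNSKEY{}, fmt.Errorf("DNSKEY: %w", err)
		}
	}
	k := DNSKEY{uint16(flags), uint8(proto), uint8(alg), key}
	switch {
	case k.Protocol != 3:
		return DNSKEY{}, errors.New("DNSKEY: protocol must be 3")
	case k.Flags&0x0100 == 0: // bit 7: this key is a zone key
		return DNSKEY{}, errors.New("DNSKEY: zone key flag not set")
	case k.Algorithm != 15:
		return DNSKEY{}, fmt.Errorf("DNSKEY: algorithm %d unsupported here (only 15/Ed25519)", k.Algorithm)
	case len(k.PublicKey) != ed25519.PublicKeySize:
		return DNSKEY{}, errors.New("DNSKEY: Ed25519 key must be 32 bytes")
	}
	return k, nil
}

// FormatDNSKEY renders an Ed25519 public key as ZSK DNSKEY RDATA (flags 256).
func FormatDNSKEY(pub ed25519.PublicKey) string {
	return "256 3 15 " + base64.StdEncoding.EncodeToString(pub)
}

// fqdn lower-cases a name and guarantees exactly one trailing dot.
func fqdn(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, ".")) + "."
}

// challengeBytes builds the message the operator signs. The ASCII prefix and
// the zone name are an assumed domain-separation convention for this example,
// not a standard; they keep the signed bytes distinct from RRSIG input.
func challengeBytes(zone, nonce string) []byte {
	return []byte("tld-operator-auth/v1\x00" + fqdn(zone) + "\x00" + nonce)
}

// SignChallenge is the operator side: sign the relying party's nonce with the
// private half of the zone's Ed25519 DNSKEY.
func SignChallenge(priv ed25519.PrivateKey, zone, nonce string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, challengeBytes(zone, nonce)))
}

// VerifyChallenge is the relying-party side. ownerName is the owner name the
// DNSKEY RR was retrieved at; it must be the zone apex, the only name the
// reply above says reliably belongs to the operator.
func VerifyChallenge(zone, ownerName, dnskeyRdata, nonce, sigB64 string) error {
	if fqdn(ownerName) != fqdn(zone) {
		return fmt.Errorf("DNSKEY owner %q is not the apex of %q", ownerName, zone)
	}
	k, err := ParseDNSKEY(dnskeyRdata)
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	if !ed25519.Verify(ed25519.PublicKey(k.PublicKey), challengeBytes(zone, nonce), sig) {
		return errors.New("signature does not verify under the apex DNSKEY")
	}
	return nil
}

// TXTRecord is a TXT RR as a verifier would have fetched it (constructed here).
type TXTRecord struct{ Owner, Text string }

// TokenAtApex accepts the token only when the TXT RR sits at the zone apex;
// nic.<tld> or any other subdomain is rejected because that name is not
// reserved for the operator in every TLD.
func TokenAtApex(zone, token string, rrs []TXTRecord) bool {
	for _, rr := range rrs {
		if fqdn(rr.Owner) == fqdn(zone) && rr.Text == token {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	zone, nonce := "example.", "3f1c9d2a-constructed-nonce" // stand-in TLD and relying-party nonce
	sig := SignChallenge(priv, zone, nonce)
	fmt.Println("DNSKEY:", FormatDNSKEY(pub))
	fmt.Println("verify at apex:        ", VerifyChallenge(zone, "example.", FormatDNSKEY(pub), nonce, sig))
	fmt.Println("verify at nic.example: ", VerifyChallenge(zone, "nic.example.", FormatDNSKEY(pub), nonce, sig))
	rrs := []TXTRecord{{"nic.example.", "token=abc"}, {"example.", "token=abc"}}
	fmt.Println("token at apex:", TokenAtApex(zone, "token=abc", rrs))
}
```

The owner-name check runs before any cryptography on purpose: a signature that verifies under a DNSKEY found at nic.<tld> proves control of nic.<tld>, which is exactly the property the thread says cannot be relied upon. The nonce is bound into the signed bytes so a captured signature cannot be replayed for a later challenge.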