On Fri, Jun 14, 2019 at 2:30 PM Joe Abley <jab...@hopcount.ca> wrote:

> On Jun 13, 2019, at 22:18, Nick Johnson
> <nick=40ethereum....@dmarc.ietf.org> wrote:
>
> > I'm working on a system that needs to authenticate a TLD owner/operator
> in order to take specific actions.
>
> Can you give an example of the actions?
>

We build and maintain ENS, a naming system based on the Ethereum
blockchain. We're building a DNS integration that will permit any TLD
operator to claim and operate that TLD inside ENS. To do that, we need some
way for the owner or operator of the TLD to assert a public key that should
have control of the TLD in our system.


>
> When you say "owner/operator" what exactly do you mean?
>

Any party authorised by the TLD owner to take actions on their behalf. The
right to publish records to their zone, or to sign messages with their zone
key, seems like a reasonable proxy for that.


> > We had intended to handle this by requiring them to publish a token in a
> TXT record under a subdomain of nic.tld, but it's been brought to our
> attention that we can't rely on nic.tld being owned by the TLD operators -
> this is only a reserved domain on ICANN new-gTLDs, not on ccTLDs or older
> gTLDs.
>
> Right.
>
> > An alternative is to require a message signed by the TLD's DNSSEC zone
> signing key, but I'm uncertain whether it's practical for TLD operators to
> sign arbitrary messages using their keys.
>
> It does sound like a bit of a stretch. Also, not all TLDs are signed,
> and some of those that are have KSKs that are constrained by process
> as to how they can be used, so using them for a new purpose might be
> expensive.
>

We're okay for now with not supporting unsigned zones, but the latter seems
like a definite issue. I don't have a lot of insight into how TLD operators
handle their signing keys, and I'm hoping others here can offer more
details on how difficult this might be.


>
> > Are there domains that are globally reserved for the operator across all
> TLDs?
>
> The zone apex is the only owner name you can rely upon always
> corresponding to a particular TLD, but don't expect it to be simple to
> publish new and exciting things there in all cases.
>

Indeed - it's my understanding that ICANN forbids publishing anything to
the root zone other than necessary records such as SOA, NS and DNSKEY.


> > If not, does anyone have any recommendations on an alternative
> authorisation or authentication mechanism?
>
> It's hard to make a useful suggestion without understanding what
> you're trying to accomplish.
>
>
> Joe
>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop