> On 13 Jun 2019, at 23:18, Nick Johnson <nick=40ethereum....@dmarc.ietf.org>
> wrote:
>
> I'm working on a system that needs to authenticate a TLD owner/operator in
> order to take specific actions. We had intended to handle this by requiring
> them to publish a token in a TXT record under a subdomain of nic.tld, but
> it's been brought to our attention that we can't rely on nic.tld being owned
> by the TLD operators - this is only a reserved domain on ICANN new-gTLDs, not
> on ccTLDs or older gTLDs.
>
> An alternative is to require a message signed by the TLD's DNSSEC zone
> signing key, but I'm uncertain whether it's practical for TLD operators to
> sign arbitrary messages using their keys.
>
> Are there domains that are globally reserved for the operator across all
> TLDs? If not, does anyone have any recommendations on an alternative
> authorisation or authentication mechanism?

All TLDs have admin and tech contacts published at https://www.iana.org/domains/root/db/[TLD].html (or port-43 WHOIS if you prefer); send e-mail to both of them, both need to be clicked to confirm TLD ownership. After that, use whatever mutual authentication system you feel like using.

Rubens
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
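
The dual-confirmation step suggested in the reply above, sketched as an added example (it is not part of the original thread or any registry's code). Assumptions: the WHOIS record is constructed sample data in the layout of IANA port-43 output, and the function names and the HMAC token scheme are hypothetical; mailing the confirmation links is out of scope.

```python
import hashlib
import hmac
import time

# Constructed sample in the layout of IANA port-43 WHOIS output (not real data).
SAMPLE_WHOIS = """\
domain:       EXAMPLE
organisation: Example Registry (constructed)

contact:      administrative
name:         Registry Admin
e-mail:       admin@registry.example

contact:      technical
name:         Registry NOC
e-mail:       noc@registry.example
"""

REQUIRED_ROLES = ("administrative", "technical")

def parse_contacts(whois_text):
    """Return {role: e-mail} for each contact block in the record."""
    contacts, role = {}, None
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep:
            continue
        if key == "contact":
            role = value.lower()
        elif key == "e-mail" and role:
            contacts[role] = value.lower()
    return contacts

def issue_token(secret, tld, role, email, expires):
    """Token bound to TLD, role, address and expiry, so it cannot be reused."""
    msg = "|".join((tld.lower(), role, email, str(expires))).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def tld_confirmed(secret, tld, contacts, clicks, expires, now=None):
    """True only if every required contact returned a valid, unexpired token."""
    now = time.time() if now is None else now
    if now > expires or any(r not in contacts for r in REQUIRED_ROLES):
        return False
    for r in REQUIRED_ROLES:
        expected = issue_token(secret, tld, r, contacts[r], expires)
        if not hmac.compare_digest(expected.encode(), clicks.get(r, "").encode()):
            return False
    return True
```

Binding each token to the role and address means a click from only one contact, or a token forwarded between contacts, does not satisfy the check.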