> On 13 Jun 2019, at 23:56, Nick Johnson <n...@ethereum.org> wrote:
>
> On Fri, Jun 14, 2019 at 2:51 PM Rubens Kuhl <rube...@nic.br> wrote:
>
>> On 13 Jun 2019, at 23:18, Nick Johnson <nick=40ethereum....@dmarc.ietf.org> wrote:
>>
>> I'm working on a system that needs to authenticate a TLD owner/operator in
>> order to take specific actions. We had intended to handle this by requiring
>> them to publish a token in a TXT record under a subdomain of nic.tld, but
>> it's been brought to our attention that we can't rely on nic.tld being owned
>> by the TLD operators - this is only a reserved domain on ICANN new-gTLDs,
>> not on ccTLDs or older gTLDs.
>>
>> An alternative is to require a message signed by the TLD's DNSSEC zone
>> signing key, but I'm uncertain whether it's practical for TLD operators to
>> sign arbitrary messages using their keys.
>>
>> Are there domains that are globally reserved for the operator across all
>> TLDs? If not, does anyone have any recommendations on an alternative
>> authorisation or authentication mechanism?
>
> All TLDs have admin and tech contacts published at
> https://www.iana.org/domains/root/db/[TLD].html (or port-43 WHOIS if
> you prefer); send e-mail to both of them, both need to be clicked to confirm
> TLD ownership.
> After that, use whatever mutual authentication system you feel like using.
>
> That would work, but we'd rather use a mechanism that can be publicly
> verified by anyone.
Like sending an e-mail to a mailman list archive after the process is completed?

Rubens
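The DNSSEC-key option raised in the quoted thread, as an added example that is not part of any message above: assuming the TLD publishes an algorithm-13 (ECDSAP256SHA256, RFC 6605) DNSKEY and is willing to sign a domain-separated challenge with that key, any third party can check the signature from the published DNSKEY RDATA alone, which is the publicly verifiable property asked for. The key pair, the challenge text and the "tld-operator-proof:" prefix are constructed for this example and not taken from any standard; the on-curve check relies on Go 1.20+ ecdsa.Verify rejecting invalid points.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

// DNSKEY RDATA for algorithm 13 (ECDSAP256SHA256, RFC 6605): 2-byte flags,
// protocol byte 3, algorithm byte 13, then the public key as 64 bytes X||Y.
const algECDSAP256SHA256 = 13

// encodeDNSKEY builds the RDATA as a zone would publish it (flags 256 = ZSK).
func encodeDNSKEY(flags uint16, pub *ecdsa.PublicKey) []byte {
	rdata := []byte{byte(flags >> 8), byte(flags), 3, algECDSAP256SHA256}
	rdata = append(rdata, pub.X.FillBytes(make([]byte, 32))...)
	return append(rdata, pub.Y.FillBytes(make([]byte, 32))...)
}

// challengeDigest domain-separates the message so the signed bytes cannot be
// confused with RRSIG input; the prefix is an assumption for this example.
func challengeDigest(msg []byte) []byte {
	h := sha256.Sum256(append([]byte("tld-operator-proof:"), msg...))
	return h[:]
}

// signChallenge is the operator's side: the 64-byte r||s form DNSSEC uses for ECDSA.
func signChallenge(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	r, s, err := ecdsa.Sign(rand.Reader, priv, challengeDigest(msg))
	if err != nil {
		return nil, err
	}
	return append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...), nil
}

// verifyChallenge is what any third party can run with only the published
// DNSKEY RDATA; it rejects other algorithms and bad lengths, and ecdsa.Verify
// (Go 1.20+) returns false for a public key that is not a point on P-256.
func verifyChallenge(rdata, msg, sig []byte) bool {
	if len(rdata) != 68 || rdata[2] != 3 || rdata[3] != algECDSAP256SHA256 || len(sig) != 64 {
		return false
	}
	x, y := new(big.Int).SetBytes(rdata[4:36]), new(big.Int).SetBytes(rdata[36:])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	return ecdsa.Verify(pub, challengeDigest(msg), r, s)
}
```

Whether an operator's signing setup will sign anything other than RRsets is exactly the practicality question raised in the thread; the fixed prefix keeps a challenge from ever being parseable as RRSIG input, so a signature over it cannot be replayed as DNS data.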
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop