Nick,

On 14/06/2019 04.18, Nick Johnson wrote:
> I'm working on a system that needs to authenticate a TLD owner/operator in order to take specific actions. We had intended to handle this by requiring them to publish a token in a TXT record under a subdomain of nic.tld, but it's been brought to our attention that we can't rely on nic.tld being owned by the TLD operators - this is only a reserved domain on ICANN new-gTLDs, not on ccTLDs or older gTLDs.
>
> An alternative is to require a message signed by the TLD's DNSSEC zone signing key, but I'm uncertain whether it's practical for TLD operators to sign arbitrary messages using their keys.
If people are using HSMs running in restricted environments, then getting them to sign arbitrary records will be hard - by design!

What you're asking for is not something that exists today, so TLD operators are not going to have processes for it. That means that it's going to be impractical (meaning "this will require process and engineering changes, and therefore cost money") for some (if not all) TLD operators.

My own advice would be to design a system that works well for the early adopters - whichever TLD operators you are talking to now that might be interested. You can add additional mechanisms later. In the end you may end up with a dozen or so methods, but that shouldn't be surprising given the diversity of TLD operators.

One final note: DNSSEC is not really designed for historical attestations. It's designed to give you a trustworthy view of a small corner of the DNS *right now*. This is a completely different requirement from blockchain where the idea is to be able to go back to any (?) historical transaction and verify it. So even if you can authenticate that someone holds the private material for a DNSKEY today, that won't mean anything to someone wanting to audit that 10 years from now. In terms of design, you need to find some way to convert the authentication that you get today into a historical record (like maybe requiring that a significant number of people verify the authentication and put that in your blockchain as the historical record).

Cheers,

--
Shane

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop