On 19 Jun 2019, at 18:28, Nick Johnson <nick=40ethereum....@dmarc.ietf.org> 
wrote:

> On Tue, Jun 18, 2019 at 10:15 PM Bjarni Rúnar Einarsson <b...@isnic.is> wrote:
> The SOA record for a TLD contains two DNS names which should be
> under the control of the NIC: that of the primary master
> nameserver, and the e-mail of the responsible administrator
> (which includes a domain name).
> 
> This seems like an excellent idea - thanks! I'll wait to see what others have 
> to say.

I think you could probably build a heuristic around MNAME and RNAME that would 
work at least most of the time. However, there's no definitive identifier and 
there will always be exceptions you have to work around. Sometimes MNAME 
relates to a back-end registry provider, sometimes to a registry operator, and 
sometimes something else entirely. Ditto RNAME.

> I think I addressed this upthread: If someone has the ability to change a 
> zone's DNS records and generate valid DNSSEC signatures for them (which we 
> will be requiring and verifying), they're sufficiently 'in control' of the 
> zone that I'm comfortable treating them as the authorised user. If someone 
> malicious has that control, the TLD owner has much larger problems.

The organisation that generates the SOA/NS/A/AAAA RRSets in a delegation-only 
TLD zone is not always the same organisation that signs it. Also, not all 
signatures in a zone can be guaranteed to have been created by the same 
organisation. Also, not all TLDs are signed.

The contacts that the IANA relies upon to authorise changes for TLD operators 
can be found at whois.iana.org, for what that's worth, 
or in due course at the RDAP server specified in the object 
<https://data.iana.org/rdap/dns.json>. 
But if you're looking for something reliable you can validate using DNSSEC, I 
think you're out of luck.


Joe
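As an added illustration of the MNAME/RNAME heuristic discussed in this thread (example code, not part of the DNSOP messages above): the script below parses an SOA record in presentation format, turns the RNAME into a mailbox (first unescaped dot becomes '@', per RFC 1035), and reports whether MNAME and the RNAME mailbox domain sit under the TLD. The SOA records and the TLD labels are constructed sample data, not real zone contents, and the result is evidence only, since MNAME may name a back-end provider and neither field definitively identifies the operator.

```python
"""Heuristic check of a TLD's SOA MNAME and RNAME against the TLD itself.
Added example; the SOA data below is constructed, not taken from any zone."""

# Constructed sample SOA RDATA (presentation format, the way `dig` prints it:
# MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM). Hypothetical values.
SAMPLE_SOA = {
    "example.": "ns1.nic.example. hostmaster.nic.example. 2019061901 1800 900 604800 86400",
    # RNAME whose local part contains an escaped dot: mailbox john.doe@registry.example
    "test.": "a.backend.provider.example. john\\.doe.registry.example. 1 1 1 1 1",
}


def rname_to_email(rname):
    """Convert an SOA RNAME to a mailbox. The first unescaped '.' becomes '@';
    escaped dots ('\\.') before it belong to the local part (RFC 1035 s3.3.13).
    Returns None when the RNAME has no unescaped dot at all."""
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ".":
            domain = rname[i + 1:]
            break
        local.append(ch)
        i += 1
    else:
        return None
    return "%s@%s" % ("".join(local), domain.rstrip("."))


def parse_soa(rdata):
    """Split SOA RDATA into (mname, rname); the five numeric fields are not needed here."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError("malformed SOA RDATA: expected 7 fields")
    mname, rname = fields[0], fields[1]
    return mname.rstrip(".").lower(), rname


def under_tld(name, tld):
    """True if `name` is the TLD or a subdomain of it (case-insensitive, trailing dots ignored)."""
    tld = tld.rstrip(".").lower()
    name = name.rstrip(".").lower()
    return name == tld or name.endswith("." + tld)


def soa_hints(tld, rdata):
    """Return the heuristic evidence for one TLD: the MNAME, the RNAME mailbox,
    and whether each sits under the TLD. A hint only, never an authorisation
    decision: MNAME often points at a back-end registry provider, and an
    unsigned zone gives no DNSSEC basis for trusting either field."""
    mname, rname = parse_soa(rdata)
    email = rname_to_email(rname)
    email_domain = email.split("@", 1)[1] if email else None
    return {
        "mname": mname,
        "mname_under_tld": under_tld(mname, tld),
        "rname_email": email,
        "rname_under_tld": bool(email_domain) and under_tld(email_domain, tld),
    }


if __name__ == "__main__":
    for tld, rdata in SAMPLE_SOA.items():
        print(tld, soa_hints(tld, rdata))
```

Run against the constructed data, the first TLD has both MNAME and RNAME under itself, while the second has neither, which is exactly the kind of exception the thread warns a heuristic would have to work around.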


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
