If y'all care what gets published in a TLD, please take a look at https://datatracker.ietf.org/doc/draft-ietf-dmarc-psd/ which is an experimental draft that will go into WGLC last call soon. This was driven by wanting to add _dmarc records into TLDs, per ICANN rules it needs to be an RFC.
Tim (Murray Kucherawy, Seth Blank and myself may have something to do with the DMARC working group management). On Wed, Jun 19, 2019 at 7:41 PM Mark Andrews <ma...@isc.org> wrote: > > > > On 20 Jun 2019, at 8:45 am, Joe Abley <jab...@hopcount.ca> wrote: > > > > On 19 Jun 2019, at 18:28, Nick Johnson <nick= > 40ethereum....@dmarc.ietf.org> wrote: > > > >> On Tue, Jun 18, 2019 at 10:15 PM Bjarni Rúnar Einarsson <b...@isnic.is> > wrote: > >> The SOA record for a TLD contains two DNS names which should be > >> under the control of the NIC: that of the primary master > >> nameserver, and the e-mail of the responsible administrator > >> (which includes a domain name). > >> > >> This seems like an excellent idea - thanks! I'll wait to see what > others have to say. > > > > I think you could probably build a heuristic around MNAME and RNAME that > would work at least most of the time. However, there's no definitive > identifier and there will always be exceptions you have to work around. > Sometimes MNAME relates to a back-end registry provider, sometimes to a > registry operator, and sometimes something else entirely. Ditto RNAME. > > > >> I think I addressed this upthread: If someone has the ability to change > a zone's DNS records and generate valid DNSSEC signatures for them (which > we will be requiring and verifying), they're sufficiently 'in control' of > the zone that I'm comfortable treating them as the authorised user. If > someone malicious has that control, the TLD owner has much larger problems. > > > > The organisation that generates the SOA/NS/A/AAAA RRSets in a > delegation-only TLD zone is not always the same organisation that signs it. > Also, not all signatures in a zone can be guaranteed to have been created > by the same organisation. Also, not all TLDs are signed. > > > > The contacts that the IANA relies upon to authorise changes for TLD > operators can be found at whois.iana.org, for what that's worth, or in > due course at the RDAP server specified in the object < > https://data.iana.org/rdap/dns.json>. But if you're looking for something > reliable you can validate using DNSSEC, I think you're out of luck. > > And if you try sending to them you find the email addresses are often > do not exist, bounce because the mailbox is full, are gatewayed to a > restricted distribution list, or just ignored. Some do work though. > My experience maybe biased because I’m always reporting problems when I > send to them and if the operator hasn’t already noticed the problem > there is a good chance the contact is also broken. > > > Joe > > _______________________________________________ > > DNSOP mailing list > > DNSOP@ietf.org > > https://www.ietf.org/mailman/listinfo/dnsop > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
