> On 9 Jul 2019, at 10:53 pm, Ted Lemon <mel...@fugue.com> wrote:
>
> On Jul 9, 2019, at 12:00 AM, Mark Andrews <ma...@isc.org> wrote:
>> Actually if a DNS operator is requesting that NS records pointing to them be
>> removed then the TLD only needs to look at the enclosing SOA of the NS’s address
>> records to find a valid contact.
>
> And how do they validate that any communication that follows is actually with
> that contact?
They email the address and ensure they get back something unique from that email.

1) Check the NS is returning REFUSED for the delegated zone.
2) Email the SOA contact with a unique confirmation URL with a validity interval.
3) When the URL is clicked, remove the NS record from the delegation. Optionally allow for confirmation via email.

If you want to check with the delegated zone’s administrators, do that between steps 1 and 2.

If you are worried about the SOA contact being forged, require that the SOA record be signed and that it validates as secure. The DNS is a good enough introducer, especially when it is signed.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
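The three-step procedure above, worked through as an added example that is not part of the thread: the REFUSED check (step 1) is stubbed against a constructed answer table instead of a real query, the enclosing-SOA walk and RNAME-to-mailbox conversion find the contact, and the confirmation URL token (steps 2 and 3) is an HMAC bound to the request and a validity interval. The zone names, the `FAKE_DNS` / `FAKE_NS_RCODE` tables and the DNSSEC "validated secure" flag are all constructed inputs.

```python
import hmac, hashlib, secrets

# Constructed stand-in for DNS (no real resolver). SOA value is
# (MNAME, RNAME, validated-secure-under-DNSSEC); RNAME holds the contact.
FAKE_DNS = {("ns1.example.net.", "A"): "192.0.2.53",
            ("example.net.", "SOA"): ("ns1.example.net.", "host\\.master.example.net.", True)}
# Constructed: rcode the NS returns when asked for the delegated zone's SOA.
FAKE_NS_RCODE = {("ns1.example.net.", "customer.example."): "REFUSED"}
SECRET = secrets.token_bytes(32)  # per-process key for confirmation tokens

def ns_refuses_zone(ns_name, zone):
    """Step 1: the NS must answer REFUSED for the delegated zone (stubbed lookup)."""
    return FAKE_NS_RCODE.get((ns_name, zone)) == "REFUSED"

def enclosing_soa(name, require_secure=False):
    """Walk up from the NS's address-record owner name until an SOA is found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) + 1):
        owner = ".".join(labels[i:]) + "." if i < len(labels) else "."
        soa = FAKE_DNS.get((owner, "SOA"))
        if soa and (soa[2] or not require_secure):
            return owner, soa[1]
    return None

def rname_to_email(rname):
    """RNAME -> mailbox: first unescaped dot becomes '@'; '\\.' is a literal dot."""
    local, i = "", 0
    while i < len(rname) and rname[i] != ".":
        if rname[i] == "\\" and i + 1 < len(rname):
            i += 1
        local += rname[i]; i += 1
    return local + "@" + rname[i + 1:].rstrip(".")

def _mac(zone, ns_name, contact, expires):
    msg = f"{zone}|{ns_name}|{contact}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_confirmation(zone, ns_name, contact, now, ttl=3600):
    """Step 2: token for the emailed URL, bound to the request and an expiry."""
    expires = int(now) + ttl
    return f"{expires}.{_mac(zone, ns_name, contact, expires)}"

def confirmation_valid(token, zone, ns_name, contact, now):
    """Step 3: remove the NS only if the MAC matches and the interval has not passed."""
    try:
        expires, mac = token.split(".", 1)
        expires = int(expires)
    except ValueError:
        return False
    return hmac.compare_digest(mac, _mac(zone, ns_name, contact, expires)) and now < expires
```

Passing `require_secure=True` to `enclosing_soa` is the "SOA must be signed and validate as secure" option from the message; a real deployment would take that flag from the validating resolver's AD result rather than from a table.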