On Jan 22, 2025, at 10:35 AM, Ben van Hartingsveldt | Yocto <ben.vanhartingsveldt=40yocto....@dmarc.ietf.org> wrote: > 1) User goes to DNS provider and creates zone.
I think there’s a problem with step 1. A user (which is any-off-the-street-customer) is not the source of authority when it comes to control or ownership of a domain. A user “claiming ownership” could itself be abusive towards a DNS provider in the sense that the user, well-intentioned or not, is making the DNS provider do potentially needless work. If there’s ill-intent, then this could be a denial of service via resource depletion. Authority for a domain’s existence comes down from the top of the tree. In the common scenario of something like “example.com”, then it is a TLD registry that is the chief authority. If the TLD works with registrars, then registrars are in position to be “sub-“authorities for the names they manage. The flow has to be registry->registrar-if-there->DNS operator before a user can “create a zone.” The rest of the steps are means of verifying a claim in reverse, which is more work than just being able to directly consult the authority. > 2) DNS provider creates zone and gives ZDT token for that specific zone. > 3) User copies the ZDT token that is given by the DNS provider and pastes it > to some (new) field at the registrar. > 4) Registrar sends the ZDT token to the registry using EPP. (Yes, we have to > specify a EPP extension for this token.) > 5) Registry uses this ZDT token as DNS record in their superzone. > (example.com. IN ZDT "some-token-text") > 6) User goes to DNS provider and verifies zone. > 7) DNS providers checks record in the DNS zone of the registry and activates > zone when correct. > 8) User now pastes nameservers at registrar. > 9) Registrar sends nameservers using EPP to registry. > 10) Registry uses this nameservers in their superzone. The domain is now > delegated without any possibility to hijack. There’s no stopping a DNS operator from allowing a customer to run a domain that is not attached to the global public Internet DNS. Unless there’s a name collision with a domain that is attached to the global public Internet DNS, this could be done without easy detection. Aside - If there’s a name collision, then it’d be detectable but still may not be operationally impacting. Questions to DNS providers - mean those hosting zones without bundled name registration services - do they want to only serve domains registered in the global public Internet DNS tree, or host anything so long as there is no conflict, or not care at all? Do they clean up customers that have left? I’ve am thinking of a specific situation where a provider's servers answered for zones only because the provider did not de-provision a customer they lost, per the “lost customer.” I hate to beat an injured camel, but the way forward to me lies in DELEG. The registry knows best and it can encode stuff into zone cut information, including allowed DNS providers - in plural - in an explicit way. A registrant would have to indicate this via the provisioning system (whether or not EPP is the underlying protocol) when administering the zone, which might make overall provisioning easier by eliminating the need to list DS, NS, and glue records, instead pointing to some DNS operator(s) to say “use their stuff.” _______________________________________________ DNSOP mailing list -- dnsop@ietf.org To unsubscribe send an email to dnsop-le...@ietf.org
