> On 26 Feb 2019, at 14:46, Tony Finch <d...@dotat.at> wrote:
>
> Rubens Kuhl <rube...@nic.br> wrote:
>>
>> I imagine that DNS as a communication channel to assure registrant
>> willingness to change something, similar to CDNS/CDNSKEY, could be quite
>> useful. For instance, if the name servers that are delegated on the
>> registry are now pointing to new name servers, and this response is
>> signed by the current DS/DNSKEY on the delegation, changing the DNS
>> servers for that domain is pretty safe.
>
> There is RFC 7477 CSYNC, but I don't know of any implementations.
It's possibly something in that direction, but CSYNC sounds a bit more complicated by requiring support of a new RR-type on the user side. Using the same existing RRs would make it easier for end-user adoption.

I believe an OOB mechanism signalling the user's intent to change name servers or in-bailiwick glue records, with the registry then fetching those records, would have more traction. The nature of that OOB would be policy-realm dependent; for some TLDs it could be as easy as flushing a recursive DNS cache (https://developers.google.com/speed/public-dns/cache , https://www.verisign.com/en_US/security-services/public-dns/dns-cache/index.xhtml , https://cachecheck.opendns.com/), for some it might require a domain:update transaction from the registrar.

In all cases, any name server change not coming from a synchronous EPP transaction should trigger a poll message informing that the name servers have been changed and to which ones. This is likely something for regext to work on, possibly augmenting the existing draft-ietf-regext-change-poll- or using it as it is.

Security-wise, considering the limited adoption of DNSSEC, for non-signed delegations one alternative would be using only TCP queries to verify the new records. This is far from perfect, but counters some threat vectors.

Rubens
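An added example (not code from this thread or any registry's implementation) of the registry-side check described above: the registry asks each of the currently delegated name servers for the zone's NS RRset and applies the out-of-band signalled change only when all of them answer and agree on one new set. The transport is injected as a callable (in production a TCP query to each server, per the unsigned-delegation suggestion); the server names and answers below are constructed sample data.

```python
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Tuple

# Transport: given a currently delegated server name, return the NS RRset it
# serves for the zone, or None if it did not answer. Injected so this runs
# offline; a real deployment would issue a TCP query to that server.
Fetch = Callable[[str], Optional[FrozenSet[str]]]


def _norm(names: Iterable[str]) -> FrozenSet[str]:
    """Lower-case and fully qualify owner names so RRsets compare reliably."""
    return frozenset(n.lower().rstrip(".") + "." for n in names)


def verify_ns_change(registry_ns: Iterable[str], fetch_ns: Fetch) -> Tuple[bool, FrozenSet[str], str]:
    """Decide whether an OOB-signalled NS change may be applied.

    Returns (accepted, ns_set, reason). Acceptance requires every server in
    the registry's *current* delegation to answer and to agree on a single,
    non-empty NS RRset that differs from what the registry currently holds.
    A single stale or disagreeing server blocks the change (fail closed).
    """
    current = _norm(registry_ns)
    answers: Dict[str, Optional[FrozenSet[str]]] = {s: fetch_ns(s) for s in sorted(current)}
    missing = [s for s, a in answers.items() if a is None]
    if missing:
        return False, current, "no answer from " + ", ".join(missing)
    seen = {_norm(a) for a in answers.values() if a is not None}
    if len(seen) != 1:
        return False, current, "current servers disagree on the NS RRset"
    proposed = next(iter(seen))
    if not proposed:
        return False, current, "empty NS RRset"
    if proposed == current:
        return False, current, "delegation unchanged"
    return True, proposed, "change accepted; queue a poll message to the registrar"


def poll_message(zone: str, old_ns: Iterable[str], new_ns: Iterable[str]) -> dict:
    """Payload for the registrar poll message: which servers changed to which."""
    return {"zone": zone, "old": sorted(_norm(old_ns)), "new": sorted(_norm(new_ns))}


# Constructed sample: both current servers already serve the new NS set.
SAMPLE_ANSWERS: Dict[str, FrozenSet[str]] = {
    "ns1.old.example.": frozenset({"ns1.new.example.", "ns2.new.example."}),
    "ns2.old.example.": frozenset({"ns1.new.example.", "ns2.new.example."}),
}


def sample_fetch(server: str) -> Optional[FrozenSet[str]]:
    return SAMPLE_ANSWERS.get(server)
```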
_______________________________________________ regext mailing list regext@ietf.org https://www.ietf.org/mailman/listinfo/regext