On Oct 10, 2013, at 9:34 AM, Jim Reid <[email protected]> wrote: > On 10 Oct 2013, at 16:43, Dan York <[email protected]> wrote: > >> there's nothing that DNSSEC or anything else could have done here > > Perhaps that's the case for the incidents you described Dan. > > However DNSSEC could help provide some form of two-stage authentication for > these sorts of requests. Says he hand-waving... > > Some sort of token which identifies the EPP transaction could be given a name > and entered into the zone that's getting redelegated or whatever. That RR > would need to be signed. [For bonus points, the RDATA of that RR could be > that token encrypted with the private KSK or ZSK.] The registry checks this > RR before acting on the EPP request, rejects it if something is wrong and > raises an alarm. > > This would mean an impostor would have to do more than just compromise some > registrar's control panel or send a fake fax. They would need to get access > to the zone and its keys. Which in an ideal world would be isolated from the > boxes a registrar uses to speak to the Internet or to the registry.
My hands can wave faster than yours: Don't use passwords for registrant-registrar interactions, use public key crypto. Put a copy of the public key in a new RRtype in the signed zone. When the current zone owner wants to change the key (similar to a password change), they update that record. --Paul Hoffman _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
