I'm working on a system that needs to authenticate a TLD owner/operator in
order to take specific actions. We had intended to handle this by requiring
them to publish a token in a TXT record under a subdomain of nic.tld, but
it's been brought to our attention that we can't rely on nic.tld being
owned by the TLD operators - this is only a reserved domain on ICANN
new-gTLDs, not on ccTLDs or older gTLDs.

An alternative is to require a message signed by the TLD's DNSSEC zone
signing key, but I'm uncertain whether it's practical for TLD operators to
sign arbitrary messages using their keys.

Are there domains that are globally reserved for the operator across all
TLDs? If not, does anyone have any recommendations on an alternative
authorisation or authentication mechanism?

-Nick Johnson
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
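A verifier for the second approach in the question (have the operator sign a challenge with the TLD's DNSSEC key), added here as an example and not code from the post or the list: it parses the public key out of an RSASHA256 DNSKEY record's base64 field and checks a signature over a challenge bound to the TLD name and a server nonce. The key pair, the challenge format and the function names are constructed for illustration; a real verifier would first DNSSEC-validate the DNSKEY RRset it fetched from the TLD apex rather than trusting a pasted record.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
)

// ParseRSADNSKEY decodes the base64 public-key field of an algorithm-8
// (RSASHA256) DNSKEY RR, laid out per RFC 3110 as exponent length, exponent,
// modulus. Exponents wider than 4 bytes (including the two-byte-length form
// that starts with a 0 byte) are rejected as unreasonable.
func ParseRSADNSKEY(b64 string) (*rsa.PublicKey, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < 2 || raw[0] == 0 || raw[0] > 4 || len(raw) <= 1+int(raw[0]) {
		return nil, errors.New("malformed RSASHA256 DNSKEY public key field")
	}
	elen := int(raw[0])
	e := new(big.Int).SetBytes(raw[1 : 1+elen])
	n := new(big.Int).SetBytes(raw[1+elen:])
	return &rsa.PublicKey{N: n, E: int(e.Int64())}, nil
}

// challengeDigest binds the signed message to the TLD and a server-chosen
// nonce, so a captured signature cannot be replayed for another TLD or later.
func challengeDigest(tld, nonce string) []byte {
	d := sha256.Sum256([]byte("tld-operator-auth\n" + tld + "\n" + nonce))
	return d[:]
}

// SignChallenge is the operator's side (private ZSK); VerifyChallenge is the
// service's side and needs only the DNSKEY published in the TLD zone.
func SignChallenge(priv *rsa.PrivateKey, tld, nonce string) []byte {
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, challengeDigest(tld, nonce))
	return sig
}

func VerifyChallenge(pub *rsa.PublicKey, tld, nonce string, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, challengeDigest(tld, nonce), sig) == nil
}

func main() { // constructed stand-in for the TLD's ZSK, generated locally
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println(VerifyChallenge(&priv.PublicKey, "example", "n1", SignChallenge(priv, "example", "n1")))
}
```

The nonce must be single-use and chosen by the verifying service, otherwise the scheme degrades to proving possession of the key at some unknown earlier time.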