On Fri, Jun 14, 2019 at 2:51 PM Rubens Kuhl <rube...@nic.br> wrote:

>
>
> On 13 Jun 2019, at 23:18, Nick Johnson <nick=40ethereum....@dmarc.ietf.org>
> wrote:
>
> I'm working on a system that needs to authenticate a TLD owner/operator in
> order to take specific actions. We had intended to handle this by requiring
> them to publish a token in a TXT record under a subdomain of nic.tld, but
> it's been brought to our attention that we can't rely on nic.tld being
> owned by the TLD operators - this is only a reserved domain on ICANN
> new-gTLDs, not on ccTLDs or older gTLDs.
>
> An alternative is to require a message signed by the TLD's DNSSEC zone
> signing key, but I'm uncertain whether it's practical for TLD operators to
> sign arbitrary messages using their keys.
>
> Are there domains that are globally reserved for the operator across all
> TLDs? If not, does anyone have any recommendations on an alternative
> authorisation or authentication mechanism?
>
>
> All TLDs have admin and tech contacts published at
> https://www.iana.org/domains/root/db/[TLD].html (or port-43 WHOIS if you
> prefer); send e-mail to both of them, both need to be clicked to confirm
> TLD ownership.
> After that, use whatever mutual authentication system you feel like using.
>

That would work, but we'd rather use a mechanism that can be publicly
verified by anyone.

-Nick


>
>
> Rubens
>
>
>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop