On Fri, Jun 14, 2019 at 3:02 PM Rubens Kuhl <rube...@nic.br> wrote:

>
>
> On 13 Jun 2019, at 23:56, Nick Johnson <n...@ethereum.org> wrote:
>
> On Fri, Jun 14, 2019 at 2:51 PM Rubens Kuhl <rube...@nic.br> wrote:
>
>>
>>
>> On 13 Jun 2019, at 23:18, Nick Johnson <
>> nick=40ethereum....@dmarc.ietf.org> wrote:
>>
>> I'm working on a system that needs to authenticate a TLD owner/operator
>> in order to take specific actions. We had intended to handle this by
>> requiring them to publish a token in a TXT record under a subdomain of
>> nic.tld, but it's been brought to our attention that we can't rely on
>> nic.tld being owned by the TLD operators - this is only a reserved domain
>> on ICANN new-gTLDs, not on ccTLDs or older gTLDs.
>>
>> An alternative is to require a message signed by the TLD's DNSSEC zone
>> signing key, but I'm uncertain whether it's practical for TLD operators to
>> sign arbitrary messages using their keys.
>>
>> Are there domains that are globally reserved for the operator across all
>> TLDs? If not, does anyone have any recommendations on an alternative
>> authorisation or authentication mechanism?
>>
>>
>> All TLDs have admin and tech contacts published at
>> https://www.iana.org/domains/root/db/[TLD].html (or port-43 WHOIS if you
>> prefer) ; send e-mail to both of them, both need to be clicked to confirm
>> TLD ownership.
>> After that, use whatever mutual authentication system you feel like
>> using.
>>
>
> That would work, but we'd rather use a mechanism that can be publicly
> verified by anyone.
>
>
> Like sending an e-mail to a mailman list archive after the process is
> completed ?
>

Email isn't terribly secure - a mailman list doesn't prove the email
really existed, or was sent by the purported senders.

>
>
> Rubens
>
>
>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop