On Tue, Jun 18, 2019 at 10:15 PM Bjarni Rúnar Einarsson <b...@isnic.is>
wrote:

> The SOA record for a TLD contains two DNS names which should be
> under the control of the NIC: that of the primary master
> nameserver, and the e-mail of the responsible administrator
> (which includes a domain name).
>

This seems like an excellent idea - thanks! I'll wait to see what others
have to say.

On Tue, Jun 18, 2019 at 11:28 PM Jim Reid <j...@rfc1035.com> wrote:

>
>
> > On 18 Jun 2019, at 11:13, Bjarni Rúnar Einarsson <b...@isnic.is> wrote:
> >
> > The SOA record for a TLD contains two DNS names which should be
> > under the control of the NIC ...
> > People on this list can probably comment on whether my above
> > assumption is correct, and whether those are good candidates for
> > what you have in mind.
>
> Being able to control a zone’s SOA record (or whatever) means just that.
> No more, no less. It doesn’t mean someone who has that ability also has the
> authority to change the zone’s delegation even though they can manipulate
> the zone contents.
>
> Consider a registry that outsources authoritative DNS service. For
> instance one of the slave servers for .is could mess about with their copy
> of the zone file. [Admittedly breaking DNSSEC validation unless they also
> had access to the appropriate private key.] Modifying the SOA record
> doesn’t give that misbehaving slave provider authority to go to IANA and
> get the .is delegation changed even if they can make the SOA record or
> whatever “look right” in support of their bogus change request.
>

I think I addressed this upthread: If someone has the ability to change a
zone's DNS records and generate valid DNSSEC signatures for them (which we
will be requiring and verifying), they're sufficiently 'in control' of the
zone that I'm comfortable treating them as the authorised user. If someone
malicious has that control, the TLD owner has much larger problems.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
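The check Bjarni describes (pull the two operator-controlled names out of a TLD's SOA record) as an added example that is not code from this thread or from ISNIC: it assumes the SOA has already passed DNSSEC validation, and it treats "under the NIC's control" as "a subdomain of the TLD itself", which is this example's own simplification.

```python
# Added example, not code from the DNSOP thread: parse a TLD's SOA RDATA
# (presentation format, as a resolver returns it), recover the administrator
# e-mail from RNAME per RFC 1035 s3.3.13 (first unescaped dot -> '@',
# '\.' stays a literal dot), and check that MNAME and the RNAME domain both
# fall under the zone. "Under the zone" as the test for NIC control is this
# example's assumption. Sample SOA data below is constructed.

def rname_to_email(rname: str) -> str:
    """Turn SOA RNAME 'host\\.master.nic.example.' into 'host.master@nic.example'."""
    name = rname.rstrip(".")
    local, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            local.append(name[i + 1])        # escaped char: keep literally
            i += 2
        elif ch == ".":                      # first unescaped dot ends the mailbox
            return "".join(local) + "@" + name[i + 1:]
        else:
            local.append(ch)
            i += 1
    raise ValueError("RNAME has no domain part: %r" % rname)

def under_zone(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it (case-insensitive)."""
    n, z = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)

def soa_control_names(rdata: str, zone: str) -> dict:
    """Return MNAME, admin e-mail and its domain, or raise if either name
    lies outside `zone`."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError("SOA RDATA needs 7 fields, got %d" % len(fields))
    mname, rname = fields[0], fields[1]
    email = rname_to_email(rname)
    domain = email.split("@", 1)[1]
    for label, n in (("MNAME", mname), ("RNAME domain", domain)):
        if not under_zone(n, zone):
            raise ValueError("%s %s is not under %s" % (label, n, zone))
    return {"mname": mname, "email": email, "domain": domain}

# Constructed samples: an in-zone SOA and one whose master sits elsewhere.
GOOD_SOA = "ns1.nic.example. host\\.master.nic.example. 2019061801 3600 900 604800 300"
BAD_SOA = "ns1.outsourced.test. hostmaster.nic.example. 2019061801 3600 900 604800 300"

if __name__ == "__main__":
    print(soa_control_names(GOOD_SOA, "example."))
```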