> On 20 Jun 2019, at 8:45 am, Joe Abley <jab...@hopcount.ca> wrote: > > On 19 Jun 2019, at 18:28, Nick Johnson <nick=40ethereum....@dmarc.ietf.org> > wrote: > >> On Tue, Jun 18, 2019 at 10:15 PM Bjarni Rúnar Einarsson <b...@isnic.is> >> wrote: >> The SOA record for a TLD contains two DNS names which should be >> under the control of the NIC: that of the primary master >> nameserver, and the e-mail of the responsible administrator >> (which includes a domain name). >> >> This seems like an excellent idea - thanks! I'll wait to see what others >> have to say. > > I think you could probably build a heuristic around MNAME and RNAME that > would work at least most of the time. However, there's no definitive > identifier and there will always be exceptions you have to work around. > Sometimes MNAME relates to a back-end registry provider, sometimes to a > registry operator, and sometimes something else entirely. Ditto RNAME. > >> I think I addressed this upthread: If someone has the ability to change a >> zone's DNS records and generate valid DNSSEC signatures for them (which we >> will be requiring and verifying), they're sufficiently 'in control' of the >> zone that I'm comfortable treating them as the authorised user. If someone >> malicious has that control, the TLD owner has much larger problems. > > The organisation that generates the SOA/NS/A/AAAA RRSets in a delegation-only > TLD zone is not always the same organisation that signs it. Also, not all > signatures in a zone can be guaranteed to have been created by the same > organisation. Also, not all TLDs are signed. > > The contacts that the IANA relies upon to authorise changes for TLD operators > can be found at whois.iana.org, for what that's worth, or in due course at > the RDAP server specified in the object > <https://data.iana.org/rdap/dns.json>. But if you're looking for something > reliable you can validate using DNSSEC, I think you're out of luck.
And if you try sending to them you find the email addresses are often do not exist, bounce because the mailbox is full, are gatewayed to a restricted distribution list, or just ignored. Some do work though. My experience maybe biased because I’m always reporting problems when I send to them and if the operator hasn’t already noticed the problem there is a good chance the contact is also broken. > Joe > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
