Yes, something like that could work, but you’d have to document it.

Sent from my iPhone

> On Jul 9, 2019, at 7:58 PM, Mark Andrews <ma...@isc.org> wrote:
>
>> On 9 Jul 2019, at 10:53 pm, Ted Lemon <mel...@fugue.com> wrote:
>>
>> On Jul 9, 2019, at 12:00 AM, Mark Andrews <ma...@isc.org> wrote:
>>> Actually if a DNS operator is requesting that NS records pointing to them
>>> be removed then the TLD only need to look at the enclosing SOA of NS’s
>>> address records to find a valid contact.
>>
>> And how do they validate that any communication that follows is actually
>> with that contact?
>
> They email the address and ensure they get back something unique from that
> email.
>
> 1) Check the NS is returning REFUSED for the delegated zone.
> 2) Email the SOA contact with a unique confirmation URL with a validity
> interval.
> 3) When the URL is clicked remove the NS record from the delegation.
>
> Optionally allow for confirmation via email.
>
> If you want to check with delegated zone’s administrators do that between
> steps 1 and 2.
>
> If you are worried about the SOA contact being forged require that the SOA
> record be signed and that it validates as secure.
>
> The DNS is a good enough introducer especially when it is signed.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
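The three-step workflow quoted above, written out as an added example that is not part of this thread: the DNS lookups (NS rcode, enclosing SOA RNAME) are replaced by a constructed in-memory table so it runs offline, and the function names, the `registry.example` confirmation URL and the sample zones are all assumptions.

```python
import secrets
import time

# Constructed stand-in for live DNS: rcode each NS returns for a zone, and
# the SOA RNAME of each zone cut we know about (hypothetical names).
RCODE_REFUSED = 5
NS_RCODES = {("ns1.hoster.example.", "victim.example."): RCODE_REFUSED,
             ("ns2.other.example.", "victim.example."): 0}
SOA_RNAME = {"hoster.example.": "hostmaster.hoster.example.",
             "example.": "dns\\.admin.example."}
PENDING = {}  # token -> (ns, zone, expiry as unix time)

def ns_refuses_zone(ns, zone):
    """Step 1: the NS must answer REFUSED (rcode 5) for the delegated zone."""
    return NS_RCODES.get((ns, zone)) == RCODE_REFUSED

def enclosing_soa_rname(name):
    """Walk up from the NS's address-record owner name to the closest zone with an SOA."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        if zone in SOA_RNAME:
            return SOA_RNAME[zone]
    return None

def rname_to_email(rname):
    """RFC 1035 RNAME -> mailbox: first unescaped '.' becomes '@', '\\.' is a literal dot."""
    mbox, out, i = rname.rstrip("."), [], 0
    while i < len(mbox):
        if mbox[i] == "\\" and i + 1 < len(mbox):
            out.append(mbox[i + 1]); i += 2
        elif mbox[i] == ".":
            return "".join(out) + "@" + mbox[i + 1:]
        else:
            out.append(mbox[i]); i += 1
    return "".join(out)

def issue_confirmation(ns, zone, ttl_seconds=86400, now=None):
    """Step 2: one-time URL for the SOA contact, valid for ttl_seconds; None if step 1 fails."""
    rname = enclosing_soa_rname(ns)
    if not ns_refuses_zone(ns, zone) or rname is None:
        return None
    token = secrets.token_urlsafe(32)
    PENDING[token] = (ns, zone, (time.time() if now is None else now) + ttl_seconds)
    return rname_to_email(rname), "https://registry.example/confirm/" + token

def confirm(token, delegation, now=None):
    """Step 3: an unexpired, unused token removes the NS from the zone's delegation."""
    entry = PENDING.pop(token, None)  # single use, expired or not
    if entry is None or (time.time() if now is None else now) > entry[2]:
        return False
    delegation.setdefault(entry[1], set()).discard(entry[0])
    return True
```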