On 16 Oct 2019, at 6:10 am, Arnt Gulbrandsen
<arnt(_at_)gulbrandsen(_dot_)priv(_dot_)no> wrote:
On Tuesday 15 October 2019 18:52:18 CEST, Hector Santos wrote:
I wish I understood more of this discussion and "basic problem," if any,
It's this: if someone were to tell the .com registry that starting
immediately, they wish to sign domain hsantos.com and will the .com registry
please include the necessary RRs in .com, how would the .com registry know
whether to trust that someone?
Once the domain is signed and the records are in .com, there's a fine
mechanism that anyone can use to check whether that someone actually controls
hsantos.com. But what about the initial inclusion of the signature-related
records in the .com zone?
There are ways, sometimes at least. For example, if it's done when the domain
is initially registered, then it's clear that the registrant actually is the
registrant. But initiating trust is a difficult problem if you want to solve
it generally.
Well, when the delegation was initially registered, credentials were exchanged,
even if that was a user name / password pair. This allowed NS records and
glue address records to be updated securely. Updating/adding DS records is no
different. You use the existing mechanisms, initially this was talking to the
registry directly. These days it is intermediated through a registrar.
Or did you think anyone could change NS records for hsantos.com?
Mark
Arnt
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka(_at_)isc(_dot_)org