On 04/12/2017 08:11 PM, John Levine wrote:
If my suspicion is correct, has there
been thought of re-signing the DS record signed with the older private key
in a way that proves ownership through the key change?

This sounds to me like shutting the barn door after the horse is gone.

If it's important to you that your domain isn't hijacked, we all know
what to do, pick a registrar with good security and 2FA and so forth,
and monitor your own DNS with alarms if there are unauthorized changes.

Also, if we were to invent some sort of change signing, now you have
the other problem where the guy with the private key quits and takes
it with him, and you have to rebootstrap the zone somehow.

R's,
John

I wonder if the future DANE equivalent of EV-type validation is DS records at a well-known location at the root of the domain (e.g. /ds.signed), signed by a trusted third party, that clients can use to validate what is in their TLD.

The only commercial CA-issued certificates I personally have any confidence in as an end user are EV, and that would give even more confidence.

Use DANE to secure public X.509 and, when more confidence than DANE is needed, an expensive commercial CA to secure the DS records. A cheap commercial CA wouldn't be needed because DANE already provides far more than domain-validation certs can; only DS record certs that involve human validation would make sense, for things like banking or commerce or a major social network.

To work with more than HTTPS, third-party DS records could be sent with a future version of TLS or some kind of blockchain technology.
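The monitoring John suggests in the quoted message (keep a baseline of your own DS records and alarm when the set published by the parent diverges) can be scripted in a few lines; what follows is an added example, not code from this thread or from any DANE implementation. The owner name, KSK material and the "observed" DS set are constructed for the example, and the DS digest and key tag are computed as RFC 4034 specifies, so the same check also catches a DS whose digest no longer matches your own DNSKEY.

```python
# Added example: DS-set change monitor (not code from the original thread).
# Checks each DS against the zone's own KSK (RFC 4034 s.5.1.4 digest, App. B key tag)
# and diffs the set seen at the parent against a local baseline. Data is constructed.
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS tuple (key_tag, algorithm, digest_type, hex digest) for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def parse_ds(text):
    """Parse presentation-format DS RDATA: '<tag> <alg> <dtype> <hex digest>'."""
    tag, alg, dtype, digest = text.split(None, 3)
    return (int(tag), int(alg), int(dtype), digest.replace(" ", "").upper())

def ds_matches_dnskey(ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    ds = parse_ds(ds_text)
    return ds == ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, ds[2])

def diff_ds(baseline, observed):
    """DS entries that appeared at or vanished from the parent since the baseline."""
    b, o = set(map(parse_ds, baseline)), set(map(parse_ds, observed))
    return {"added": sorted(o - b), "removed": sorted(b - o)}

# Constructed KSK for example.test (algorithm 13 public keys are 64 raw bytes).
OWNER = "example.test."
KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
BASELINE = ["%d %d %d %s" % ds_from_dnskey(OWNER, *KSK)]
# Constructed 'observed' set: the legitimate DS plus one that was never published by us.
ROGUE_DS = "12345 13 2 " + "AB" * 32
OBSERVED = BASELINE + [ROGUE_DS]
```

Any non-empty "added" or "removed" list from diff_ds, or a baseline DS for which ds_matches_dnskey is false, is the condition to alarm on.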

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
