> On 18 Jun 2019, at 14:56, Shane Kerr <[email protected]> wrote:
>
>> Being able to control a zone’s SOA record (or whatever) means just that. No
>> more, no less. It doesn’t mean someone who has that ability also has the
>> authority to change the zone’s delegation even though they can manipulate
>> the zone contents.
>
> You're basically arguing against ACME-style authentication.

Shane, I’m not doing that. At least I don’t think so.

ACME-style authentication is a very good thing, provided its limitations are understood. Using that to demonstrate ownership or control of some zone is not unreasonable. However using ACME-style authentication in that way doesn’t necessarily prove someone has the authority to change the delegation of that zone - more so when the zone is a TLD. All I’m saying here is it’s unwise to make that assumption or build a TLD delegation validation mechanism around it.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
