It does seem that domain relationship management would be a useful capability,
especially as it relates to phishing or other spoofing attacks.
§ 5.2 DNSSEC (and elsewhere) indicates that signatures are NOT required. This
section, however, seems to give a good reason that maybe they SHOULD be
required, or at minimum strongly encouraged, and that bidirectional
relationship agreement MUST exist (signed or unsigned) to be valid.
Granted, the Introduction specifically states that “[i]t is not a goal of this
specification to provide a high-level of assurance as to whether or not two
domains are definitely related…”, but why would anyone read/consider/trust
unsigned relationships (except maybe a quick turn research thing)? Using
“SHOULD”, rather than leaving it open, seems to make this much more valuable.
That said, however, I will defer to those better informed and engaged.
The following minor (typos, misspelling, etc.) items were found:
* § 1.2 Relating-domain --> "declarating" should be replaced, probably with "declaring"
* § 5.1 Efficiacy of signatures --> "Efficiacy" should be replaced, probably with "Efficacy"
Pavel Ivanov
Neustar UltraDNS Developer
Message: 3
Date: Tue, 3 Mar 2020 19:11:32 +0000
From: "Brotman, Alex" <[email protected]>
To: "[email protected]" <[email protected]>
Cc: Stephen Farrell <[email protected]>
Subject: [DNSOP] RDBD (Related Domains By DNS)
Message-ID:
<sn6pr11mb263815a3157874070be86908f7...@sn6pr11mb2638.namprd11.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"
Hello,
A while ago, Stephen and I had sent out a few versions of this, and we had
some discussions and revisions were made. At the time, discussion waned;
however, I wanted to pick this up again before the onset of IETF107.
https://datatracker.ietf.org/doc/draft-brotman-rdbd/
I've had some folks contact me privately, and I saw an inquiry on another
list. There does seem to be some interest, at least in the anti-abuse and
research communities, in making this a functional proposition.
To recap, the rough idea is that implementers would be able to positively
or negatively confirm relationships between domains. In the world of
anti-abuse and research, these links are not always obvious. For example, in a
large corporation, some teams may go outside acceptable practice and register a
domain through another provider. Or it may be that you have international
branches that operate on a different TLD, but you may not have registered with
all TLDs. In the latter case, being able to both positively and negatively
state a relationship could be useful for anti-spam/phishing.
Any questions or comments would be greatly appreciated. Thank you.
--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast
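As an added example (not code from the draft or from either poster), a small Python model of the policy argued in the two messages above: a positive relationship counts only when both domains assert it, optionally only when both assertions are signed, while a negative assertion stands on its own. The `Assertion` structure, its field names and the `signed` flag are assumptions for the model, not the draft's record format.

```python
# Added, constructed model (not the draft's record format): assertions a domain
# publishes about another domain, checked with the policy discussed above.
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Assertion:
    relating: str      # domain that publishes the assertion
    related: str       # domain the assertion is about
    is_related: bool   # True: "we are related"; False: "we are NOT related"
    signed: bool       # assumed flag: the assertion carried a signature that verified


def _norm(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing dot so "a.com." matches "a.com"
    return name.lower().rstrip(".")


def relationship(a: str, b: str, assertions: Iterable[Assertion],
                 require_signed: bool = True) -> str:
    """Classify a<->b as 'related', 'unrelated' or 'unknown'.

    Policy: a positive relationship counts only when BOTH domains assert it
    (bidirectional agreement) and, if require_signed, both assertions are
    signed. A negative assertion from either side stands on its own, since a
    domain disclaiming another needs no cooperation from the disclaimed party.
    """
    a, b = _norm(a), _norm(b)
    usable = [x for x in assertions if x.signed or not require_signed]
    a_says = [x for x in usable if (_norm(x.relating), _norm(x.related)) == (a, b)]
    b_says = [x for x in usable if (_norm(x.relating), _norm(x.related)) == (b, a)]
    if any(not x.is_related for x in a_says + b_says):
        return "unrelated"
    if any(x.is_related for x in a_says) and any(x.is_related for x in b_says):
        return "related"
    return "unknown"   # one-sided, unsigned, or absent: make no claim either way


# Constructed sample assertions (example names only).
ASSERTIONS = [
    Assertion("example.com", "example.co.uk", True, True),
    Assertion("example.co.uk", "EXAMPLE.com.", True, True),        # case/dot exercise _norm
    Assertion("example.com", "shadow-example.net", True, False),   # unsigned and one-sided
    Assertion("example.com", "example-login.test", False, True),   # signed disclaimer
]
```

With the sample data, only the pair that both sides assert (and sign) is reported as related; the one-sided, unsigned claim stays unknown even when signatures are not required.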
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop