keys icon indicating copy to clipboard operation
keys copied to clipboard

Published 20 hours ago verified publisher icon keys-pub

Domains Should verify with DNS.

Open CitizenPrayer opened this issue 4 years ago • 3 comments

Unfortunately the only way to sign a key for a domain with keys.pub currently is via uploading a file to a server. This does not verify a domain, this simply verifies that a domain is linked to a server, in which case the server can be changed, swapped, etc. This is a security vulnerability, and ought to be corrected. Keys need to be signed in coordination with the DNS records themselves, so that servers are not involved.

CitizenPrayer avatar May 09 '20 10:05 CitizenPrayer

Should I change the "Link to Domain (https)" option to "Link to Website (https)", and then add the DNS option: "Link to Domain (dns)"?

I am sort of following what Keybase had as options for proofs.

gabriel avatar May 09 '20 18:05 gabriel

Should I change the "Link to Domain (https)" option to "Link to Website (https)", and then add the DNS option: "Link to Domain (dns)"?

This sounds awesome! Maybe the tool should only accept DNSSEC domains?

prusnak avatar May 10 '20 17:05 prusnak

@prusnak IIRC only some TLDs -- beit gTLD or ccTLD -- support DNSSEC so enforcing DNSSEC only would render certain verifications impossible.

tsujp avatar Aug 24 '20 04:08 tsujp