How can the DNS provider decide if Alice actually wants Bob to set her DNS, or if Bob is doing it without permission?
You just shouldn't point your domain into DNS providers that aren't providing DNS for you. If you go and add them to your domain, it's reasonable for the provider to decide that what they are doing is correct.
Anything you add here (are people thinking about some hard to write TXT record? It surely looks like so) will break more things than it fixes.
Verification link sent to registrant's email address. Change not processed until verification occurs.
This is generally the level of diligence (i.e. emailed verification link) that registrars are held to. DNS providers should be held to the same when the requesting account isn't the same account that created the 'earlier' zone file for a given domain at the very same provider.
Lots and lots of people don't use their own emails on the DSN information.
Maybe we should add a requirement that the zone register sends some notification on behalf of the DNS provider. That could work, at least on the TLD level.
Registrant contact information is maintained by the registrar. The failure of a Registered Name Holder[1] to furnish up-to-date contact information with its Registrar[2] may result in the forfeiture of rights[3] up to and including the suspension or cancellation of the registration itself.[4]
Point being that, short of transfer Auth-Codes[5], a verification link sent to the registrant's email address by the DNS provider is the functional equivalent of nearly the most that a registrar may be required to do in order to contact and/or verify a registrant.
The registrant's email address is made part of the WHOIS directories, whether obfuscated by a privacy service or not. It's publicly accessible information in accordance with § 1.1(a)(i) and (a)(iv) of ICANN's stated Mission.[1]
The DNS provider absolutely can send a notification to the registrant without having to 'go through' (meanining interact with) the registrar. Even a third-party privacy service merely exists as a notification broker. Any notification sent by the DNS provider would simply pass through onto the registrant directly.
I don't trust email to be secure enough for this; they may still be going out in plaintext. How do you automate DNS nameserver updates if you are migrating hundreds of domains?
Agreed. Two big challenges. But to be clear—we're talking here only about zone file management, not registration transfer (if that's what you mean by migration).
In the case of a large-scale, multi-domain authoritative nameservers assignment change, only the DNS provider would be able to facilitate the process programmatically. And at that kind of scale (i.e. hundreds of domains), one would hope verification would not only be obtained through, but require some form of human-to-human contact coupled with thoroughly documented scope.
From what I have seen the common way to protect against this is that the DNS service assigns you a random set of DNS servers for your zone (like ns-1887.awsdns-43.co.uk, ns-378.awsdns-47.com, ns-1029.awsdns-00.org, ns-557.awsdns-05.net for reddit.com). All of these must be added to your domain registrar.
I might misunderstand something here, but essentially, the authoritative DNS provider should only need to: (1) check for existing NS records upon registration, (2) never reassign a name server matching #1, and (3) refuse to serve DNS responses from non-assigned name servers.
It seems like the vulnerable providers either respond from or assign prior NS hosts, sometimes with randomized lottery thrown in, which only reduces the takeover probability.
I believe you are correct. This is how Cloudflare fixed the issue and how every other provider could fix it. Just may be (considered) a lot of work by providers that currently throw ns01.provider.com and ns02.provider.com at everyone.
Krebs's article also mentions it:
>What did DNS providers that have struggled with this issue in the past do to address these authentication challenges? The security firms said that to claim a domain name, the best practice providers gave the account holder random name servers that required a change at the registrar before the domains could go live. They also found the best practice providers used various mechanisms to ensure that the newly assigned name server hosts did not match previous name server assignments.
You just shouldn't point your domain into DNS providers that aren't providing DNS for you. If you go and add them to your domain, it's reasonable for the provider to decide that what they are doing is correct.
Anything you add here (are people thinking about some hard to write TXT record? It surely looks like so) will break more things than it fixes.