[dconn] Re: 6.4. Public Key Publication clarification
Sami Kerola <kerolasa@cloudflare.com> Thu, 12 March 2026 16:18 UTC
Return-Path: <kerolasa@cloudflare.com>
X-Original-To: dconn@mail2.ietf.org
Delivered-To: dconn@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 184A1C8F6903 for <dconn@mail2.ietf.org>; Thu, 12 Mar 2026 09:18:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=cloudflare.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aeG8NYLZiS5u for <dconn@mail2.ietf.org>; Thu, 12 Mar 2026 09:18:38 -0700 (PDT)
Received: from mail-qv1-xf2d.google.com (mail-qv1-xf2d.google.com [IPv6:2607:f8b0:4864:20::f2d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E5691C8F68EF for <dconn@ietf.org>; Thu, 12 Mar 2026 09:18:38 -0700 (PDT)
Received: by mail-qv1-xf2d.google.com with SMTP id 6a1803df08f44-89a06bc2f1bso21422546d6.1 for <dconn@ietf.org>; Thu, 12 Mar 2026 09:18:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1773332318; cv=none; d=google.com; s=arc-20240605; b=chdBfbNnmjbV0CyA2Nsc+SSna+PPjBjS7EAp38jCzI49sk54lRn8o7GV5iFFyoKE0t EjTz63FdnmDjlqU3hEe0PP387QvSlrDj6Pm10CmzTqvTUcH3pj4x7gJ12PvFOZxuylXb A4awjkZcN8E7etAQTnM9giODUC35AcnA00uYF24oX/erMFIeTyhvIcZyqwPdpQS75+j6 0szKSObwiohRjQ6AF33nKZEOWDKWlUHYJrUaBHFn0+R9teEo8NLOMCvCRdGjwXUIzp4u hhM7VayF23h/uwh/GkBN0CFaQFuYTVP4kVUsG3MDEqsy8tqEIl2fOc+nWDcRougZ1bAB TVWg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=9KOlIrG+F8b/psIHybBpmWN06y5svySDkYa/t26LyaQ=; fh=8AHluQ5vNatqAVQAEeILDAsfPmHM0xVXJGYfSyLgcwA=; b=OrpNphRSmsgRYuHxUIv78Rm9qPFQiVHXbtbfiyJj4z1vEIcD0fo4JPstz0VrcSJHkI gLSDUQ+1NK47urAZhn63bAqJB71MXMWOqgvcclyRA3B5NN9HiDl+xWCuU9yQIHtB1dpe qKNT7vlmEmPTsb0Dd/l7FbzVszoFLJTwJJ3ZYJXNEg5vUWA0LxPEAeHs4/hPOtgc7Uic b3OBxCiJZ79F6MsVJJ+UP0CXyBowoeQDrGYBowTjZhId2wbggswHJN1kJdp3bXQAUgj5 uwmilRf7o4p5RWXtZ2c9c2DKjUjXAE92ahOQt5zBOLvoIoOljZFKkCQ4aYGjQwm42Hta i1cQ==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1773332318; x=1773937118; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=9KOlIrG+F8b/psIHybBpmWN06y5svySDkYa/t26LyaQ=; b=Ws8TfYq8uwbY1NeiEdVu6L7rBdvg+mi9YXKHrUmTXloBtJ2JajhI/qr3wUv/5OFfUS 5XjPOt3F6ZC8h9K2WKcCJ7UUyf4FE0WlViqozf6syVFgh9+AKsrOUAY+7orIc0ng2/6a 47MZbRK0+Y7mXsa/K+GZS3KC1tDzmAAe2IfNYP+iysn1yrf9NCfrDZygeCIxo+u7LFXN kPQ6Zb52AM5GGUspfmRwJgTSxBHR+czQKjcUvu/6/oBqbYc/fV4x7jKfi6ETUf2gKEdW /9Il4Cvbi8aGiLTy6hu82OQh6KlYsmo9h1BEOETFl9areK+qci5OaARb+V08HL4Q3hH6 P6+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1773332318; x=1773937118; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=9KOlIrG+F8b/psIHybBpmWN06y5svySDkYa/t26LyaQ=; b=qQLJF5oL0vpMj3qOf8QKrAOLSphkvzVMGXDV/gOiCOyeANlWOcMgDv+QvMv0FAFADo 0k0LQVdhBQ3gWNM2RersasR2tO3J7C7RYu7EBEZXv8pIr7o31586qYCv//F4656kL1wM PvRoI/nCQSQeJgHciZoQ37fDU6FVrlMOTlu99mGGw2cEweF40aQI45PZG5uNbYRhmLCC wonsfbbkHp+3tFXTj+NC4KS1FUw0USiEwPW0WxBLXhP5s1t2SNCys3RhvG/fRBwqv0Po +i2L7WwnLT/YOX6axVV3CvgRPHahXsj0k+g9XBbMeEDUZmmkQq2V7ytqkXt8wnJa3Ash BEiw==
X-Gm-Message-State: AOJu0YyWsCp9/ceNAaPgBtMLa5G8yV1Camgc3im57A+nUpREtLDYWcoU gjR4VO7c8TeXqv3+MiswQZPR33F7XR1zwlXoqpQL/WwkuC32/FpnfE3PZdujupXBUZuXeKw8sgW IItjzJaa+B290rKwILahVUoO6+K/hVBds+jwXRnN7fmXWnDgK04d76v+PAcoZ
X-Gm-Gg: ATEYQzzu5lWD+kPBfiHg1DCExHdZDH0VmaDi1qMTVG1hteverhnjcmmSKs5eBmx7wJW Az0lrVYB08KXBkjVhI2c+e2VDBQ1fldJApcnJu1b2RuY+deJqwvIuiVYKP2rwbzq+SRP7TbU59R B6QW/mLPzVaV2uDJxHeGoA+kGaHl8TTBEXdo5z8Ohq02Erx5/dvxpSBt/uGjTYwsBW4AuAY0hPD 0h8dvpczuwChVPVwY3ayAshICDRT/xrjv6b+JolzNqhIuKNcD1xxfiOfWzQchdQmI4gG6EOZQxF HxikK+Sa+yE3SApr3ehImEEN
X-Received: by 2002:a05:6214:2481:b0:890:2480:f02e with SMTP id 6a1803df08f44-89a81e23ca6mr4499496d6.28.1773332318278; Thu, 12 Mar 2026 09:18:38 -0700 (PDT)
MIME-Version: 1.0
References: <CAEnV9zp-jQwGNEEVems5VwP-YFZRzNbEMtYUZPrB5Ni3uhutwQ@mail.gmail.com> <2a3cdbe7-dcbb-4df7-9932-d7d100f5ed6a@denic.de>
In-Reply-To: <2a3cdbe7-dcbb-4df7-9932-d7d100f5ed6a@denic.de>
From: Sami Kerola <kerolasa@cloudflare.com>
Date: Thu, 12 Mar 2026 16:18:27 +0000
X-Gm-Features: AaiRm52DdfMVryGQBaA-b9fgyYqZVf-wN_I8ixvZ2OiukHbNiDcutuSrpojo1eE
Message-ID: <CAEnV9zoAFAW+NUk81fT1hMnZ+PtC1tnYZGyBMiA+-wPO=q9JHw@mail.gmail.com>
To: Pawel Kowalik <kowalik=40denic.de@dmarc.ietf.org>
Content-Type: text/plain; charset="UTF-8"
Message-ID-Hash: BEKQG77L4WN7W3FTV6BKGNTWBE3BYU5L
X-Message-ID-Hash: BEKQG77L4WN7W3FTV6BKGNTWBE3BYU5L
X-MailFrom: kerolasa@cloudflare.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Domain Connect <dconn@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [dconn] Re: 6.4. Public Key Publication clarification
List-Id: "Domain Connect is a protocol that makes it easy for a user to configure DNS for a domain running at a DNS provider to work with a Service running at an independent Service Provider." <dconn.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dconn/Ck3EpoVOK0eNVEjZ2rgRUu3BNA8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dconn>
List-Help: <mailto:dconn-request@ietf.org?subject=help>
List-Owner: <mailto:dconn-owner@ietf.org>
List-Post: <mailto:dconn@ietf.org>
List-Subscribe: <mailto:dconn-join@ietf.org>
List-Unsubscribe: <mailto:dconn-leave@ietf.org>
On Wed, 11 Mar 2026 at 15:50, Pawel Kowalik <kowalik=40denic.de@dmarc.ietf.org> wrote: > answers inline after [PK]. Hi Pawel, Likewise, always inline. Old-fashioned email etiquette is the best. > On 11.03.26 10:17, Sami Kerola wrote: > > While working on the DNS provider side of the business I started > > checking if the synchronous public key flow works correctly here in > > Cloudflare. Here is link to the section I am talking about. > > > > https://www.ietf.org/archive/id/draft-ietf-dconn-domainconnect-01.html#section-6.4 > > > > Technically a Service Provider could publish: > > > > _key.dc.example.com. 300 IN TXT "p=1,a=RS256,d=MIIBI..." > > _key.dc.example.com. 300 IN TXT "p=2,a=RS256,d=..." > > _key.dc.example.com. 300 IN TXT "p=1,a=RS512,d=MIIBI..." > > _key.dc.example.com. 300 IN TXT "p=2,a=RS512,d=..." > > > > And that does not violate the current draft. But I doubt DNS Providers > > commonly expect a single resource containing multiple keys separated > > by different algorithms. Perhaps the specification should clarify that > > a single resource MUST NOT mix multiple algorithms. > > [PK] The intention was clearly to never publish more than one key on the > same "key" label. That is what I assumed, but I did not want to leave this open to interpretation. > The current text: > To allow for key rotation or use of multiple keys, the Service Provider > MAY publish key records at multiple hosts within "syncPubKeyDomain". The > "key" apply parameter identifies which host to query for each request > and MUST be included in the signed apply request. > > I propose to add: > > Service Provider MUST NOT publish more than one key on the same host name. I favour one hostname, one key. > > In practise key > > publishing would then look something like this: > > > > _rs256.dc.example.com. 300 IN TXT "p=1,a=RS256,d=MIIBI..." > > _rs256.dc.example.com. 300 IN TXT "p=2,a=RS256,d=..." > > _rs512.dc.example.com. 300 IN TXT "p=1,a=RS512,d=MIIBI..." > > _rs512.dc.example.com. 300 IN TXT "p=2,a=RS512,d=..." > > > > When the Service Provider generates a validation hash the algorithm > > used is known, so it should not be too much to require to the related > > pubkey resource to the downstream DNS Provider. I think that makes > > sense, any thoughs? > > > [PK] Yes. This is controlled with "key" parameter and shall be set > according to the key in use. > > There is also an aspect of "a" and "d" parameters for key fragments. > Theoretically it's not necessary to repeat them for fragment other than > 1 (p=1), but for now the draft tells that they must be equal for all > fragments (repeated) for consistency. Sounds good. I will try to make the debug tool work according to the text above. https://pkg.go.dev/github.com/kerolasa/dc-debug-pubkey And there are a couple of bits I need to flip & fiddle with the Cloudflare Domain Connect implementation, but that's closed source so I'm not going to comment further on what's up with it. Yours, Sami -- Sami Kerola https://kerolasa.iki.fi/
- [dconn] 6.4. Public Key Publication clarification Sami Kerola
- [dconn] Re: 6.4. Public Key Publication clarifica… Pawel Kowalik
- [dconn] Re: 6.4. Public Key Publication clarifica… Sami Kerola
- [dconn] Re: 6.4. Public Key Publication clarifica… Pawel Kowalik