[DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)

John R Levine <johnl@taugh.com> Fri, 30 May 2025 20:29 UTC

Date: Fri, 30 May 2025 16:28:58 -0400
Message-ID: <22871113-3a09-7c6a-4c01-a839708c9788@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Joe Abley <jabley@strandkip.nl>
In-Reply-To: <A730BDB0-7387-417F-92E3-B654867CA3BD@strandkip.nl>
References: <16ef83e1-3ba4-cd0a-24ee-85557e0e838e@taugh.com> <A730BDB0-7387-417F-92E3-B654867CA3BD@strandkip.nl>
CC: Paul Hoffman <paul.hoffman@icann.org>, dnsop@ietf.org
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-Ot44fUcT9tmzykz8IVEiyyEa0A>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>

On Fri, 30 May 2025, Joe Abley wrote:
> I have definitely received automated email telling me that my domain is about to be detached from a particular service because the TXT record had been removed. Other TXT records I have removed in the interests of hygiene had no such effect.
> I agree that consistency would be better than this state of affairs.

It seems to me that a DCV in the form we use is no worse than anything 
else persistent that's going to be in the DNS.  The point of the random 
token is to show that the person publishing the DNS record is the one with 
the account to be verified, but once it's published the cat is out of the 
bag.  I don't see any way to fix that other than periodically changing the 
token, and if you're going to do that, you know where to find ACME.

> It also seems possible that there is a need for two signals: that a 
> domain is authorised to onboard to a particular service, and that a 
> domain is authorised to continue to be linked to a service.

I would guess that the chances that the places that use DCV would use two 
different signals are on the order of 0.001%.  I suppose a flag like 
expiry=indefinite rather than expiry=260123 could give DNS people a hint 
of which ones are OK to delete.

R's,
John

PS: The threat model for faked long term DCV seems rather implausible. 
A malicious actor is going to fool some SaaS company into continuing my 
subscription so they can steal it?  That's going to be hard to do once I 
don't pay the bill.
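The expiry-hint idea from the message above (expiry=indefinite versus expiry=260123), worked into a small zone-hygiene triage that tells a DNS operator which DCV-shaped TXT records are safe to remove and which would detach a service. This is an added example, not code from the poster or from the draft; the key=value TXT layout, the token/expiry keys and the YYMMDD reading of 260123 are assumptions.

```python
from datetime import date, datetime

# Constructed sample records (owner name -> TXT rdata strings). The key=value layout,
# the token/expiry keys and the YYMMDD dates are assumptions, not the draft's format.
SAMPLE_TXT_RECORDS = {
    "_mail-challenge.example.com.": ["token=d2VsbC1rbm93bi1yYW5kb20tdG9rZW4"],
    "_saas-challenge.example.com.": ["token=9f1c0b7a4e2d; expiry=indefinite"],
    "_crm-challenge.example.com.":  ["token=5a77e0c1b9d3; expiry=260123"],
    "_old-challenge.example.com.":  ["token=0c3e9a8b1d24; expiry=250101"],
}

def parse_kv(rdata: str) -> dict:
    """Split 'k=v; k2=v2' TXT rdata into a dict with lower-cased keys."""
    out = {}
    for part in rdata.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out

def parse_expiry(value):
    """'indefinite' -> 'indefinite'; 'YYMMDD' -> date; absent or junk -> None."""
    if value is None:
        return None
    if value.lower() == "indefinite":
        return "indefinite"
    try:
        return datetime.strptime(value, "%y%m%d").date()
    except ValueError:
        return None

def classify(records: dict, today: date = date(2025, 5, 30)) -> dict:
    """Map each DCV-shaped owner name to a hygiene disposition as of `today`
    (default pinned to this thread's date so the sample output is reproducible)."""
    result = {}
    for owner, rdatas in records.items():
        for rdata in rdatas:
            kv = parse_kv(rdata)
            if "token" not in kv:
                continue  # not DCV-shaped; out of scope here
            exp = parse_expiry(kv.get("expiry"))
            if exp is None:
                result[owner] = "no usable expiry hint: ask the service before removing"
            elif exp == "indefinite":
                result[owner] = "indefinite: the service still relies on it, keep"
            elif exp < today:
                result[owner] = f"expired {exp.isoformat()}: safe to remove"
            else:
                result[owner] = f"valid until {exp.isoformat()}: keep"
    return result
```

Records without any hint fall into the "ask the service" bucket, which is exactly the situation the thread describes: removing them silently risks the onboarding link being dropped.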