[DNSOP] Re: Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-05.txt

"Wessels, Duane" <dwessels@verisign.com> Tue, 09 July 2024 21:54 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A22FC15106C; Tue, 9 Jul 2024 14:54:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mWXHcesHqy6K; Tue, 9 Jul 2024 14:54:31 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B21C4C14F712; Tue, 9 Jul 2024 14:54:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=10226; q=dns/txt; s=VRSN; t=1720562071; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=Ozrkw4bY64PXwdc02DCHDglG5oByRUpbrad6BvU/0Gk=; b=HxAK+lF+N53SHdnaUGR/bOH8R8G7zn2GK+hJOkjY/XFg8KzifB8CALEW LS+jKgh1/dIHI03x6TDd3V8Uohsdy6CtYvSv7jGf4ij2+A7RZZxftOAiE f0/OZb8/kiULYrBmItJbeBpMaO1Y9SD/C0iJk/lYnRf08ViG81RNPkBAT HhmYgBiXIBhDkHeYunt/S774edcnY9r3LfaRF2WdLBKwxoAh9iZEiNhJN eYfT7yH+C8fzbRj8Ht+yUgGcnt/5ly8mwZAfUlGReEWj8owPevH6QHw3e ZBwGIvcgxMXiLr7WwQ/pHH8GnPLfZS2LzS0JlnpSJPsd6BgGyq2dkEUhX w==;
X-CSE-ConnectionGUID: nWLmyW4xQK6EzxaXXqAcXA==
X-CSE-MsgGUID: RgM3Ra6QQ1WjxmzTn+hH9w==
X-ThreatScanner-Verdict: Negative
IronPort-Data: A9a23:HYZKBqNkt6ro58PvrR3XkMFynXyQoLVcMsEvi/8bNHDolHp+jmZWi jtAB3bGYazJZX+2Io4oOcnztx82DaSljYs6FVdy7S52J54hgZXOWN7Edh/9NX2bcMfOEUw25 sgXM4edfc1qRHKG/EukOOKw83cthKvTGbGiUuOaNi1/SAQ1GHZw10g9keUy3YAAbbSRChuVv dL5qtHeP1niwz1/KT1R8KOMrhpzoe7/0N89lgVWiadj4AWGxhH5da43Jb2tNym/BY5fBfb8S +fMzbq05H+f9BAoUnlMOF/GGnHmOYU+QTWzonpKR7DwxV9apS131a0gLLwQaEhWgDiTg5Z6z 9AVmN/ow+/hb63QhPxPFBJRGCxke7ZX/bbaPXj5usuWiEjecHqrz/RhDUo7J5EToP13CHtD+ ecdKTUAZRnFjPiqmNqHppJXargewLPDZMVH0kxIzS3FFe10BtfcXLqM6d5X3Tw9nNwIFvHbI OEhUmLFhb89IEXl0/z3YK7S59xE8UQTCRUE7gr9mII3/3TL1142l6fyL5zZe9OLTshPggCTo WeB5XzwRwwTbLSjJUG+HgWRapXnwWWjML86FKGk7uU4xxqM2XNVBBwZVFC2u+X/gUm7HMhHI gkJ83IExZTej3dHOeQRJTXk5ibsgyMhZjZwLwEbwAvdkvGJvgrGCzNdFmZKN4R268Q9HmUni gCEwYO5CTJj7OTFGHmQyOyZ/Gi4UcQ3wc3uRgdfFFdYvIOzyG0XpkiSJjq2OPft1rUZIRmpn nbX6nF43+hO5SIy//3T1UjdhD6xrYT+QAcw5wHGNkqo9QoRiLSNPuRE0nCFq64RRGqlZgPZ5 iRcxJDPtLxm4aylz0Rhfs1cRNlF2N7YaFUwsXY3d7E9+jKk/WKUfIw4yFlWOEdzP88YTiTia UnVtBk5zMc70KyCNPIfjyqZUqzG/IC4fTjXfqm8gulmO/CdQDS6EBRGPiZ86Ui2yRRxzvtvU XusWZ3E4X4yUcyLxRLoH7tNiedDKioWnQs/Trijp/irPCb3iNd4ht7pPXPXBt3V4p9ory3Tz PJaJvTW2yx8DsDsciDnwZc6JmAjeC1T6ZDe86S7d8apGCw/J0cMO6eLh60qfJZ92a1Z0PnS5 Xf7UUhdoLb9rSSfb1zVMTY6NeipAccXQXETZETAOX6kxHU4eour948BeoE2Zrgo8qpoyvsco /wtIJ/bXK4QFmWvFzI1V5bY97ZrKi2S3D2MLy+3XD58f74xWFmckjPjVk61nMUUNQK7s9A5u 5Wh2x/VB50ZSGxKANzfZu7qzl6tsz0Rnvl1Rw7EJdxaeUOp7oVwKiLwhfYrIsYKbAnOzTuc1 h+LDAwwpOTRrcky6tahuEyfh42zFbJhGEdKRzOe9qiscyzb5S+pxslKSuDROy7HT2Wy86KnD QlI88zB3DQ8tA4im+JB/3xDlMrSO/OHS2dm8zlZ
IronPort-HdrOrdr: A9a23:1RYrhqC+RB3+8NPlHemP55DYdb4zR+YMi2TDj3oBLSC8cqSj+/ xG785rsiMc6QxhIk3I9urhBEDtexnhHNtOkOws1NSZLXTbUQmTXeJfBOLZqlWKJ8S9zJ8+6U 4KScdD4ajLbGSS+vyV3ODXKbsdKZK8gcaVbK/lvg5QpZEDUdAZ0+5WMHfhLnFL
X-Talos-CUID: 9a23:K3yefW97a8k+pJ7yQiGVv0grPsU0TSHN9VSODl2oAFZZUZSeeXbFrQ==
X-Talos-MUID: 9a23:lpLkhgSCYMyAp0FORXTWixQ5Ds422p33N0IdlIc6vYqEFX1vbmI=
X-IronPort-AV: E=Sophos;i="6.09,196,1716249600"; d="p7s'346?scan'346,208,346";a="32362749"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.37; Tue, 9 Jul 2024 17:54:29 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) by BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) with mapi id 15.01.2507.037; Tue, 9 Jul 2024 17:54:29 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: dnsop <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-05.txt
Thread-Index: AQHa0aKKJzVCsfS8C0u53eO9HP5/+bHvNOEA
Date: Tue, 09 Jul 2024 21:54:28 +0000
Message-ID: <1E8C3D2F-0F69-4A4F-B29B-C4EA9A5566F3@verisign.com>
References: <172047471396.458153.12797163404923712142@dt-datatracker-5f88556585-j5r2h> <CADyWQ+GMHrL2ABd6hMhWujMEO=pDtDXsc3tGDPx72uYqxa4JbQ@mail.gmail.com>
In-Reply-To: <CADyWQ+GMHrL2ABd6hMhWujMEO=pDtDXsc3tGDPx72uYqxa4JbQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3774.600.62)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_B56ABE76-CEA4-419E-BA34-7BBEAC217C4C"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Message-ID-Hash: 5V7HHULJXFIV3QGTVFZF3LCNJ52K2YCJ
X-Message-ID-Hash: 5V7HHULJXFIV3QGTVFZF3LCNJ52K2YCJ
X-MailFrom: dwessels@verisign.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "draft-ietf-dnsop-domain-verification-techniques@ietf.org" <draft-ietf-dnsop-domain-verification-techniques@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-05.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1X7iwauPuNAtNR8l78byzDGJawE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

I read through draft-ietf-dnsop-domain-verification-techniques-05 and have a few minor comments / suggestions.



> this may result in IP fragmentation, which often does not work

While it’s true we have come to agree that fragmentation is bad for DNS, I think “often does not work” overstates the situation.  I’d say it works more often than not and I don’t see draft-ietf-dnsop-avoid-fragmentation making the case that fragmentation does not work.  


> Depending on message size limits configured or being negotiated, it
> may alternatively cause the DNS server to "truncate" the UDP response
> and force the DNS client to re-try the query over TCP in order to get
> the full response. Not all networks properly transport DNS over TCP
> and some DNS software mistakenly believe TCP support is optional
> ([RFC9210]).

I have mixed feelings about this.  While perhaps factually true, I think broken DNS-over-TCP shouldn’t be a reason for not lumping validation records together.  There are other valid reasons to avoid that practice and networks with broken DNS-over-TCP shouldn’t be coddled.


> When multiple distinct services create domain Validation Records at
> the same domain name,

services don’t create records, users/administrators do.  Maybe reword as “When multiple distinct services specify placing domain Validation Records at the same …”

> The presence of a Validation Record with a predictable domain name
> (either as a TXT record for the exact domain name where control is
> being validated or with a well-known label) can allow attackers to
> enumerate utilized set of Application Service Providers.

Not sure I buy this argument.  Doesn’t the draft recommend using predictable names anyway, just one per provider?


> 1) A domain name related to the domain name being validated 2) A
> Validation Record, either directly in RDATA or as the target of a
> CNAME (or chain of CNAMEs)

It’s not clear to me if this an “OR” list or an “AND” list?

> because base64 relies mixed case

"utilizes mixed case”?

> Application owners SHOULD consult the IANA "Underscored and Globally
> Scoped DNS Node Names" registry [UNDERSCORE-REGISTRY] to confirm
> there are no collisions with existing entries.

maybe this could be less passive as “consult … and avoid using underscore labels that already exist in the registry”?

> either the RDATA or a domain name

> The RECOMMENDED format for a Validation Record's domain name is
> 


Here and in numerous other places I think “domain name” might be better as “owner name”.  i.e.: "the owner name of a validation record"


> without having to hand over full DNS access

what is DNS access?  ;-)

> by letting the Intermediary place the random token in their DNS

in their zone?

> APIs SHOULD be used to relay instructions.

Not sure I follow this.  An API to relay instructions?

> TTL Considerations

If I were writing software to verify domain control, I probably wouldn’t use a caching resolver.  I’d just send queries to authoritative name servers to avoid caching.  The draft doesn’t seem to have any thoughts on this one way or the other?


> CNAME Records for Domain Control Validation

I think the document could be more clear or explicit that a CNAME target must exist.  i.e., a random token in the owner name of a CNAME record is not sufficient and such a CNAME whose target does not exist should be treated as a failure, right?


> Application Service Providers MAY include the random token in a
> domain name that is related to the domain name being validated. An

proposed rewording: Application Service Providers MAY specify that a random token be included in the owner name of a validation record.

DW