[DNSOP] Re: Request Feedback: draft-sheth-dns-integration

kowalik@denic.de Fri, 09 August 2024 13:53 UTC

Return-Path: <kowalik@denic.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDD28C14F5E8 for <dnsop@ietfa.amsl.com>; Fri, 9 Aug 2024 06:53:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=denic.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wHok1bfDUMiC for <dnsop@ietfa.amsl.com>; Fri, 9 Aug 2024 06:53:01 -0700 (PDT)
Received: from mout-b-203.mailbox.org (mout-b-203.mailbox.org [195.10.208.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89897C14F5F5 for <dnsop@ietf.org>; Fri, 9 Aug 2024 06:53:00 -0700 (PDT)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [10.196.197.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-203.mailbox.org (Postfix) with ESMTPS id 4WgQN70HCSz9trN; Fri, 9 Aug 2024 15:52:55 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denic.de; s=MBO0001; t=1723211575; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=wwfcn/z4RSaCgK7c0fA8x6tX1ulbLzBsW22sQiIXdXY=; b=EbCpGNjef2xvsCnZf9n4dbUhceY48zO2uDTXsmpJGBti+9VJRCcp4qk7UUbSGiKvqeavJR sU6pvC1tHHPxlTViqG+wkmRwBDcL+zuZVTpp5PFDbnQDUUDPQuKfdLi5/qdrEtiqSQ6UXM LIKRgbI0RSlfSXs0/sux4jYzaEIYzcJLhl8pVmpdzpXaIGbsmCygELxu70bISaQ/p4drxF MrBabxmLIc1wFy3JT+882eUL/gjPUb2qK5Q0aJCoJ7t4C4UzvYOvcfwkpxXDKDhQFAnfew S3+OdlK9IaRNYPmBkAPvq69ljEBOK7MKmCRTVY60m/9ulL2T6B0HJ+vm9bipnQ==
Message-ID: <9df18f77-8fcb-4e0c-b162-878c7d4800df@denic.de>
Date: Fri, 09 Aug 2024 15:52:52 +0200
MIME-Version: 1.0
From: kowalik@denic.de
To: "Sheth, Swapneel" <ssheth=40Verisign.com@dmarc.ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>
References: <3D071AEB-07A6-45C5-8FEA-3D07EC7451AA@verisign.com>
Content-Language: en-GB, de-DE
In-Reply-To: <3D071AEB-07A6-45C5-8FEA-3D07EC7451AA@verisign.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms030308070601010708010808"
X-MBO-RS-ID: 0f7ddefeebb456208ba
X-MBO-RS-META: qt6xnmaqjftnt7hf7i8a775imqebq1d5
Message-ID-Hash: OWXBTJSQG6NDRNBJIN5JBCFWD4QCC223
X-Message-ID-Hash: OWXBTJSQG6NDRNBJIN5JBCFWD4QCC223
X-MailFrom: kowalik@denic.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Kaizer, Andrew" <akaizer@verisign.com>, "bryan@blueskyweb.xyz" <bryan@blueskyweb.xyz>, "nick@ens.domains" <nick@ens.domains>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Request Feedback: draft-sheth-dns-integration
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/24OmBYE1m-pCXzIelbWc-1CgxKQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi Swapneel,

This is a valuable work. Some remarks below:

4.1.  Domain Name Lifecycle / 4.5.  Identifier Attribution

I would add any other changes to the technical configuration which might 
affect the integration (such as change of delegation).

Also an aspect of an owner of a domain name being blocked from usage of 
the name at an integration should be mentioned in both cases if the 
ownership would change but also if the integration would not verify at 
all and allow blocking names as a result.

One additional observation that might be mentioned is that DNS and 
domain registration ecosystem is currently lacking an effective 
mechanism of assuring this recommendation other than polling over 
existing protocols (WHOIS/RDAP/DNS) to figure out any change that might 
have happened. Even this would be limited only to visible changes and 
not all changes if some data would be redacted.

4.2.  Domain Control Validation

The draft mentions "storing evidence directly on a server referenced by 
a DNS domain name". Later it indicates the intention to verify that the 
current registrant is performing the integration. I think at least some 
text should be added about the level of indirection that domain control 
validation should accept as well as the goal of the validation. Even 
with the usage of DNS there is the TLD registry which actually deals 
with the "current registrant" and the Nameserver handling the zone which 
may be already controlled by other party who would be able to 
successfully complete the validation. Next level of indirection to a 
(web) server would be one additional step away from the registrant. Some 
integrations would just have a goal to assure technical control over the 
name in DNS or webserver, others would really seek to have a 
confirmation from the registrant, so maybe the text should account for that.

The scope of the validation, which is very broadly described in 
ietf-dnsop-domain-verification-techniques shall also here be taken into 
consideration.

4.3.  Completeness

This part could also express a stronger wish to support all names 
allowed in DNS to avoid confusion and negative domain owner experience. 
Otherwise an integration might decide "out of technical reasons" to only 
support ascii domains, which won't be in line with universal acceptance 
efforts.

4.5.  Identifier Attribution

DNS hijacking is specifically mentioned, however I think this can be 
generalised accordingly to the control validation used. If https server 
is used then new possibilities of change of control over an identifier 
outside of DNS can be open.

4.6.  Variety of DNS Management User Interfaces

Domain Connect draft-kowalik-regext-domainconnect may be mentioned as 
one of the methods of dealing with this particular issue.

Kind Regards,

Pawel

On 05.08.24 18:04, Sheth, Swapneel wrote:
 >
 > DNSOP,
 >
 > Just before IETF 120 we published a draft "Integration of DNS Domain 
Names into Application Environments: Motivations and Considerations" 
along with co-authors from Bluesky and Ethereum Name Service.  You may 
have seen us socializing it at the hackathon and HotRFC or heard the 
request for feedback during Thursday's DNSOP session when the chairs 
mentioned it during the "Drafts of Note" of section.
 >
 > During IETF 120 we received a lot of good feedback around this draft 
and would like further feedback!  Since the initial 00 version, we have 
changed the draft to informational and are in the process of evaluating 
how best to incorporate the other feedback we received.
 >
 > The goal of this draft is to provide informational guidance to 
communities who are trying to incorporate DNS domain names into their 
applications.  The draft currently provides motivations for why 
applications opt to utilize domain names and qualities that applications 
should consider as they build and maintain their integrations, e.g., 
having processes in place to account for domain name lifecycle events or 
DNS protocol evolution.  We would appreciate feedback on the current 
draft and other motivations/qualities we should consider including that 
would make this draft as useful as possible to these communities.
 >
 > We would be happy to take feedback here on the mailing list.
 >
 > Thanks,
 > Swapneel Sheth