[DNSOP] Re: Request Feedback: draft-sheth-dns-integration
kowalik@denic.de Fri, 09 August 2024 13:53 UTC
Return-Path: <kowalik@denic.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDD28C14F5E8 for <dnsop@ietfa.amsl.com>; Fri, 9 Aug 2024 06:53:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=denic.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wHok1bfDUMiC for <dnsop@ietfa.amsl.com>; Fri, 9 Aug 2024 06:53:01 -0700 (PDT)
Received: from mout-b-203.mailbox.org (mout-b-203.mailbox.org [195.10.208.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89897C14F5F5 for <dnsop@ietf.org>; Fri, 9 Aug 2024 06:53:00 -0700 (PDT)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [10.196.197.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-203.mailbox.org (Postfix) with ESMTPS id 4WgQN70HCSz9trN; Fri, 9 Aug 2024 15:52:55 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denic.de; s=MBO0001; t=1723211575; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=wwfcn/z4RSaCgK7c0fA8x6tX1ulbLzBsW22sQiIXdXY=; b=EbCpGNjef2xvsCnZf9n4dbUhceY48zO2uDTXsmpJGBti+9VJRCcp4qk7UUbSGiKvqeavJR sU6pvC1tHHPxlTViqG+wkmRwBDcL+zuZVTpp5PFDbnQDUUDPQuKfdLi5/qdrEtiqSQ6UXM LIKRgbI0RSlfSXs0/sux4jYzaEIYzcJLhl8pVmpdzpXaIGbsmCygELxu70bISaQ/p4drxF MrBabxmLIc1wFy3JT+882eUL/gjPUb2qK5Q0aJCoJ7t4C4UzvYOvcfwkpxXDKDhQFAnfew S3+OdlK9IaRNYPmBkAPvq69ljEBOK7MKmCRTVY60m/9ulL2T6B0HJ+vm9bipnQ==
Message-ID: <9df18f77-8fcb-4e0c-b162-878c7d4800df@denic.de>
Date: Fri, 09 Aug 2024 15:52:52 +0200
MIME-Version: 1.0
From: kowalik@denic.de
To: "Sheth, Swapneel" <ssheth=40Verisign.com@dmarc.ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>
References: <3D071AEB-07A6-45C5-8FEA-3D07EC7451AA@verisign.com>
Content-Language: en-GB, de-DE
In-Reply-To: <3D071AEB-07A6-45C5-8FEA-3D07EC7451AA@verisign.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms030308070601010708010808"
X-MBO-RS-ID: 0f7ddefeebb456208ba
X-MBO-RS-META: qt6xnmaqjftnt7hf7i8a775imqebq1d5
Message-ID-Hash: OWXBTJSQG6NDRNBJIN5JBCFWD4QCC223
X-Message-ID-Hash: OWXBTJSQG6NDRNBJIN5JBCFWD4QCC223
X-MailFrom: kowalik@denic.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Kaizer, Andrew" <akaizer@verisign.com>, "bryan@blueskyweb.xyz" <bryan@blueskyweb.xyz>, "nick@ens.domains" <nick@ens.domains>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Request Feedback: draft-sheth-dns-integration
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/24OmBYE1m-pCXzIelbWc-1CgxKQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
Hi Swapneel, This is a valuable work. Some remarks below: 4.1. Domain Name Lifecycle / 4.5. Identifier Attribution I would add any other changes to the technical configuration which might affect the integration (such as change of delegation). Also an aspect of an owner of a domain name being blocked from usage of the name at an integration should be mentioned in both cases if the ownership would change but also if the integration would not verify at all and allow blocking names as a result. One additional observation that might be mentioned is that DNS and domain registration ecosystem is currently lacking an effective mechanism of assuring this recommendation other than polling over existing protocols (WHOIS/RDAP/DNS) to figure out any change that might have happened. Even this would be limited only to visible changes and not all changes if some data would be redacted. 4.2. Domain Control Validation The draft mentions "storing evidence directly on a server referenced by a DNS domain name". Later it indicates the intention to verify that the current registrant is performing the integration. I think at least some text should be added about the level of indirection that domain control validation should accept as well as the goal of the validation. Even with the usage of DNS there is the TLD registry which actually deals with the "current registrant" and the Nameserver handling the zone which may be already controlled by other party who would be able to successfully complete the validation. Next level of indirection to a (web) server would be one additional step away from the registrant. Some integrations would just have a goal to assure technical control over the name in DNS or webserver, others would really seek to have a confirmation from the registrant, so maybe the text should account for that. The scope of the validation, which is very broadly described in ietf-dnsop-domain-verification-techniques shall also here be taken into consideration. 4.3. Completeness This part could also express a stronger wish to support all names allowed in DNS to avoid confusion and negative domain owner experience. Otherwise an integration might decide "out of technical reasons" to only support ascii domains, which won't be in line with universal acceptance efforts. 4.5. Identifier Attribution DNS hijacking is specifically mentioned, however I think this can be generalised accordingly to the control validation used. If https server is used then new possibilities of change of control over an identifier outside of DNS can be open. 4.6. Variety of DNS Management User Interfaces Domain Connect draft-kowalik-regext-domainconnect may be mentioned as one of the methods of dealing with this particular issue. Kind Regards, Pawel On 05.08.24 18:04, Sheth, Swapneel wrote: > > DNSOP, > > Just before IETF 120 we published a draft "Integration of DNS Domain Names into Application Environments: Motivations and Considerations" along with co-authors from Bluesky and Ethereum Name Service. You may have seen us socializing it at the hackathon and HotRFC or heard the request for feedback during Thursday's DNSOP session when the chairs mentioned it during the "Drafts of Note" of section. > > During IETF 120 we received a lot of good feedback around this draft and would like further feedback! Since the initial 00 version, we have changed the draft to informational and are in the process of evaluating how best to incorporate the other feedback we received. > > The goal of this draft is to provide informational guidance to communities who are trying to incorporate DNS domain names into their applications. The draft currently provides motivations for why applications opt to utilize domain names and qualities that applications should consider as they build and maintain their integrations, e.g., having processes in place to account for domain name lifecycle events or DNS protocol evolution. We would appreciate feedback on the current draft and other motivations/qualities we should consider including that would make this draft as useful as possible to these communities. > > We would be happy to take feedback here on the mailing list. > > Thanks, > Swapneel Sheth
- [DNSOP] Request Feedback: draft-sheth-dns-integra… Sheth, Swapneel
- [DNSOP] Re: Request Feedback: draft-sheth-dns-int… Ben Schwartz
- [DNSOP] Re: Request Feedback: draft-sheth-dns-int… kowalik