[DNSOP] Re: Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-05.txt

John Levine <johnl@taugh.com> Tue, 09 July 2024 21:24 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99E80C14F6E9 for <dnsop@ietfa.amsl.com>; Tue, 9 Jul 2024 14:24:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.858
X-Spam-Level:
X-Spam-Status: No, score=-1.858 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b="R0M7t1T5"; dkim=pass (2048-bit key) header.d=taugh.com header.b="ENxO1ZQq"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lj2h-VwmiIWD for <dnsop@ietfa.amsl.com>; Tue, 9 Jul 2024 14:24:10 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9FD0C1E0449 for <dnsop@ietf.org>; Tue, 9 Jul 2024 14:23:59 -0700 (PDT)
Received: (qmail 7348 invoked from network); 9 Jul 2024 21:23:57 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:content-transfer-encoding:cleverness; s=1cb1668daa6d.k2407; bh=7SD4uTL/sZSVOQJZhiVF2yasNIM32q3yZGUykQnIlrg=; b=R0M7t1T5cnI/qkjDLoNhWnJn2waWxINcIzAYqUJnMUg6j+CkXuGPbQ3DkW5agT7dB/pzlIt0dfoHZ0EsfOX+3Ct2DN/nzqM+f2a5Wg6T+t7AKfQdKyKLVvl6e4y3khzYr/Rm697qLCgIxlDb8l48lQDx+0zCZsqQTzKp7HSiUuajVSSI6o79i2Ro6z9ysAZXqRrpo8zdL63Y+yJakFn7uPWvRtMP7NS455CiNHCNGevY+HBRS+DoHPRh46tARCJGJkxCoSqZiveUVyVK+0ctZ86vwwCVZ7ykmggEaZ+6yRRyt7DVmWpw3yYN1D8kaIH9bxd49Jd3LYbB1D4gCO3Y5Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:content-transfer-encoding:cleverness; s=1cb1668daa6d.k2407; bh=7SD4uTL/sZSVOQJZhiVF2yasNIM32q3yZGUykQnIlrg=; b=ENxO1ZQqfNcZ4wKjZC8GG44uvTz47c0afcAzHCPQ1s7XBCBEL4sXHWCYlpsEt947SqiC2hPMyaWCiR99BI2KoX/scqS2b9FuZlpNt93DHPXHLveRqJROGDC26UugM+Yhc/ntSUh755s4ybgJcFNoTvZqVeCbdnFiRk9tcDqcZsIPVPFIsj9H5xv6w/ygpCnc6New20aG4zpIoF+koaJ5IMxOoTxEIB4S5sNzDFJ+VrdsZWxL4mL10VdVRdIDiaP/eganBmQuq3xsyGXjhiVZxEFSuXcHanUM3X1MIA690Ftdro+uv2q4yk2NtAc/8XZC3Qg0lZkDdpKNyxVgF84LKA==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA CHACHA20-POLY1305 AEAD) via TCP6; 09 Jul 2024 21:23:56 -0000
Received: by ary.qy (Postfix, from userid 501) id 43B838F44515; Tue, 9 Jul 2024 17:23:55 -0400 (EDT)
Date: Tue, 09 Jul 2024 17:23:55 -0400
Message-Id: <20240709212356.43B838F44515@ary.qy>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
In-Reply-To: <CADyWQ+GMHrL2ABd6hMhWujMEO=pDtDXsc3tGDPx72uYqxa4JbQ@mail.gmail.com>
Organization: Taughannock Networks
References: <172047471396.458153.12797163404923712142@dt-datatracker-5f88556585-j5r2h> <CADyWQ+GMHrL2ABd6hMhWujMEO=pDtDXsc3tGDPx72uYqxa4JbQ@mail.gmail.com>
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Message-ID-Hash: ZNVTDDDM2QH7WNHP5SUMUMBEKTIF5FE5
X-Message-ID-Hash: ZNVTDDDM2QH7WNHP5SUMUMBEKTIF5FE5
X-MailFrom: johnl@iecc.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tjw.ietf@gmail.com
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-05.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6We1DepqtfGOpPEsWJRIc09WDdU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

It appears that Tim Wicinski  <tjw.ietf@gmail.com> said:
>This is one of those DNSOP documents that may not be relevant to those who
>implement DNS, or those who operate DNS infrastructure. It is relevant to
>Applications that use the DNS, and those who focus on what actually DNS
>records exist in zones.

I took a look and it is indeed greatly improved. Here are some
implementation issues that may or may not be worth addressing:

It says to put everything in a text record which is fine, but it
doesn't say anything about how to encode it. There are two competing
approaches. One says that the string boundaries in the record don't
matter, so combine all of the strings into one string. The other is to
treat each string as a token or expression, and the string boundaries
are the token or expression boundaries. The examples suggest the
former way, but it should say so. Alternatively, people checking
domain verification records need to say which way they're doing it.

Wildcards can cause some annoying problems, notably that a wildcard
will match any tagged name so queries for tagged names can get junk
answers.  

A) Should verification records have a tag at the front of the data to
identify the record type? There's plenty of prior art for this, e.g.,
the 63 text records at stanford.edu. Or you might say that a
sufficiently long random token in the interesting part will prevent
false positives so there's no need.

2) If you put records at a tagged name that is supposed to be unique
and a query returns some junk records and some plausibly good records,
what do you do? Use what you can? Ignore it all because you probably
stepped on a wildcard?

Minor nit: why are the CNAME targets quoted?  I've never seen a
quoted target name and when I look at RFC 1034 it doesn't look
like it's valid.

R's,
John