IETF Logo Mail Archive

[DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)

Erik Nygren <erik+ietf@nygren.org> Fri, 06 June 2025 19:01 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 3C8A131E76B0 for <dnsop@mail2.ietf.org>; Fri, 6 Jun 2025 12:01:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.893
X-Spam-Level:
X-Spam-Status: No, score=-1.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3y7IucOBLHCh for <dnsop@mail2.ietf.org>; Fri, 6 Jun 2025 12:01:33 -0700 (PDT)
Received: from mail-lj1-f176.google.com (mail-lj1-f176.google.com [209.85.208.176]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id B28DE31E76A9 for <dnsop@ietf.org>; Fri, 6 Jun 2025 12:01:33 -0700 (PDT)
Received: by mail-lj1-f176.google.com with SMTP id 38308e7fff4ca-32add56e9ddso15047421fa.2 for <dnsop@ietf.org>; Fri, 06 Jun 2025 12:01:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749236492; x=1749841292; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7G6hm0lQdCNCSSCur/6cfJ44/HGV4szi7LKDPjM4h1w=; b=ERh81jXKtD+LueN+gpECtlRU2knrZLCqZMwAR1PuALiWZsxtXs70uFUtlTj6r7/X8B 98mgDC5U+grmubP9jWgscJzy0apd9zsmKVfOuGPW6VfRdQcL5wtdMIyDakEHg4czgRvo o/jfe0fNDXE1t+6+ouia0pW9TeQX/e3UVG/UGqOooLukvgUkLgoNaWiUxMwX8IvQ3v1r SXNLGQi8h/1Q5yDtNT4PWiA+lrz7PwoMLl168heIXxMgIIrdEdQUDH1spw/Om6F34itT 6zwdaAPkJOeuYURb69K38m7TNePc7sOWIqpZedQpfRRTLx4eI4f5bEQHUA3fv/uUwsUY QV+Q==
X-Forwarded-Encrypted: i=1; AJvYcCXzyf1JNd3aPAnM3GV0JClJLLWAHOIgK3DuWcf/w6codtF5H+EbATX5kftW8ZBxoBmEhPorsg==@ietf.org
X-Gm-Message-State: AOJu0YxthGrBNdec9G2xWE9Z9EcyJaYqWy86RC5XkD3rqUIY/eZplb9i yRQjZJoPWd5OiPgeVETp0ZAkV7//05d51PUZDOtJA43OM+/rEWODad8xkyGV0JIlEYeteLCnwgF zoOLF6M/epzcB9tKyTI1wOCsNeiw4ix5FPDjIOXU=
X-Gm-Gg: ASbGncvoaVjvF2amS9n7pbdzHd7s2FwaomTFPTYU8NQ85zwsmfR5hDDKSCnbJhhsMBe 5bOz625C4LyyJ+XxFznn78OITdernZzyTH+yUgvCwqzs1di9aIwuaO3BFq3CU9R+y7zNwtC9nHT YS6C+cYTnFXfZ4f1uM+bW/ZifhuU4mBbQbYOmG5xFIJRmp/pKzaoQUItsCdm04iAgZt2+97MynF uk=
X-Google-Smtp-Source: AGHT+IHpVo6sWhoSAGwU3MLVcTCH21ZvT8nsBNLIFKnY+8MzhJvcIVcD8v48u5TD462U6H6KjWUntAizmvDEDx8x5EI=
X-Received: by 2002:a05:651c:108:b0:32a:66f7:8a15 with SMTP id 38308e7fff4ca-32adfed5cd4mr9498871fa.39.1749236491897; Fri, 06 Jun 2025 12:01:31 -0700 (PDT)
MIME-Version: 1.0
References: <16ef83e1-3ba4-cd0a-24ee-85557e0e838e@taugh.com> <A730BDB0-7387-417F-92E3-B654867CA3BD@strandkip.nl> <22871113-3a09-7c6a-4c01-a839708c9788@taugh.com> <18669799-4670-3e2b-b9ad-dd110ba79552@nohats.ca> <c8461bcf-08f0-e18c-4c75-9917aa0990d9@taugh.com>
In-Reply-To: <c8461bcf-08f0-e18c-4c75-9917aa0990d9@taugh.com>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Fri, 06 Jun 2025 15:01:17 -0400
X-Gm-Features: AX0GCFszTVuLCBa-r1TnPvLhOWW6CrBoK6O35DF5GmGOmCNYUxMbBZ7N1WvbWjc
Message-ID: <CAKC-DJhS4_1P5Bqu-0YWWr9jkxBOt40rx5804UAUp7DhAsc31g@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Content-Type: multipart/alternative; boundary="000000000000ba59df0636ebdb67"
Message-ID-Hash: TRYI2HZPPJQLGZKZ3RG63YF3XQC2SF3Q
X-Message-ID-Hash: TRYI2HZPPJQLGZKZ3RG63YF3XQC2SF3Q
X-MailFrom: nygren@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Wouters <paul@nohats.ca>, dnsop@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7D12rRnqM3V3iFfBYkH_r8XJCrg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Following this discussion, I've taken a pass at proposing some updates to
clarify the "purpose"
of domain validation (as suggested by Ben in PR #160 although I started
with a new take on it)
as well as to clarify the difference between one-off validation and
persistent validation.
See:

https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/172/files

John Levine's examples seem to demonstrate that there is very likely that
persistent validation
is a use-case for DCV.  A number of the examples from the use-cases we had
in the original Appendix of earlier drafts also showed cases of persistent
validation.

As such, I think we need to talk about this as we can't really ignore it,
and talk about
how to do it safely and what the inherent potential problems are.

(It may make sense to talk about persistent validation in-terms of
authorization,
but I stayed away from that for this first version.)

If this approach makes sense there's likely some refinement we can make to
this text
to further clarify on the use-cases and risks.

     Erik




On Fri, May 30, 2025 at 5:16 PM John R Levine <johnl@taugh.com> wrote:

> On Fri, 30 May 2025, Paul Wouters wrote:
> >> and if you're going to do that, you know where to find ACME.
> >
> > Indeed, but is a cron job really a method to confirm continued
> > acceptance of a service? It requires credentials to make a DNS
> > change and in a way only weakens the security model. (just like ACME
> > using DNS-01 doesn't add anything to just publishing TLSA records in
> > the DNS)
>
> Well, it does show that someone or something is awake enough to run the
> cron job while I know from personal experience that TLSA records can go
> stale for quite a while.  But we're all waving our hands here.
>
> R's,
> John
>
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org
>

v2.31.3 | Report a Bug | By Email | System Status