[DNSOP] Re: [EXTERNAL] Re: Advice sought: DNS record type for FedCM well-known file delegation

John R Levine <johnl@ietf.email> Wed, 08 April 2026 18:17 UTC

Date: Wed, 08 Apr 2026 14:17:55 -0400
Message-ID: <90a5e8c6-9013-683d-beca-0076a39a9715@ietf.email>
From: John R Levine <johnl@ietf.email>
To: Will Bartlett <wibartle@microsoft.com>, "dnsop@ietf.org" <dnsop@ietf.org>
In-Reply-To: <PH0PR00MB2874050956111CB163FC75A2D35B2@PH0PR00MB2874.namprd00.prod.outlook.com>
References: <PH0PR00MB287470B5624C4161156CB2E6D35DA@PH0PR00MB2874.namprd00.prod.outlook.com> <20260407190852.B3BF410117B21@ary.qy> <PH0PR00MB2874050956111CB163FC75A2D35B2@PH0PR00MB2874.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BuxP7I7eC7xH8TnD_kgzE3SzXxU>

> The core of the issue is that FedCM desires to mandate that 
> implementations provide a single authoritative document for a 
> "registrable domain" (also sometimes called an "eTLD+1").

So far so good, we all know about the PSL.

> Today, the FedCM spec says that to locate the single authoritative 
> document for an origin like idp.foo.example, the browser should query 
> https://foo.example/.well-known/web-identity - note particularly - 
> foo.example, not idp.foo.example. Foo Inc. uses a CNAME to point 
> idp.foo.example to its identity service in (as you say) an ordinary 
> virtual host transaction. However, Foo Inc. cannot use a CNAME to point 
> foo.example to the same identity service for multiple reasons. First, 
> foo.example isn't the identity service - it's a marketing or storefront 
> page. Second, DNS does not support CNAME for foo.example, because 
> foo.example is an apex domain.

Ah, OK.  So your user goes to another department in the company and says 
"we need the web server the company is paying you to run to handle this URL 
https://foo.example/.well-known/web-identity" and they say some 
combination of "what?" and "no."

That still sounds like a business problem, not a technical one.

R's,
John
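The registrable-domain lookup the quoted paragraph describes, as an added example (not code from this thread, from the poster, or from the FedCM spec): it applies the Public Suffix List matching rules to an IdP origin and builds https://<eTLD+1>/.well-known/web-identity from the result. It goes beyond the thread's single case to show wildcard and exception rules, since those are where a "two labels from the right" guess goes wrong. MINI_PSL is a constructed excerpt, not the real list; the function names are mine; and the https-only check is an assumption about FedCM's secure-context requirement.

```python
"""Compute the FedCM well-known URL for an IdP origin.

Added example, not code from the thread or from the FedCM spec. It applies the
Public Suffix List matching algorithm to find the registrable domain (eTLD+1)
and builds https://<eTLD+1>/.well-known/web-identity from it.
"""
from urllib.parse import urlsplit

# Constructed miniature excerpt in the PSL's own syntax (assumption: the real
# list at publicsuffix.org has thousands of rules; only these few are modelled).
MINI_PSL = """
// constructed excerpt, not the real public suffix list
example
com
uk
co.uk
github.io
*.compute.amazonaws.com
jp
*.tokyo.jp
!metro.tokyo.jp
"""


def parse_psl(text):
    """Return the rule lines, dropping blanks and '//' comments."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")]


def _rule_matches(rule_labels, host_labels):
    """PSL rules match label by label from the right; '*' matches any one label."""
    if len(rule_labels) > len(host_labels):
        return False
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule_labels), reversed(host_labels)))


def public_suffix(host, rules):
    """PSL algorithm: an exception rule wins outright, else the longest match,
    else the implicit '*' rule (the last label alone)."""
    host_labels = host.lower().rstrip(".").split(".")
    longest = 0
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if not _rule_matches(rule_labels, host_labels):
            continue
        if is_exception:
            # The exception's suffix is the rule minus its leftmost label.
            return ".".join(host_labels[-(len(rule_labels) - 1):])
        longest = max(longest, len(rule_labels))
    return ".".join(host_labels[-(longest or 1):])


def registrable_domain(host, rules):
    """eTLD+1: the public suffix plus one more label; None if host is a suffix."""
    host_labels = host.lower().rstrip(".").split(".")
    n = public_suffix(host, rules).count(".") + 1
    if len(host_labels) <= n:
        return None
    return ".".join(host_labels[-(n + 1):])


def fedcm_well_known_url(idp_origin, rules):
    """The URL the browser fetches for an IdP served at idp_origin."""
    parts = urlsplit(idp_origin)
    # Assumption: FedCM is limited to secure contexts, so only https origins.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"IdP origin must be https: {idp_origin}")
    rd = registrable_domain(parts.hostname, rules)
    if rd is None:
        raise ValueError(f"{parts.hostname} is itself a public suffix")
    return f"https://{rd}/.well-known/web-identity"


RULES = parse_psl(MINI_PSL)

if __name__ == "__main__":
    for origin in ("https://idp.foo.example",        # the thread's case
                   "https://login.bank.co.uk",
                   "https://idp.acme.github.io",     # eTLD+1 is three labels
                   "https://sso.metro.tokyo.jp",     # exception rule
                   "https://github.io"):             # no registrable domain
        try:
            print(origin, "->", fedcm_well_known_url(origin, RULES))
        except ValueError as err:
            print(origin, "->", err)
```

Run as a script it prints the well-known URL for each origin; for https://idp.foo.example the answer is https://foo.example/.well-known/web-identity, the name the thread is arguing about. That is also why a CNAME on idp.foo.example does not help: the fetch goes to the apex name foo.example, which must carry the zone's SOA and NS records, and RFC 1034 section 3.6.2 does not allow a CNAME to coexist with other data at the same owner name.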