IETF Logo Mail Archive

[DNSOP] Re: Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-05.txt

Shumon Huque <shuque@gmail.com> Tue, 23 July 2024 21:14 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFF9DC1D4CC7 for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2024 14:14:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gnzHFX7AKqcB for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2024 14:14:11 -0700 (PDT)
Received: from mail-io1-xd2c.google.com (mail-io1-xd2c.google.com [IPv6:2607:f8b0:4864:20::d2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8DDBC1F5899 for <dnsop@ietf.org>; Tue, 23 Jul 2024 14:13:55 -0700 (PDT)
Received: by mail-io1-xd2c.google.com with SMTP id ca18e2360f4ac-807007b8dd1so246570939f.2 for <dnsop@ietf.org>; Tue, 23 Jul 2024 14:13:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721769235; x=1722374035; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=zAmDiP8gvwGNefNQBUbv7i4J+7811qYPl6nyk4mVZAw=; b=SqAV9dfirsdtoDwtdUhV+NMUu0vOnTLBpbBSLVuSYb5t4BDZ73Gbae/N1/8YdCU4Yr j1vWaRFRTuDTRVOJJrj9gVlzE0YvHNBOU45KEoX4fRCUhqJr1AEhoU6uu8igqCvfSITE OnaB0C0l9RKscnlBsGw7jWfvdDgIATK5P8clO0mSvJfo6UcNX7+qxlUg+/qNsUzgiwRL l2oIrA9jTvb/C+vpcg3rHgsQyMOzZFx2FetA0vRGO59F6P9+lZn6ChVTSDqUN6s0hg2i YxsxmkEzUyymdVhGURj/tXJR6ks/5MhdfZHs4NI9Zdv9YkYGP45+tNzr9n54zvuJbhBQ v1Lw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721769235; x=1722374035; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=zAmDiP8gvwGNefNQBUbv7i4J+7811qYPl6nyk4mVZAw=; b=Z+hXAFF7OVhKOtQwgKhOGdEq3Z1GFv6W434j5v+WcalhHUHZccVUcYUYN4C189rvU1 VrgrmLdO6fe1uUFaf2MqtdyQm+y3hMTpZy6u+81TUd9UAKj1UH2/aZezw5tSAeFLuqzU b0xm7uIqYGES1aJOoUOBz5viJnb21pjcuBOGis3iIWvDib+gB6qFjiUK3iwJ+i4h6HIy Iuo1mS9/zfpCAzZ9cKt6Qz7hSvWK6+waNLadesKVAiROMgLiOVkKmteBGNpbdLpUzoxh CWrykIOsIcErWjtOKxTH1dczhCgqadICFuCKgT0hmbu+oVn8+uc+J32Z8HS4NmzZQu84 AnAw==
X-Gm-Message-State: AOJu0YwE2AlqKeSGpXEUDIHgvynXGqdPmCcqXnhTe4Oi4AjAgcMSimIM ar/l5L0RtzDpke9YAMgOpoWTYh0tljjYZFi0+4PTggdjSufw5AZ8tCIKbWdeIdw6vWhYqSV9g+M Aavm4Nlk4Po/3GGhMQYIohP9s+MUZS3qjBlI=
X-Google-Smtp-Source: AGHT+IHYvlzeTx/ZPh2WRx59Nr46/xkx+q7gDaIydE3QUX+BDQQNU0JyCMaxWaydNoiC5fR4Q9bz0b9KBdDA7kCtqPk=
X-Received: by 2002:a05:6602:6211:b0:804:f2be:ee33 with SMTP id ca18e2360f4ac-81aa548332fmr1483018239f.2.1721769234700; Tue, 23 Jul 2024 14:13:54 -0700 (PDT)
MIME-Version: 1.0
References: <172047471396.458153.12797163404923712142@dt-datatracker-5f88556585-j5r2h> <CADyWQ+GMHrL2ABd6hMhWujMEO=pDtDXsc3tGDPx72uYqxa4JbQ@mail.gmail.com> <20240709212356.43B838F44515@ary.qy>
In-Reply-To: <20240709212356.43B838F44515@ary.qy>
From: Shumon Huque <shuque@gmail.com>
Date: Tue, 23 Jul 2024 14:13:43 -0700
Message-ID: <CAHPuVdX=8Lv3r41g8YVkjRQ-YCx9r+nB94wqep7oG+_o20EHfA@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Content-Type: multipart/alternative; boundary="0000000000009ea262061df0a3f2"
Message-ID-Hash: Q576ZEZXAXNLMDPAFZF4UMO5JSJOHLDX
X-Message-ID-Hash: Q576ZEZXAXNLMDPAFZF4UMO5JSJOHLDX
X-MailFrom: shuque@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org, tjw.ietf@gmail.com
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-05.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/DptC1jux_mTJr3M0Z8QG4FdWUq4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Tue, Jul 9, 2024 at 2:25 PM John Levine <johnl@taugh.com> wrote:

> It appears that Tim Wicinski  <tjw.ietf@gmail.com> said:
> >This is one of those DNSOP documents that may not be relevant to those who
> >implement DNS, or those who operate DNS infrastructure. It is relevant to
> >Applications that use the DNS, and those who focus on what actually DNS
> >records exist in zones.
>
> I took a look and it is indeed greatly improved. Here are some
> implementation issues that may or may not be worth addressing:
>

Thanks John ..

It says to put everything in a text record which is fine, but it
> doesn't say anything about how to encode it. There are two competing
> approaches. One says that the string boundaries in the record don't
> matter, so combine all of the strings into one string. The other is to
> treat each string as a token or expression, and the string boundaries
> are the token or expression boundaries. The examples suggest the
> former way, but it should say so. Alternatively, people checking
> domain verification records need to say which way they're doing it.
>

The simplest thing to do would be to follow the precedent of SPF,
DKIM, etc TXT using protocols and state that multiple TXT strings
(if present) need to be concatenated before use. We can state
this.

In practice, given entropy requirements, verification tokens are typically
small enough compared to the max TXT string length, that even with
some other key=value metadata things, they are unlikely to spill over into
multiple strings. But I agree, we need to address that possibility and state
what to do.

Wildcards can cause some annoying problems, notably that a wildcard
> will match any tagged name so queries for tagged names can get junk
> answers.


Can you elaborate on what you mean? A wildcard TXT match may yield
an answer with a verification record rdata string which is nonsensical
because no-one will be looking to verify such a record. Other than it
(possibly) being annoying, is there a practical problem? This situation
is certainly not unique to this draft.


> A) Should verification records have a tag at the front of the data to
> identify the record type? There's plenty of prior art for this, e.g.,
> the 63 text records at stanford.edu. Or you might say that a
> sufficiently long random token in the interesting part will prevent
> false positives so there's no need.
>

I don't think this is necessary. Some applications do this today, but
I suspect it is to make it easier to identify the application from the
sea of verification TXT records at the zone apex. Since the draft
recommends application specific validation record "owner names",
that seems to be a better place to make this identification.


> Minor nit: why are the CNAME targets quoted?  I've never seen a
> quoted target name and when I look at RFC 1034 it doesn't look
> like it's valid.
>

Yes, that was a mistake. I see that Tim Wicinski already followed up
on fixing this.

Shumon.

v2.35.0 | Report a Bug | By Email | System Status