Re: [DNSOP] Domain Verification Techniques using DNS
Paul Wouters <paul.wouters@aiven.io> Tue, 23 May 2023 20:22 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F763C151099 for <dnsop@ietfa.amsl.com>; Tue, 23 May 2023 13:22:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.584
X-Spam-Level:
X-Spam-Status: No, score=-1.584 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_NOVOWEL=0.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5iLkaDHolvwG for <dnsop@ietfa.amsl.com>; Tue, 23 May 2023 13:22:34 -0700 (PDT)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97BF7C14CE25 for <dnsop@ietf.org>; Tue, 23 May 2023 13:22:34 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id ffacd0b85a97d-3095b1b6e02so3167013f8f.2 for <dnsop@ietf.org>; Tue, 23 May 2023 13:22:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1684873353; x=1687465353; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=oKG5elCgeIKMNJCI4FjK196a5PYrl60fDtPEzyTQjJw=; b=TZAIYgLxytx+CFO1okJ/R1uMeIGoVkBdBf7nAhbHCQFhpX2Ys5eguDYIRigb/0XoSB shhyV3/vODrTo8DQyeHCgPOrEmKe+7fYpDUOlE7vCi/ue8abAc+lTzY6DkVa4R6HrSBQ 3uril8G8WlN7xhfKvFQ7ylrz2oIb8wmmRb4vM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684873353; x=1687465353; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=oKG5elCgeIKMNJCI4FjK196a5PYrl60fDtPEzyTQjJw=; b=Am8UOncFLW3nlNk6p+FIr/OBV+mom3Ipb3B9ihdTy51FwagR0SNAHLC20OLVbuDLKy Yyb5BRd182VwmP0EJJutaeDIbYOkwhQfMKno02caf/qDSxIHv9LipERhDiKPCF1p0FMP V9y1r6Up8sTufmxIC/q9pi6EoZ530RD/OJF4xNSR/810gSnzRRMjQVaKTAjsJSFh+1+k MK/6BaPdxvrvDk0UOEER7e9ndOn3DgZI6WcTHQoBBFABCpPEn7UXlf1e0b1h4Egqitlr 8DsBvdNmql4CXrP0n4MvzYqgLNfVgzcG+d0kczGaB24xtGoOJCPSBlIOkQ1bd2Duxs/g b98Q==
X-Gm-Message-State: AC+VfDxlnDJ279l6YkO7gLuSJET0e94wPX9Eim/V8fG1feVZ6dMDYeii 331hqcAzb/GBLNQaqzUaGmKkTDkrCyRfZO4Z9o6dLg==
X-Google-Smtp-Source: ACHHUZ6X0xBv9j9a8B6GnPYaaAI/4WA/b/u5if8NGKD5TjQAhRW69HXeTMXb0+pVjhB5N82zLE15hBOVDtgw1DsFhvA=
X-Received: by 2002:a5d:40c4:0:b0:306:2a1a:d265 with SMTP id b4-20020a5d40c4000000b003062a1ad265mr10187216wrq.58.1684873352637; Tue, 23 May 2023 13:22:32 -0700 (PDT)
MIME-Version: 1.0
References: <lFAtHx4AM5tH7o5UTTgzfKqfZpLer5Gxu3je9lItz7SQ04nBWpv2dRiQv5Pwg9cuX9s_Hv-Yv7x7j8LYddrWl6Z3cPJLidyyETU2SDndbKc=@num.uk>
In-Reply-To: <lFAtHx4AM5tH7o5UTTgzfKqfZpLer5Gxu3je9lItz7SQ04nBWpv2dRiQv5Pwg9cuX9s_Hv-Yv7x7j8LYddrWl6Z3cPJLidyyETU2SDndbKc=@num.uk>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Tue, 23 May 2023 16:22:21 -0400
Message-ID: <CAGL5yWZv+8qBv84_LDU5ShvcQ0+G6aOgZS8zUg91LV4cwaH9KQ@mail.gmail.com>
To: elliott.brown@num.uk
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, "draft-ietf-dnsop-domain-verification-techniques.all@ietf.org" <draft-ietf-dnsop-domain-verification-techniques.all@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ad079c05fc6225f7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JY2WavgMdFwK7Pfr8h-wZocvcoo>
Subject: Re: [DNSOP] Domain Verification Techniques using DNS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2023 20:22:39 -0000
On Mon, May 22, 2023 at 5:49 PM <elliott.brown@num.uk> wrote: > Dear DNSOP WG, > > My company has developed a domain verification technique using DNS, it > fits the abstract of draft-ietf-dnsop-domain-verification-techniques. > > I am writing to ask the WG's opinion on whether our technique is within > the scope of the current draft and if so, whether it should be considered > for inclusion. > Thanks for reaching out to DNSOP. > > Our technique is outlined here: > https://www.domainverification.org > > You can see an example DNS TXT record by using the following dig command: > > dig 4i7ozur385y5nsqoo0mg0mxv6t9333s2rarxrtvlpag1gsk8pg._dv.dvexample.com > TXT > > Although our method fits the draft's title and abstract, it is quite > different to the method detailed in the best current practice of the draft. > Indeed. While the current draft's methods could be fully automated, your method specifically calls out for verification via a phone number or email address which more or less assumes a human operator. It therefor works indirectly and all the "verification" parts are out of scope handled inside the SMS / email / phone call messages that would be required. As such, I do not think it belings in the current draft, but should be submitted as a separate draft. It is our ultimate goal for these records to be created by domain > registrars upon domain registration (with registrant opt-in) to provide > their customers with seamless onboarding when adding their domain to > service providers. > I wonder if that goal is achievable. In a way, the SOA record also contains a contact email for the domain and is basically no longer used by anyone. Hashing the contact info is only a very wea protection, as we have seen with people bruteforcing NSEC3 hash chains. And also, I think these type of records will also go stale and then not very useful. And so another fallback mechanism will be required anyway. So perhaps using that fallback to start with would be better. (I guess you could add some application code to verify email addresses on signup requests, but I doubt this is all going to me that much easier than "take this DNS record and tell your IT to publish it for a few days" that the current draft uses. > In accordance with BCP79, I am disclosing the following patents which > relate to our technology: > > Patents related to storing a hash of a verifiable identifier (email, > phone, etc) in DNS for the purposes of verification: > > - UK granted patent: https://patents.google.com/patent/GB2585353B I believe that RFC 7929 - DNS-Based Authentication of Named Entities, of which I am the author, constitutes prior art for this patent. > - US pending patent: https://patents.google.com/patent/US20220141172A1 > > Patents related to storing a hash of a verifiable identifier as a DNS > label for the purposes of verification: > > - UK pending and unpublished patent: > https://patents.google.com/patent/GB202216304D0 I believe both the aforementioned RFC 7929, as well as RFC 7671: The DNS-Based Authentication of Named Entities, constitute prior art for this patent. > - US patent to be filed. > > As I understand it, this disclosure is a condition of contributing to the > discussion. For the avoidance of doubt: I am not asserting any rights over > the methods discussed in the current draft at all – only our new method > being proposed for inclusion. > > We are still working on licensing but creating Domain Verification records > will always be free for domain registrants or registrars, service providers > will require a license to verify domains using the protocol. > Note that the IETF strongly leans towards only using patented technology if that technology is licensed using an irrevocable, perpetual, royalty free and non-discriminatory license. Your indication that service providers cannot use this technology without paying royalties would not be compatible with that goal. > This is my first time contributing to the IETF, please forgive me for any > accidental transgressions – I am here to contribute as productively as > possible. > Welcome and thanks for coming to the IETF to make the internet work better :) Paul
- [DNSOP] Domain Verification Techniques using DNS elliott.brown
- Re: [DNSOP] Domain Verification Techniques using … Paul Wouters
- Re: [DNSOP] Domain Verification Techniques using … elliott.brown
- Re: [DNSOP] Domain Verification Techniques using … Shivan Kaul Sahib
- Re: [DNSOP] Domain Verification Techniques using … elliott.brown