[DNSOP] Re: Best Practices for Persistent References in DNS
Ben Schwartz <bemasc@meta.com> Wed, 23 April 2025 15:31 UTC
From: Ben Schwartz <bemasc@meta.com>
To: "Sheth, Swapneel" <ssheth=40Verisign.com@dmarc.ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: Best Practices for Persistent References in DNS
Thread-Index: AQHbtGMsHkkaIc7DDkeHiFcDVYnOvbOxYHC0
Date: Wed, 23 Apr 2025 15:30:54 +0000
Message-ID: <SA1PR15MB43703D313D0B95424F402B1AB3BA2@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <4E29922E-A2B0-4FB8-B933-4A8C234DAB01@verisign.com>
In-Reply-To: <4E29922E-A2B0-4FB8-B933-4A8C234DAB01@verisign.com>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KfwhhlgKRu0BajcdlP5Uq5BxpVU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
I agree that these drafts represent separate needs. I've proposed text related to this distinction in the DCV draft: https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/160

--Ben

________________________________
From: Sheth, Swapneel <ssheth=40Verisign.com@dmarc.ietf.org>
Sent: Wednesday, April 23, 2025 11:19 AM
To: dnsop@ietf.org <dnsop@ietf.org>
Subject: [DNSOP] Best Practices for Persistent References in DNS

Greetings DNSOP,

We have recently published draft-sheth-identifiers-dns (1) that proposes some best practices for Application Service Providers who provide associations between a global DNS domain name and use case specific references. The best practices use DNSSEC to provide a globally consistent, cryptographically verifiable association. While nonce-based domain control validation (DCV) has been used for similar purposes, it may not be practical when the association is persistent and where multiple relying parties want to confirm the association independently, as this would require a nonce for each relying party, which may become impractical for a user to maintain.

Examples of persistent, multiple perspective use cases include the CAA record used by Certificate Authorities, the proposals to use DNS to identify digital wallets, and the use of domain names as social media handles. In each use case, more than one party uses the same DNS data and should come to the same conclusion, e.g., in CAA if the Certificate Authority is authorized (or not) to issue a certificate for a domain name.

This draft differs from the current DCV BCP draft (2) in the persistence of the DNS record(s), the presence of multiple relying parties, and the requirement of DNSSEC. Our perspective is that these differences are substantive enough to merit separate drafts but are open to further discussion.

Thanks,
Swapneel

(1) - https://datatracker.ietf.org/doc/draft-sheth-identifiers-dns/
(2) - https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/
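The quoted message uses CAA as its example of a persistent reference that several relying parties evaluate independently. The following Python script, added here as an illustration and not code from draft-sheth-identifiers-dns or either draft's authors, models that evaluation over a constructed in-memory zone: the RFC 8659 walk toward the root to find the relevant CAA RRset, the issue/issuewild decision, and a refusal to act on data that was not DNSSEC-validated. The `signed` flag on each name is an assumption standing in for a validating resolver's AD bit; the zone contents, names and CA domains are all constructed sample data.

```python
"""Evaluate a CAA RRset the way each relying party (a CA) would, over a constructed
in-memory zone. Added illustration; not code from draft-sheth-identifiers-dns."""

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # CAA flags bit: issuer-critical

# Constructed zone data standing in for the global DNS. The 'signed' flag plays
# the role of the AD bit a validating resolver would set; this is an assumption
# of the model, not a real DNSSEC validation.
ZONE = {
    "example.com.": {"signed": True, "rrs": [
        ("CAA", (0, "issue", "ca-one.example; account=42")),
        ("CAA", (0, "issuewild", ";")),  # empty issuer: nobody may issue wildcards
    ]},
    "www.example.com.": {"signed": True, "rrs": [("A", "192.0.2.1")]},
    "crit.example.com.": {"signed": True, "rrs": [("CAA", (CRITICAL, "newtag", "x"))]},
    "unsigned.example.": {"signed": False, "rrs": [("CAA", (0, "issue", "ca-one.example"))]},
}


def lookup(name, rtype):
    """Return (validated, rdatas) for name/rtype from the constructed zone."""
    entry = ZONE.get(name, {"signed": False, "rrs": []})
    return entry["signed"], [rd for t, rd in entry["rrs"] if t == rtype]


def parent(name):
    """Strip the leftmost label; 'www.example.com.' -> 'example.com.'."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def relevant_caa(name):
    """RFC 8659 section 3: the relevant RRset is the first non-empty CAA RRset found
    walking from the name toward the root. Returns (validated, caa_rdatas)."""
    cur = name
    while cur != ".":
        validated, caa = lookup(cur, "CAA")
        if caa:
            return validated, caa
        cur = parent(cur)
    # No CAA anywhere. A real validator would also need a DNSSEC-validated denial
    # of existence here; the model simply treats absence as unrestricted.
    return True, []


def issuer_of(value):
    """'ca-one.example; account=42' -> 'ca-one.example'; ';' -> '' (no issuer)."""
    return value.split(";")[0].strip().lower()


def ca_authorized(name, ca_domain, wildcard=False, require_dnssec=True):
    """Decide whether ca_domain may issue for name: 'authorized', 'refused' or
    'unvalidated'. Every relying party runs the same logic over the same record."""
    validated, caa = relevant_caa(name)
    if require_dnssec and not validated:
        return "unvalidated"  # unsigned data is not a usable persistent reference
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in caa):
        return "refused"  # unrecognised critical property: must not issue
    tag = "issuewild" if wildcard else "issue"
    props = [v for _, t, v in caa if t == tag]
    if wildcard and not props:
        props = [v for _, t, v in caa if t == "issue"]  # issuewild falls back to issue
    if not props:
        return "authorized"  # no issue/issuewild property: CAA does not restrict
    return "authorized" if ca_domain.lower() in {issuer_of(v) for v in props} else "refused"


def relying_party_views(name, ca_domain, relying_parties):
    """Independent evaluation by several relying parties; with DNSSEC-validated
    data they should all reach the same decision."""
    return {rp: ca_authorized(name, ca_domain) for rp in relying_parties}


if __name__ == "__main__":
    views = relying_party_views("www.example.com.", "ca-one.example",
                                ["ca-one.example", "auditor.example"])
    for rp, view in views.items():
        print(rp, "->", view)
```

The `require_dnssec` switch is where the two drafts diverge in practice: a nonce-based DCV check can tolerate unsigned data because the nonce binds one relying party to one fresh challenge, whereas a persistent record read by many parties has no such per-party freshness, so the model returns `unvalidated` rather than a decision when the data did not validate.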