Re: [DNSOP] Fwd: New Version Notification for draft-sahib-domain-verification-techniques-02.txt
Tony Finch <dot@dotat.at> Fri, 11 June 2021 17:29 UTC
Date: Fri, 11 Jun 2021 18:29:20 +0100
From: Tony Finch <dot@dotat.at>
To: Shivan Kaul Sahib <shivankaulsahib@gmail.com>
cc: dnsop@ietf.org
In-Reply-To: <CAG3f7Mi92moegB2656HUdgQQ_i8bKw6KH0JcsBVHP+hEc22Quw@mail.gmail.com>
Message-ID: <6c14b376-232b-854c-165f-1d3bf24d11a@dotat.at>
References: <162334242319.22850.4241161345806462552@ietfa.amsl.com> <CAG3f7Mi92moegB2656HUdgQQ_i8bKw6KH0JcsBVHP+hEc22Quw@mail.gmail.com>
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/NRADMyblsBZ2U4ZzsaDPt1dZgpM>
Shivan Kaul Sahib <shivankaulsahib@gmail.com> wrote:

> Hi all, Shumon and I have been working on an early draft that surveys
> current DNS domain verification techniques. Depending on how it goes, we
> hope to eventually explore if we can come up with some best practices.

This looks like a useful document!

One thing that's operationally awkward for me is how some providers do
one-time verifications, and others re-validate periodically. I suppose
there is another distinction between static re-validation done by (e.g.)
Google, and dynamic renewal as required by ACME.

Best practice for providers ought to be to document re-validation
requirements very prominently and clearly. (In my experience the common
ones are not too bad but occasionally we have to guess, so maybe a service
stops working for mysterious reasons 30 or 90 days later.)

It's kind of ugly the way static verification records clutter up the
place, but on the other hand it is a useful protection against subdomain
takeover attacks. So I hope that this document will have a good survey of
the security considerations. Here's an overview of subdomain takeovers

https://www.csoonline.com/article/3601007/how-to-avoid-subdomain-takeover-in-azure-environments.html

Tony.
-- 
f.anthony.n.finch <dot@dotat.at> https://dotat.at/
Southeast Fitzroy: Northerly or northeasterly 5 to 7, occasionally gale 8 at
first. Moderate or rough. Fair. Good.
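The operational problem described in the message above (verification records that are one-time, periodically re-validated, or dynamically renewed as with ACME, and the stale CNAME condition behind subdomain takeover) can be turned into a zone audit. The script below is an added example, not code from the draft or from anyone in the thread. It works on a constructed zone snapshot; the classification rules, the re-check cadences (90 days is a placeholder, not any provider's published policy), the `provider.example` targets and the `RESOLVABLE` set standing in for live DNS lookups are all assumptions. Only the `_acme-challenge` owner name (RFC 8555) and the `google-site-verification=` TXT prefix are real formats.

```python
"""Audit a zone for domain-verification records and dangling CNAMEs.

Added example: classifies verification TXT records as one-time, periodic or
dynamic, reports which periodic ones are overdue for re-validation, and flags
CNAMEs whose target no longer exists (the subdomain-takeover precondition).
"""
from datetime import date, timedelta
import re

# Constructed zone snapshot: (owner, type, rdata). None of these are real records.
ZONE = [
    ("example.test.", "TXT", "google-site-verification=constructed-token-1"),
    ("example.test.", "TXT", "v=spf1 -all"),
    ("_acme-challenge.example.test.", "TXT", "constructed-acme-token"),
    ("shop.example.test.", "TXT", "constructed-verify=abc"),
    ("shop.example.test.", "CNAME", "shop-tenant.provider.example."),
    ("old.example.test.", "CNAME", "retired-tenant.provider.example."),
]

# Assumed classification rules: (label, owner regex, rdata regex, policy,
# recheck_days). recheck_days is a placeholder cadence; the real value must
# come from each provider's own documentation, which is the thread's point.
RULES = [
    ("google-site-verification", r".*", r"^google-site-verification=", "periodic", 90),
    ("acme-dns-01", r"^_acme-challenge\.", r".*", "dynamic", None),
    ("generic-verify", r".*", r"^constructed-verify=", "one-time", None),
]

# Constructed ledger: when each static record was last confirmed by its provider.
LAST_VERIFIED = {
    ("example.test.", "google-site-verification"): date(2021, 3, 1),
}

# Constructed stand-in for live resolution of CNAME targets.
RESOLVABLE = {"shop-tenant.provider.example."}


def classify(zone=ZONE, rules=RULES):
    """One dict per verification record; unrelated TXT records (SPF etc.) are skipped."""
    found = []
    for owner, rtype, rdata in zone:
        if rtype != "TXT":
            continue
        for label, owner_re, rdata_re, policy, days in rules:
            if re.search(owner_re, owner) and re.search(rdata_re, rdata):
                found.append({"owner": owner, "label": label,
                              "policy": policy, "recheck_days": days})
                break  # first matching rule wins
    return found


def due_for_recheck(today, zone=ZONE, rules=RULES, ledger=LAST_VERIFIED):
    """Owners of periodic records whose last confirmation exceeds the assumed cadence."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    due = []
    for rec in classify(zone, rules):
        if rec["policy"] != "periodic":
            continue
        last = ledger.get((rec["owner"], rec["label"]))
        # An unknown last-verified date is treated as overdue: safer than guessing.
        if last is None or today - last > timedelta(days=rec["recheck_days"]):
            due.append(rec["owner"])
    return due


def dangling_cnames(zone=ZONE, resolvable=RESOLVABLE):
    """CNAME owners whose target no longer exists at the provider: takeover candidates."""
    return [owner for owner, rtype, rdata in zone
            if rtype == "CNAME" and rdata not in resolvable]


if __name__ == "__main__":
    for rec in classify():
        print(f"{rec['owner']:32} {rec['label']:26} {rec['policy']}")
    print("due for re-check:", due_for_recheck("2021-06-11"))
    print("dangling CNAMEs:", dangling_cnames())
```

In real use `RESOLVABLE` would be replaced by an actual lookup of each CNAME target, and the `LAST_VERIFIED` ledger would be maintained from provider notifications; the rule table is the part that has to be filled from each provider's documented re-validation policy, which is exactly the information the message asks providers to publish prominently.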