Re: [DNSOP] Fwd: New Version Notification for draft-sahib-domain-verification-techniques-02.txt

Shivan Kaul Sahib <> Tue, 15 June 2021 16:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 897D03A359C for <>; Tue, 15 Jun 2021 09:27:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wLcJ8MT8q_cs for <>; Tue, 15 Jun 2021 09:27:39 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C67D73A3599 for <>; Tue, 15 Jun 2021 09:27:38 -0700 (PDT)
Received: by with SMTP id s22so25897251ljg.5 for <>; Tue, 15 Jun 2021 09:27:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=i2ElaSAJuB0TjEVVan6cUumFVfHhGaNQibRv7o1ABXs=; b=LOZs5aRvW13xzihwI6RT0CSZjEEeAcpUzr2YcyHsFXq3IqMYfJcItDVZJLnFBoMMuf +f5gpxw9lhmfWBlU0DqXQ6ZtgfEs8mvpZ0haWrBEyDBH3oTJe+sZo9ShXzSebYHOZDUa ZA8uimQjpjmKpRkllN2XVbozXmwXGOg1bNR0R4O7cl0KpmGBw7fsT9G4jL7JQdeqXKa7 nnXIARBNC6lKQzs9xApTwYOgklmEp239AnbEZDqdfGPe5M0ouq6A7Z6PD23YnlVO5fjG 2X6yzLPCGOlCSKvZ6OpZ5FLbmjQkgNnOrI3pC3yJTVWasUQtFm3lSIkH9iRrGOn/UMBD /q2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=i2ElaSAJuB0TjEVVan6cUumFVfHhGaNQibRv7o1ABXs=; b=oYvWdVqqFdEkr5zeMZoIanDPRtTpPVLcoGZD+ZFFMM/MYiDeKBVWRScPh1ihDc3dBv TUzTY8yrwIIuUDSXs/S7sVJ0MaD0QAVAxP1OJeMXIg/Nu0C0S+4eFbq4JLs7JVFco7bi t+rKjQk+R4e7YzeYYt7iFpU9gVTI865IUvBKJ/e51Zf6evbfdXJ6b3BMoWe+UqrtYH+/ qinhQWRgO1eHq4oRmxwiYKCfYr7PhAjCxD64CPXNLvIrg36sClNiSCyMlliOsOuhfyrt A4JIKoQCNAOqp+1FuWum7f4blPmtIwVmVC/Qe0UEynI8SDTbWyvSdE6ayxZmLE030OIB yaNg==
X-Gm-Message-State: AOAM530n+3zLGalpdjdwgGxjQcxZeh9pqnkvINAdKurPHoa71xRRpnhD abAzuIy2hFbmLhCCAe53ZrEe8ZJnA4mUT7072sY=
X-Google-Smtp-Source: ABdhPJwlw6pp11qwKKYKO1sc8XDhlSKtulYeVEqc04h1KNkcARs3FUOVC8OB/ZnILCx56H91E9KSA2IS5W15Y0n9OOI=
X-Received: by 2002:a2e:8699:: with SMTP id l25mr356990lji.315.1623774454341; Tue, 15 Jun 2021 09:27:34 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Shivan Kaul Sahib <>
Date: Tue, 15 Jun 2021 09:26:58 -0700
Message-ID: <>
To: Stephane Bortzmeyer <>
Content-Type: multipart/alternative; boundary="0000000000008be25105c4d07313"
Archived-At: <>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-sahib-domain-verification-techniques-02.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 15 Jun 2021 16:27:41 -0000

Hi Stephane!

> Section 4.1: you do not mention a recommended name for the
> subdomain. Should we suggest a name starting with an underscore, to
> limit the risk of collisions and to emphasize it is not a host name?
> (On the other hand, some users may have a limited DNS provisioning
> interface, which enforces a LDH restriction.)

This draft is intended to be a survey of existing techniques and broad
recommendations that can be derived from the survey (hence we only discuss
the value of targeted domain verification). Our thought was that we should
leave concrete best practices for a later draft.

> Section 5: should we also add that, specially if the zone is not
> signed, multi-vantage-point checking is recommended (Let's Encrypt
> already does it)?

Interesting, I raised an issue here: