IETF Logo Mail Archive

[DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)

Joe Abley <jabley@strandkip.nl> Fri, 30 May 2025 08:27 UTC

Return-Path: <jabley@strandkip.nl>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 94EA02EA5ADB for <dnsop@mail2.ietf.org>; Fri, 30 May 2025 01:27:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=strandkip.nl
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4iauZphRsYBs for <dnsop@mail2.ietf.org>; Fri, 30 May 2025 01:27:15 -0700 (PDT)
Received: from outbound.qs.icloud.com (p-east3-cluster1-host9-snip4-10.eps.apple.com [57.103.87.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 25D792EA5AD6 for <dnsop@ietf.org>; Fri, 30 May 2025 01:27:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=strandkip.nl; s=sig1; bh=CCPVtrSWiZ3q6NmxHZvB1yOQT9Yajwb802hxyWOn0PA=; h=Content-Type:From:Mime-Version:Subject:Date:Message-Id:To:x-icloud-hme; b=HaqM/ACdmiqCDhBn8Jf9s+v5ochcN1ZkYNRkbjCGm53i0H2AHPb9F4sB8Sb1ITbp6 8koI79xjoa+5FycT7G7gymCzNXYWUjK3DZBCWmkZ33mG/yjXd7HnRdD26PLhjkqH7P UeZWXcnWIplehhX4W3Jge7It/HNxalaMeg5nEFVI22y52DRkR8o4xJaBKNRz0buEjw W8u0zivmCzj8SQi25FM6wI19Gi8V3FNToB93qsx96dSSD3Xg1dbBqqNYkiQod6V2RV 9Tbfvtj3Mg9EzowtOX9eiIvAKEjQh/g8rvvO6rwNd6Tt32LszuML7P0VWn110L6Ym5 VT0F6RqluXGsg==
Received: from outbound.qs.icloud.com (localhost [127.0.0.1]) by outbound.qs.icloud.com (Postfix) with ESMTPS id E79251800130; Fri, 30 May 2025 08:27:12 +0000 (UTC)
Received: from smtpclient.apple (qs-asmtp-me-k8s.p00.prod.me.com [17.57.155.37]) by outbound.qs.icloud.com (Postfix) with ESMTPSA id F106B18001CC; Fri, 30 May 2025 08:27:11 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
From: Joe Abley <jabley@strandkip.nl>
Mime-Version: 1.0 (1.0)
Date: Fri, 30 May 2025 10:27:00 +0200
Message-Id: <A730BDB0-7387-417F-92E3-B654867CA3BD@strandkip.nl>
References: <16ef83e1-3ba4-cd0a-24ee-85557e0e838e@taugh.com>
In-Reply-To: <16ef83e1-3ba4-cd0a-24ee-85557e0e838e@taugh.com>
To: John R Levine <johnl@taugh.com>
X-Mailer: iPhone Mail (22F76)
X-Proofpoint-ORIG-GUID: mjltfIHsER65-GkcpTTZ0FnwG8b3RnW6
X-Proofpoint-GUID: mjltfIHsER65-GkcpTTZ0FnwG8b3RnW6
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-05-30_03,2025-05-29_01,2025-03-28_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 clxscore=1030 malwarescore=0 adultscore=0 suspectscore=0 bulkscore=0 phishscore=0 spamscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.22.0-2503310001 definitions=main-2505300070
Message-ID-Hash: 2VSVSAEQL7ZCY443BTSEUM3LJ4XH745Z
X-Message-ID-Hash: 2VSVSAEQL7ZCY443BTSEUM3LJ4XH745Z
X-MailFrom: jabley@strandkip.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Hoffman <paul.hoffman@icann.org>, dnsop@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SzBjddvA_5O8pJvir461_H_4rcA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On 29 May 2025, at 20:48, John R Levine <johnl@taugh.com> wrote:

> On Thu, 29 May 2025, Paul Hoffman wrote:
>>> When I look at the TXT records on any large organization's DNS apex, I find it hard to believe
>>> that all of those records are just one time DCV that they forgot to remove.
>> 
>> Correct: there's a good chance they left them there because they don't know if they're safe to remove, so why not just leave them it. Whoever told them to add the record didn't say when they should remove it.
> 
> Some of them are but I'm fairly sure that some of them have to stay there as long as you subscribe to the corresponding service.  Either way we're guessing, so I wouldn't want to make any strong assertions either wy.

I don't see great value in naming names, but I have certainly seen both behaviours.

I have definitely received automated email telling me that my domain is about to be detached from a particular service because the TXT record had been removed. Other TXT records I have been removed in the interests of hygiene had no such effect. 

I agree that consistency would be better than this state of affairs. 

It also seems possible that there is a need for two signals: that a domain is authorised to onboard to a particular service, and that a domain is authorised to continue to be linked to a service. 


Joe

v2.31.3 | Report a Bug | By Email | System Status