[DNSOP] Re: Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-06.txt

Ben Schwartz <bemasc@meta.com> Thu, 31 October 2024 20:27 UTC

From: Ben Schwartz <bemasc@meta.com>
To: Paul Wouters <paul@nohats.ca>, Tim Wicinski <tjw.ietf@gmail.com>
Date: Thu, 31 Oct 2024 20:27:34 +0000
Message-ID: <SA1PR15MB4370190A60EC486D8174DF0EB3552@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <SA1PR15MB4370B47E0E2B04112767EF1EB34F2@SA1PR15MB4370.namprd15.prod.outlook.com> <E2D7B4A8-551B-4049-8784-015DC3D2610E@nohats.ca> <SA1PR15MB43705F5C8AAB79BC14B2BDBBB3552@SA1PR15MB4370.namprd15.prod.outlook.com> <CADyWQ+Go9z=hDYgKyPeTxp=ecZZk2s-ttf6xDWyFLciEU34d7A@mail.gmail.com> <c2dce756-ca35-196f-a1e0-68cf4bd25c39@nohats.ca>
In-Reply-To: <c2dce756-ca35-196f-a1e0-68cf4bd25c39@nohats.ca>
CC: dnsop <dnsop@ietf.org>
Subject: [DNSOP] Re: Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-06.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XUSIYS_4LVrLXahyQn2Y-zTdjd4>

This is why I wanted to raise this topic.  I don't believe we have thought very carefully about when DCV is actually safe or appropriate, and I don't think we should be recommending a mechanism without consensus and guidance for what this mechanism achieves and when this mechanism is safe to use.

In the case of both Google Mail and Office365, the customer is free to delete the verification TXT record after the verification step is complete.   And yet these systems treat this verification step as permanently binding the domain to an account in their system.  Depending on your threat model, this might be perfectly reasonable or obviously vulnerable.  I don't think this document should move forward without providing clear guidance on this key question.

If these providers did what you are suggesting, they would be in violation of recommendations in Section 5.7, which says that "a new challenge needs to be issued" every time the ASP checks the verification record.  But this is also strange: common sense suggests that I could leave a record in place to indicate my continuing consent.  That is true, but such a record is no longer providing Domain Control Validation; instead, it is performing authorization (like MX), and is outside the (present) scope of this draft.

Basically, I think we have some work to untangle the purpose of DCV in the current text.

--Ben
________________________________
From: Paul Wouters <paul@nohats.ca>
Sent: Thursday, October 31, 2024 4:07 PM
To: Tim Wicinski <tjw.ietf@gmail.com>
Cc: Ben Schwartz <bemasc@meta.com>; dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Re: Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-06.txt

On Thu, 31 Oct 2024, Tim Wicinski wrote:

>     draft-ietf-dnsop-domain-verification-techniques-06.txt
>
> I'll review it today and I now understand your reasoning a lot better.

I reviewed the text.

It makes assumptions on knowing what are valid and invalid use cases of
domain ownership verification. I think that is wrong. The document
shouldn't do that and should stick to the mechanism only.

It also seems to make a suggestion that all of these are time-bound, but
this is also not the case. For example, if you want google mail or
office365 you need to add a record. This record acts as a challenge /
proof but also as a continued signal that you still want them to do mail for
you.

So I don't think we should merge this PR.

Paul
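The following is an added example, not code from this thread, from the draft, or from any provider; it models the distinction the two messages above turn on. Ben's point is that a DCV check is a one-time proof (Section 5.7's "a new challenge needs to be issued" each time the ASP checks), so a binding that outlives the deleted TXT record is a separate policy decision; Paul's point is that providers in practice read the record as a continued signal. The checker below issues a fresh random token per check, consumes a challenge on success, and honours the resulting binding only for a validity window, after which control has to be re-proved. Everything below is an assumption rather than text from the draft: the record name `_<provider>-challenge.<domain>`, the hypothetical provider label `exampleasp`, the in-memory `FakeZone` standing in for DNS, and the 3600-second validity window.

```python
import secrets
from typing import Callable, Dict, List

# Assumption (not quoted in the thread): the challenge lives in a TXT record at
# "_<provider>-challenge.<domain>" and carries a random, single-use token.
PROVIDER = "exampleasp"  # hypothetical Application Service Provider label


class Challenge:
    """One issued DCV challenge: domain, random token, and whether it has been consumed."""

    def __init__(self, domain: str, token: str) -> None:
        self.domain = domain.lower().rstrip(".")
        self.token = token
        self.consumed = False

    @property
    def owner_name(self) -> str:
        return f"_{PROVIDER}-challenge.{self.domain}"


class FakeZone:
    """Constructed in-memory stand-in for the domain's DNS zone (TXT records only)."""

    def __init__(self) -> None:
        self._txt: Dict[str, List[str]] = {}

    def add_txt(self, name: str, value: str) -> None:
        self._txt.setdefault(name.lower(), []).append(value)

    def delete_txt(self, name: str) -> None:
        self._txt.pop(name.lower(), None)

    def lookup_txt(self, name: str) -> List[str]:
        return list(self._txt.get(name.lower(), []))


class FakeClock:
    """Controllable clock so the validity window can be exercised deterministically."""

    def __init__(self, start: float) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class DcvChecker:
    def __init__(self, lookup_txt: Callable[[str], List[str]], now: Callable[[], float],
                 validity_seconds: float) -> None:
        self._lookup_txt = lookup_txt
        self._now = now
        self._validity = validity_seconds          # assumption: bindings must be re-proved after this
        self._verified_until: Dict[str, float] = {}

    def issue_challenge(self, domain: str) -> Challenge:
        # A fresh token for every check; 32 random bytes is well above 128 bits of entropy.
        return Challenge(domain, secrets.token_urlsafe(32))

    def verify(self, challenge: Challenge) -> bool:
        """Succeeds at most once, and only while the matching TXT record is actually published."""
        if challenge.consumed:
            return False                           # one challenge, one check
        rrset = self._lookup_txt(challenge.owner_name)
        matched = any(secrets.compare_digest(txt, challenge.token) for txt in rrset)
        if matched:
            challenge.consumed = True
            self._verified_until[challenge.domain] = self._now() + self._validity
        return matched

    def is_bound(self, domain: str) -> bool:
        """The binding is honoured only inside the validity window; afterwards a new
        challenge is needed. A provider that treats the first success as permanent
        would drop this expiry, which is the behaviour questioned in the thread."""
        until = self._verified_until.get(domain.lower().rstrip("."))
        return until is not None and self._now() < until


def run_scenario() -> Dict[str, bool]:
    """Walk a domain through issue -> publish -> verify -> delete -> expire."""
    zone, clock = FakeZone(), FakeClock(1_700_000_000.0)
    checker = DcvChecker(zone.lookup_txt, clock.now, validity_seconds=3600)
    domain = "example.com"
    first = checker.issue_challenge(domain)
    out: Dict[str, bool] = {}
    out["before_record"] = checker.verify(first)               # nothing published yet
    zone.add_txt(first.owner_name, first.token)
    out["with_record"] = checker.verify(first)                 # proof of control at this moment
    out["reuse_same_challenge"] = checker.verify(first)        # consumed: a new challenge is needed
    out["bound_after_verify"] = checker.is_bound(domain)
    zone.delete_txt(first.owner_name)                          # customer removes the TXT record
    out["bound_after_delete"] = checker.is_bound(domain)       # still inside the window
    clock.advance(3601)
    out["bound_after_expiry"] = checker.is_bound(domain)       # binding lapsed; must re-prove
    second = checker.issue_challenge(domain)
    out["fresh_token_differs"] = first.token != second.token
    out["reverify_without_record"] = checker.verify(second)    # record gone, so re-proof fails
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:26s} {result}")
```

The `bound_after_delete` step is the crux: with any non-zero validity window the binding survives deletion of the record for a while, so the real policy question is how long, and whether re-verification is ever forced. A provider that wants the record to act as ongoing consent (Paul's reading) is doing authorization rather than DCV and should check for the record's continued presence instead of relying on a one-time token.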