IETF Logo Mail Archive

[DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)

Erik Nygren <erik+ietf@nygren.org> Tue, 27 May 2025 15:16 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id A4E822D5D3DA for <dnsop@mail2.ietf.org>; Tue, 27 May 2025 08:16:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.892
X-Spam-Level:
X-Spam-Status: No, score=-1.892 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Pbsxr9zAMLQ for <dnsop@mail2.ietf.org>; Tue, 27 May 2025 08:16:15 -0700 (PDT)
Received: from mail-lj1-f178.google.com (mail-lj1-f178.google.com [209.85.208.178]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 091662D5D3C6 for <dnsop@ietf.org>; Tue, 27 May 2025 08:16:15 -0700 (PDT)
Received: by mail-lj1-f178.google.com with SMTP id 38308e7fff4ca-32a72e61a3fso4307331fa.0 for <dnsop@ietf.org>; Tue, 27 May 2025 08:16:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748358974; x=1748963774; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=BnUaHFZEGw6/74+j1YPjLQR7Zaz0KabpkM/etd/qOZ0=; b=e3ZVX3Sa2/igN6JHrWxZsCIw8dqc5HTK5alo2OImBeZh+gX/TRK+Q8DjzEezYGwZbY Gd97TCrhLGflR3veRSOZ4GkZi6wAtyxJh++h0e8G4d9ua95A+E9iLLJ75iDjXzlLSXEn AE2vPXpiq30rrPexMBKYcl+mSv2LN+n5pWcOljlErb08NA9P2S/Y/JlmFaAAIV5WDC0z 6e8KdPF6SESAdNjhG3lB5RfUBDXkjzAnG5fbywTgK5rBTSXZ72tsL7evMQ3FbWGBNRR+ JqFQ+AWdn/CJuKE01iTylFKomOFscKjVrqvd+3ellVRPqY7pjECkaFyT6thSx+ziijKj Ck0w==
X-Forwarded-Encrypted: i=1; AJvYcCX3857ozOLwjhN9vWrTw1g5B253I6up1t1B425eDViNXoN82Cf/WId3+l7Nn40pBLBkUQv5dA==@ietf.org
X-Gm-Message-State: AOJu0YxgCK6jv8qzDcS7B/2+wyTHuBUm6XgrY7F9tRtxEane+zY7sEwo p7GD5593zduQHGCw7GZBRrxLI3hQtpZrwVcoGx9xddbjk764kxXgjS9JS8jVO3nXr9yUTH4ifmU Ux4lXTucaUbcFNcmkRGSpVaEUOscxS1M=
X-Gm-Gg: ASbGnctmkowaydH0NfdagTVtb8pcJYG1TkOVTF8vLMMTHG8/T22bSHXzZsITo0At4G2 UMdb/n2WgqGngUdTiaSfLd43RSyAk+4gHMdESh0F9hbywHYCcYblApIPtq8JeE+UzNgpXndA4kZ cSYfI1/kwZvnIvM6GZyrgeU6Kp71oZrY8Q+KucwTtmg8MTvGg6Upy58RxlE/p+YjSCbQ==
X-Google-Smtp-Source: AGHT+IGd7R+bRwY55BHOcnRaCgVmnVAvr0m93WJWgXNnZc3ElMZdMPtxyxWpeioky8w9JwmbmjWr3rQukK9SBPi3VBs=
X-Received: by 2002:a2e:ad87:0:b0:329:18f7:a77e with SMTP id 38308e7fff4ca-32a736ab91bmr4950871fa.1.1748358973243; Tue, 27 May 2025 08:16:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAKC-DJiQXWqT+kitGO_bjdwAzN8u11WrGfSpE99HGtoVbg9OHw@mail.gmail.com> <C42CC896-CA4C-4894-9A35-D5027FD48521@icann.org> <1f9237cf-fc78-3e12-f8bb-40699dc04d21@nohats.ca> <CAKC-DJhLGHmWVT8JYkSHAfm7HiT8dLmiOqN6Aqc2kN4dyXK96g@mail.gmail.com> <SA1PR15MB43706B717CABF88178152F57B397A@SA1PR15MB4370.namprd15.prod.outlook.com> <7f785910-73c9-f322-b0f1-839cd3f7cce8@nohats.ca> <CACsn0ckhF96yf-tVFUOSiEi9hzrKoTS3wYqM2weNC3uhKmXxvw@mail.gmail.com>
In-Reply-To: <CACsn0ckhF96yf-tVFUOSiEi9hzrKoTS3wYqM2weNC3uhKmXxvw@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Tue, 27 May 2025 11:16:00 -0400
X-Gm-Features: AX0GCFvTBC07DEjdikBXIlP61KKwNZbEf_0qfr0xIX6eNvxHNo1eNX6Ey6-AplI
Message-ID: <CAKC-DJgwDeu+F8aU8r70wJ7pq_xDj3ok06huZzYF09OsgMPJvA@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000008a475106361f8b55"
Message-ID-Hash: Y5G4QQFNVQKMLN6CANV4LXZAIN4R3QJI
X-Message-ID-Hash: Y5G4QQFNVQKMLN6CANV4LXZAIN4R3QJI
X-MailFrom: nygren@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Wouters <paul@nohats.ca>, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, Paul Hoffman <paul.hoffman@icann.org>, dnsop WG <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_f1IwGji8muhMTj7XrjXRIbgFYM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

I've been thinking about this a bunch, and I think DCV is not necessarily
one-time and the current focus on that is counter-productive.  Instead we
should be describing what properties are present due to the persistence of
a DCV entry, especially since it is public once entered into the DNS.  This
relates to how Intermediates fit in as well.  Over the next week or two I'm
going to see if I can propose an alternate PR (or set of PRs) that may
address some of the concerns here.

In response to my objection to Paul Hoffman's PR to remove intermediaries,
Paul was asking for some specific examples of where they are used and their
need.  A concrete example is how Akamai (and likely other CDNs) handle
Default DV certs.  For example see:

https://techdocs.akamai.com/property-mgr/reference/post-certificate-challenges
https://techdocs.akamai.com/property-mgr/docs/add-hn-with-default-cert-la

In this case there's an instruction to CNAME "_
acme-challenge.www.example1.com" to "
ac.afae21b9a98d2d845d8032da0d689252.www.example1.com.validate-akdv.net" and
then the latter is automatically updated to respond to ACME challenges from
a CA such as LetsEncrypt.  This intermediate token (eg,
"afae21b9a98d2d845d8032da0d689252") is crucial as it is bound to the
customer account and configuration on the Akamai side.  eg, if example1.com
were to be transferred over to an unrelated actor, their ability to persist
this CNAME would not allow them to continue to configure anything related
with this certificate on the Akamai side.  Additionally, by removing this
CNAME (or starting fresh with a new zone not containing this CNAME) they'd
be revoking access to the previous owner of the zone and would also prevent
renewals of the certificate from succeeding.

This case is illustrative of the sorts of properties DCV can provide, and
the roles Intermediates play in it.

For ACME certificates, there is a likely need to keep refreshing the leaf
DCV entry as the desire is to associate a specific cert signing request
(CSR) with a specific refreshed DCV entry.  This is due to the nature of
the ACME protocol, but there will be other DCV applications where this is
not the case.

Another DCV model is where persistence of a DCV record implies that a
user/account to whom the record was issued continues to have control over
the domain.  Removal of the record (or not reinstalling it after a change
of domain ownership) is effectively a revocation.  But for persistent
records it is especially important that simply cloning and reinstalling the
record does not give the new owner of a domain powers.

Intermediates are a necessary way to transitively adapt between these two
models (eg, account tied with persistence and one-shot re-validation).

Being able to add and persist a DCV entry demonstrates:
   * the ability to add an entry into a domain (that then becomes public)
   * the ability to persist an entry in a domain, which could either be due
to continued control over the domain or copying a previously accessed
public record from when the domain was previously controlled

One-shot validation is needed for some applications, either where the
presence of the DCV entry (and thus the ability to clone it) has security
properties that make it no longer applicable, or for applications such as
ACME where there is a need to periodically tie DCV to some entity or
assertion outside of the DNS (eg, a cert signing).  Persistence is needed
for other applications, as changing a record at a high frequency is not
possible especially for cases where a CNAME is used to integrate with a
third-party provider.

Persistence does have risk factors that any design needs to mitigate:
* Accidental persistence.  However, forcing an operator to have to
frequently reapply the change is not a fix here as things will need to be
automated themselves in ways that add complexity and new accidental
persistence risks.
* Cloning of a public record by a new domain owner after domain transfer.
To mitigate this we need to ensure that the presence of a record by itself
is not adequate.  The validation state can not be captured entirely within
the record, but needs to be tied externally to the validated entity.
* Dangling CNAME records (especially if not DCV-specific) which could be a
problem if ownership changes in the target of the CNAME.

I believe what we have in the current draft covers many of the issues that
arise but could use better text providing context here.
I'll see what I can do to propose some alternatives to get us unstuck.

Best,
       Erik

v2.31.3 | Report a Bug | By Email | System Status