IETF Logo Mail Archive

[DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)

Erik Nygren <erik+ietf@nygren.org> Mon, 12 May 2025 16:52 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 8EF1127A1A8E for <dnsop@mail2.ietf.org>; Mon, 12 May 2025 09:52:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.893
X-Spam-Level:
X-Spam-Status: No, score=-1.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wasYa9zV1EZF for <dnsop@mail2.ietf.org>; Mon, 12 May 2025 09:52:31 -0700 (PDT)
Received: from mail-lj1-f177.google.com (mail-lj1-f177.google.com [209.85.208.177]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E355927A1A84 for <dnsop@ietf.org>; Mon, 12 May 2025 09:52:30 -0700 (PDT)
Received: by mail-lj1-f177.google.com with SMTP id 38308e7fff4ca-326c1f3655eso34551121fa.1 for <dnsop@ietf.org>; Mon, 12 May 2025 09:52:30 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1747068750; x=1747673550; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Arr9RNO48tjgEqNszNDLc4ZyMXT0SnLHWKGkBe7pRtc=; b=DRQhM2nk8BW7R1t7iEhT9VPHoJ+xyLC+j2n0kd2f7aKtfPXIHJvB2a13P4woflSEMs LCK/pdILgweWnH2oH4xWzNb3QKOk3oxBRBuKMbHztt8vHVC4j5DwCao+8lXL1MbIzbIz LSlrDTtkWGbEW6GDy12Bm4JWlO0CfiFkjEPZiRCuQTbPGsCakoWUyTZWiuw+Dew2GWI3 flBG1JGzoRc1T/MLZpprccgeljw80UxS012YIJGfQCnVnZXvfSF89f828ouYGDRrHpGR FjI9dGqjLOZPJPGlUkt3VDdNO+ZJV80xqb2q5CSJGsFI329zy6vTDq3k0wOrYRdiLIM+ iJ3Q==
X-Forwarded-Encrypted: i=1; AJvYcCUuPZ/oHD70vY3lTLUg5m3SloyZmahOU/ADoB+ZFtGKP283qReWeJd4h44oxCK5uBTd6CjKCw==@ietf.org
X-Gm-Message-State: AOJu0YxGmZ/WFV1vIBCIaKkiv90xnqZcCe3P7tHI/zOnTXECYZmpp8/x 8sPPcbot8Rki4NGw0YXGnekCnUXRW3TAojKxOj0xLg1EA0TpKEVHg//IYNxd+BCaHjArkQNNYIT NHn6nf8FQYDKEWYy43jZ5BDwgkf2O2Q==
X-Gm-Gg: ASbGncvoQS3aXxD5JHorjFyCFH2cQm5NYLt1uaRG/VoX7ral3T8QhvQ1idUK3sGCma1 xtRf8i/0AQf61DZeCSpk8N2/yHHKV9EnbUXhoboaFoEig03YCqmin7kPdQ2uEAugLDL9NAl1t8Q Otl2iOTMRky5SgZCxLU1jiE+3CnjAt/+BFBGRb0sPYQ0ergO17CCeP11uqONqFW/Kk
X-Google-Smtp-Source: AGHT+IEPmbMMpgMHDCAD9qA3BUY0VyksshuWRRegJi29N5P+JVLYcx+lYS5/bUbzSiRujhm12yxIX2eE/wv2b9ekRJE=
X-Received: by 2002:a2e:9fc5:0:b0:30c:2d44:c212 with SMTP id 38308e7fff4ca-326c455f575mr58188101fa.9.1747068749330; Mon, 12 May 2025 09:52:29 -0700 (PDT)
MIME-Version: 1.0
References: <CAKC-DJiQXWqT+kitGO_bjdwAzN8u11WrGfSpE99HGtoVbg9OHw@mail.gmail.com> <C42CC896-CA4C-4894-9A35-D5027FD48521@icann.org> <1f9237cf-fc78-3e12-f8bb-40699dc04d21@nohats.ca>
In-Reply-To: <1f9237cf-fc78-3e12-f8bb-40699dc04d21@nohats.ca>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Mon, 12 May 2025 12:52:16 -0400
X-Gm-Features: AX0GCFsIRu8I0ZgMYRhmJ7oTC-Uv6W-mle8-Vkac5m7qYVWQsw-PyxZpRR6UsXA
Message-ID: <CAKC-DJhLGHmWVT8JYkSHAfm7HiT8dLmiOqN6Aqc2kN4dyXK96g@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Content-Type: multipart/alternative; boundary="00000000000033be440634f324d2"
Message-ID-Hash: MPX6WMCJPDVJGDDRIB4N2EG4UFPT6E5O
X-Message-ID-Hash: MPX6WMCJPDVJGDDRIB4N2EG4UFPT6E5O
X-MailFrom: nygren@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Hoffman <paul.hoffman@icann.org>, dnsop WG <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dGqy0z2YzQ9gWAXhg2-8C7UPcpE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

I agree with Paul W here.  I don't think there's disagreement between the
authors, and I believe that
it is important to cover\ the *current* practices where assumptions about
persistence are being made.
If we go back to the examples that were in an appendix of earlier versions
of this draft some of them
do assume persistence, and that is part of how we got into this.  As such,
I do think we have experience
there with some of the pitfalls of certain implementations around
persistence.
(For that matter, an NS record is a form of persistent delegation, although
outside the scope of this draft.)

Since this doesn't appear to be clear to some readers it does seem like it
would be worthwhile
to add some text to explain point-in-time-validation vs persistent
validation and to highlight pitfalls.
I don't really think there is as clear of a distinction between
point-in-time validation,
persistent validation, and delegation for ongoing point-in-time validations
as Ben implies.
They are all cases which apply and are variations and it would be good to
cover all of them
in the draft as the current version does.

      Erik




On Mon, May 12, 2025 at 12:41 PM Paul Wouters <paul@nohats.ca> wrote:

> On Mon, 12 May 2025, Paul Hoffman wrote:
>
> [ speaking only as co-author of
> draft-ietf-dnsop-domain-verification-techniques ]
>
> > Reading this thread and the GitHub issue that spawned it, it is clear
> that even the co-authors of draft-ietf-dnsop-domain-verification-techniques
> do not agree on how to handle persistence of validation, much less
> agreement among WG participants. This may be due to lack of real-world
> experience with persistent validation, even though we have plenty of
> experience with single shared secret validation for one instant.
>
> I don't think there was that much disagreement between authors. It was
> mostly a disagreement between authors and Ben Schwartz about whether
> the initial DCV record can or should be used as long term permission
> token.
>
> Ben argues the draft is a BCP and should specify the "best way forward"
> and use two different records. My counter argument is that the draft
> is a "best CURRENT practice", anod no one I know is currently doing
> this.
>
> For reference, the github thread is here:
> https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/160
>
>
> > draft-sheth-identifiers-dns is a good start at thinking about the
> differences between persistent validation and single shared secret
> validation. It seems safe to limit
> draft-ietf-dnsop-domain-verification-techniques to just the latter, and
> hopefully the WG adopts draft-sheth-identifiers-dns and has more discussion
> about what might become best practices there.
>
> Talking about life cycles is useful, but I think like the lifecycle for
> SSL certificates, can only be feasibly done if there is an automated
> system like ACME to fully automate this. The question then though, is
> how much real "admin permission" does such a record give you if the
> admin really doesn't know because a certbot like script is running
> someplace authorizing on their behalf?
>
> > I'm posting here because just last week I thought that
> draft-sheth-identifiers-dns should be part of
> draft-ietf-dnsop-domain-verification-techniques because there was general
> agreement on what were best practices. I was wrong, and the more that I
> thought about what I would say were best practices for persistence
> validation, the more I realize that I hadn't thought enough about the
> operational and security considerations.
> >
> > Given that, I propose that
> draft-ietf-dnsop-domain-verification-techniques be narrowed to only cover
> the best current practices for shared secret validation, and get that
> published sooner rather than later. I further propose that
> draft-sheth-identifiers-dns be adopted by the WG, on the assumption that it
> starts with the same naming scheme from
> draft-ietf-dnsop-domain-verification-techniques.
>
> I still believe we are picking the best of _current_ practices, and I
> still believe the document should document that if you are using the
> DCV record for continue permission, that it should be clear in the
> RDATA using key=value pairs with for example expire=never and that
> DCVs that can be removed after a one time verification, SHOULD contain
> a expire=<datestamp> value. Punting this discussion further into the
> future means there will be more DNS littering until that unknown future
> time.
>
> Paul W
>
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org
>

v2.31.3 | Report a Bug | By Email | System Status