[DNSOP] Re: I-D Action: draft-ietf-dnsop-domain-verification-techniques-09.txt

"Murray S. Kucherawy" <superuser@gmail.com> Mon, 21 July 2025 11:23 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 02C834757E86 for <dnsop@mail2.ietf.org>; Mon, 21 Jul 2025 04:23:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ppZuBo9_sqdR for <dnsop@mail2.ietf.org>; Mon, 21 Jul 2025 04:23:24 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 5D9804757E6E for <dnsop@ietf.org>; Mon, 21 Jul 2025 04:23:24 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id 2adb3069b0e04-553ba7f11cbso4226896e87.1 for <dnsop@ietf.org>; Mon, 21 Jul 2025 04:23:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1753097003; x=1753701803; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=hmUzRajFn8MT0qwwcXBApUVMjbWSppullkyjJ26z5jw=; b=ZRluC4GKrepl0I31gJ8Dtk3ANGBaEDjITKsaGbvk50ogC/D5BWnxzCTPeieI4iZxo5 HJydRzxrqUP7Ls5hwVvImvBIdUV4tR9Nxcs6rybxoPzEM7pdzKPyliBnqaLyZ5hImVVc k7XPpnCmX8x49jweRcRlrLUEB/w8xWYeup3/spqfqHbXbxW4bQ9fi+fvupngTK/WCtWi mFyASsqw94VtPfm6rj2xHH0sJM63A6jN3v/fEmmFmaK5tJSGaMjWpNdIkTJ+4mHFCPvF yqrHM6oLkrMRNoNo9lFNRweDg6wIxKy0vQyfii501bRvNAg9beKN45Vas980WS2TMraz ZmXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1753097003; x=1753701803; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=hmUzRajFn8MT0qwwcXBApUVMjbWSppullkyjJ26z5jw=; b=F7UwHs7/Eu77VRZtvjOJkVMOalWGp0Jy578Pswf17VZuot4RjLRPcJStBw/6uVziew VVkglkeSxjnzOn2LMwGvl+WZdINqKIP1+nMFzbxkm6RM28Mb3BRuf9C4gj5OhkB4R8dl 1fbOxWwO0mlTcCGvl+lMJnsY86supJgvy2bxGbFAitvCYXgyLhkMCz+oMHH7owLdlwFn drk/kwua8KV1TIbUQWwLNAteufTh9CVi7RSDNNQj44wYjl4vympV8d+d3AYlN240qnVA znleWVErgKEEn4lNDR1JOskCvOSOX6+7/ARTiE1szLYIXuPrM2C31jcYQBdgJaYLXqqm tj6g==
X-Gm-Message-State: AOJu0Yzeez1n38ROP7QcfRagrNMj+Y/rBR6YEW21q3BLcP/pF6ZsLFVM WkFsslrvjWzrKhq0rdfM1+r7aPo+t3Z5BuWsq5bzSxX8dpt3hMVjSXCHgwvBvd5MKKdFi6bobPl WWjWyyIpIQBPQQWnJZ/p4b8C5uVqLeyo5hhcQ3VWGGA==
X-Gm-Gg: ASbGnct2nXdzZ7XK9/Aw4RyB0qoPD5DjkePeOede1T73zfAa8fWsX98lrBhWPUw67d7 kD/ldX3vgyLL6BBfHKehAr7f6Re3rQHKUcR2dKIp/kYqUTPGQP2fP8PJYc4y8/c5WtGTXtXJTNm aScgFflnC0Mc9o0zWL4PPL5vxNmVM2QA2YOdm5JA+7hJ7IrMFTvPvRW3Y19LZdhXEpZ5yBtvDS2 GXQkB8quSIHIFxSF4NGIMXWk2zTcAxwd4zr5NuNd/Brxf6d
X-Google-Smtp-Source: AGHT+IEOLQzfLnlU2o5vamZ9CxfXklrmWV+qesTnpmtGU1hIBihw5s0YUVHdMTg//a0+64xniVDtkKVGef00fSQAefo=
X-Received: by 2002:a05:6512:ba6:b0:553:24f4:872a with SMTP id 2adb3069b0e04-55a2970d514mr4227022e87.40.1753097002425; Mon, 21 Jul 2025 04:23:22 -0700 (PDT)
MIME-Version: 1.0
References: <175191631657.1939538.2872364733542938191@dt-datatracker-6fcb845cd4-p6tkq>
In-Reply-To: <175191631657.1939538.2872364733542938191@dt-datatracker-6fcb845cd4-p6tkq>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Mon, 21 Jul 2025 13:23:10 +0200
X-Gm-Features: Ac12FXz-0ICDTmbi48dlsP1YW-LB-GCQK2tOryYIel1Mk0wtY8kUUzj-JHgU8gs
Message-ID: <CAL0qLwb8eWSSo6=Ls2tQTqGCK6OEJHk7Stg6iRCw8-oyXigmXg@mail.gmail.com>
To: dnsop@ietf.org
Content-Type: multipart/alternative; boundary="000000000000162715063a6eb45c"
Message-ID-Hash: RCFTGFFDYBCWIHUCQM7YHSGPMNTESCFQ
X-Message-ID-Hash: RCFTGFFDYBCWIHUCQM7YHSGPMNTESCFQ
X-MailFrom: superuser@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: I-D Action: draft-ietf-dnsop-domain-verification-techniques-09.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dJdMy4eO7Sw9wmalvF0Rd4BTfQg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Mon, Jul 7, 2025 at 9:29 PM <internet-drafts@ietf.org> wrote:

> Internet-Draft draft-ietf-dnsop-domain-verification-techniques-09.txt is
> now
> available. It is a work item of the Domain Name System Operations (DNSOP)
> WG
> of the IETF.
>
>    Title:   Domain Control Validation using DNS
>    Authors: Shivan Sahib
>             Shumon Huque
>             Paul Wouters
>             Erik Nygren
>             Tim Wicinski
>    Name:    draft-ietf-dnsop-domain-verification-techniques-09.txt
>    Pages:   18
>    Dates:   2025-07-07
>
> Abstract:
>
>    Many application services on the Internet need to verify ownership or
>    control of a domain in the Domain Name System (DNS).  The general
>    term for this process is "Domain Control Validation", and can be done
>    using a variety of methods such as email, HTTP/HTTPS, or the DNS
>    itself.  This document focuses only on DNS-based methods, which
>    typically involve the Application Service Provider requesting a DNS
>    record with a specific format and content to be visible in the domain
>    to be verified.  There is wide variation in the details of these
>    methods today.  This document provides some best practices to avoid
>    known problems.
>

Thanks for putting this together.  A few points to raise as you head toward
WGLC:

(1)  Section 5.1 says multiple RDATAs are to be treated as concatenated.  I
assume that means this sort of setup, for example:

_example_service-challenge.example.com.  IN   TXT  "3419...3d206c4"
    IN TXT "rbviluteebttjhihtvfbtrbjcdiihibu"

Maybe I'm not remembering correctly, but could these not be returned in
arbitrary order, making the result non-deterministic?

If you actually mean multiple "character-string"s are to be concatenated,
isn't that what RFC 1035 says anyway?

(2) The ABNF in Section 5.1.2 needs to be broken apart (i.e., it's
formatted funny in this version, or at least it renders funny in HTML).

(3) The SHOULD in Section 5.2 is curiously constructed.  I would suggest
something like "names SHOULD be registered".

Also, I wonder if some sort of hierarchical naming might be helpful here.
It might be tedious for IANA (or whoever) to register everything one might
want to verify, versus registering provider names only and letting them use
any sub-name they choose without registration.

(4) In Section 5.1.2, the ABNF for "value-char" lists "+" twice.  Also I
suggest considering importing a key-value ABNF pair that's already used
someplace else that's more general, maybe DKIM or MIME.  If you decide you
want to include a comma someday, for instance, this will all have to be
revised, but why not anticipate it and make this more general?

(5) Nearly all of the SHOULDs in here had me asking "Why isn't this a
MUST?"  For instance, why would you not do the base32 encoding thing that's
currently a SHOULD?  Or what's the impact if you don't?

(6) For Section 5.1.2, is there any benefit to registering known metadata
keys to avoid collisions in meaning?

Thanks for your consideration,

-MSK