IETF Logo Mail Archive

[DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)

Paul Wouters <paul@nohats.ca> Mon, 12 May 2025 16:40 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id E9F0027A0B2A for <dnsop@mail2.ietf.org>; Mon, 12 May 2025 09:40:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.4
X-Spam-Level:
X-Spam-Status: No, score=-4.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t5oevEgyH4HJ for <dnsop@mail2.ietf.org>; Mon, 12 May 2025 09:40:35 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::85]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 24FE427A0B1C for <dnsop@ietf.org>; Mon, 12 May 2025 09:40:35 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4Zx5293ypBz75Q; Mon, 12 May 2025 18:40:33 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1747068033; bh=ZsYA0bPGycn6RMHydKRTbaEPyxPzey4gsX6YT7k+ZGE=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=kFBmP2jVUlyBr+X4HJ1uA/W7EhSrR4V2MP5+nVZDJtk+1ccld0Xtaz4PiW+i4f32J +d6iO6zsgy6zE8hoW+hJyq37t9dyIZwdzM+XWioXidxAaV1ldbhDni+IyvNz5O13ur U/DXFQM4SAQZ98tm3VXHLVxT1Msuvz90RmXA/CT8=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id uCxv-bANkrui; Mon, 12 May 2025 18:40:32 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 12 May 2025 18:40:32 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 583D9150BC6D; Mon, 12 May 2025 12:40:31 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 57363150BC6C; Mon, 12 May 2025 12:40:31 -0400 (EDT)
Date: Mon, 12 May 2025 12:40:31 -0400
From: Paul Wouters <paul@nohats.ca>
To: Paul Hoffman <paul.hoffman@icann.org>
In-Reply-To: <C42CC896-CA4C-4894-9A35-D5027FD48521@icann.org>
Message-ID: <1f9237cf-fc78-3e12-f8bb-40699dc04d21@nohats.ca>
References: <CAKC-DJiQXWqT+kitGO_bjdwAzN8u11WrGfSpE99HGtoVbg9OHw@mail.gmail.com> <C42CC896-CA4C-4894-9A35-D5027FD48521@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Message-ID-Hash: MZZL7FLT4GFLB2NV423RJ3JERSRFEXGG
X-Message-ID-Hash: MZZL7FLT4GFLB2NV423RJ3JERSRFEXGG
X-MailFrom: paul@nohats.ca
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop WG <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dSPOK3CCui7oeKqw7xddEOZbTsU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Mon, 12 May 2025, Paul Hoffman wrote:

[ speaking only as co-author of draft-ietf-dnsop-domain-verification-techniques ]

> Reading this thread and the GitHub issue that spawned it, it is clear that even the co-authors of draft-ietf-dnsop-domain-verification-techniques do not agree on how to handle persistence of validation, much less agreement among WG participants. This may be due to lack of real-world experience with persistent validation, even though we have plenty of experience with single shared secret validation for one instant.

I don't think there was that much disagreement between authors. It was
mostly a disagreement between authors and Ben Schwartz about whether
the initial DCV record can or should be used as long term permission
token.

Ben argues the draft is a BCP and should specify the "best way forward"
and use two different records. My counter argument is that the draft
is a "best CURRENT practice", anod no one I know is currently doing
this.

For reference, the github thread is here: https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/160


> draft-sheth-identifiers-dns is a good start at thinking about the differences between persistent validation and single shared secret validation. It seems safe to limit draft-ietf-dnsop-domain-verification-techniques to just the latter, and hopefully the WG adopts draft-sheth-identifiers-dns and has more discussion about what might become best practices there.

Talking about life cycles is useful, but I think like the lifecycle for
SSL certificates, can only be feasibly done if there is an automated
system like ACME to fully automate this. The question then though, is
how much real "admin permission" does such a record give you if the
admin really doesn't know because a certbot like script is running
someplace authorizing on their behalf?

> I'm posting here because just last week I thought that draft-sheth-identifiers-dns should be part of draft-ietf-dnsop-domain-verification-techniques because there was general agreement on what were best practices. I was wrong, and the more that I thought about what I would say were best practices for persistence validation, the more I realize that I hadn't thought enough about the operational and security considerations.
>
> Given that, I propose that draft-ietf-dnsop-domain-verification-techniques be narrowed to only cover the best current practices for shared secret validation, and get that published sooner rather than later. I further propose that draft-sheth-identifiers-dns be adopted by the WG, on the assumption that it starts with the same naming scheme from draft-ietf-dnsop-domain-verification-techniques.

I still believe we are picking the best of _current_ practices, and I
still believe the document should document that if you are using the
DCV record for continue permission, that it should be clear in the
RDATA using key=value pairs with for example expire=never and that
DCVs that can be removed after a one time verification, SHOULD contain
a expire=<datestamp> value. Punting this discussion further into the
future means there will be more DNS littering until that unknown future
time.

Paul W

v2.31.3 | Report a Bug | By Email | System Status