[DNSOP] Re: Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-05.txt

John R Levine <johnl@taugh.com> Wed, 24 July 2024 19:10 UTC

Date: Wed, 24 Jul 2024 12:10:49 -0700
Message-ID: <25b91f73-fa56-c467-e291-d4d35e9d7ac4@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Shumon Huque <shuque@gmail.com>
In-Reply-To: <CAHPuVdWwiFAnK8VZYJv4OVk=9v5YCCT4pHykW4Ei3PLEyTZvfg@mail.gmail.com>
References: <172047471396.458153.12797163404923712142@dt-datatracker-5f88556585-j5r2h> <CADyWQ+GMHrL2ABd6hMhWujMEO=pDtDXsc3tGDPx72uYqxa4JbQ@mail.gmail.com> <20240709212356.43B838F44515@ary.qy> <CAHPuVdX=8Lv3r41g8YVkjRQ-YCx9r+nB94wqep7oG+_o20EHfA@mail.gmail.com> <453c7d44-355f-571b-70b9-e8e69ab90259@taugh.com> <CAHPuVdWwiFAnK8VZYJv4OVk=9v5YCCT4pHykW4Ei3PLEyTZvfg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="us-ascii"
CC: dnsop@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>
Precedence: list
Subject: [DNSOP] Re: Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-05.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lQ5-MY1B0rLFx_Z-IrVwF7gglVw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Wed, 24 Jul 2024, Shumon Huque wrote:
>> The issue is that a wildcard will match every possible owner name.  If you
>> are confident that there is enough entropy in the tokens that no verifier
>> will ever be confused, OK.  But since the token is supposed to be the only
>> thing at the _prefix name, how about saying that if a verifier sees more
>> than one record or a junk record, it gives up rather than trying to guess
>> which is the right one.
>
> I'm not sure I follow.
>
> A wildcard is a match of last resort. If there is an explicit validation
> record deployed at _foobar.example.com/TXT ...

I'm thinking of someone trying to be clever: the domain is parked with a 
wildcard that has some kind of TXT records, and someone else tries to 
hijack it, hoping the record from the wildcard will confuse the verifier.

> On your last point, yes, I think we can say that if a verifier sees 
> multiple validation records, they can abort.

That along with the advice to be sure the token is sufficiently random 
should do it.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
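The parked-wildcard scenario John describes, together with the two mitigations the thread settles on (a verifier that gives up when it sees more than one record or a junk record at the _prefix name, and an issuer that uses a sufficiently random token), as an added Python example that is not part of this thread or of the draft. The zone data is constructed; the "_foobar" label and the "foobar-verification=" rdata syntax are assumed for illustration, and the toy resolver only implements enough of RFC 1034/4592 wildcard semantics to show why an explicit record wins over a wildcard and when a wildcard gets synthesized at all.

```python
import re
import secrets

# Constructed toy zone data for the example (example.com / parked.example are
# placeholders, not real zones). Owner name -> list of TXT rdata strings; an owner
# starting with "*." is a wildcard. The "_foobar" label and the
# "foobar-verification=" rdata syntax are assumed for illustration; the 43-character
# token is a made-up value standing in for one produced by make_token().
GOOD_TOKEN = "vUq4x8Bn2pQ9RJ0KnbVh1xFZ3L6MtX7sWyQ2cpHT0kE"

# Explicit validation record present: the wildcard must not be consulted for it.
ZONE_EXPLICIT = {
    "example.com.": ["v=spf1 -all"],
    "*.example.com.": ["parked-by=some-parking-service"],
    "_foobar.example.com.": ["foobar-verification=" + GOOD_TOKEN],
}

# The parked-domain case from the message: nothing at the _prefix name, only a
# wildcard whose TXT records get synthesized for every name under the zone.
ZONE_PARKED = {
    "*.parked.example.": ["parked-by=some-parking-service", "v=spf1 -all"],
}
ZONE_PARKED_JUNK = {"*.parked.example.": ["parked-by=some-parking-service"]}


def _exists(zone, name):
    """A name exists if it is an owner name or an ancestor (empty non-terminal) of one."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)


def lookup_txt(zone, qname):
    """TXT lookup with RFC 1034/4592 wildcard semantics: an exact owner name always
    wins; otherwise a wildcard synthesizes the answer only if it is the "*" child of
    the closest encloser (the longest existing ancestor of qname).
    Returns (rdata list, how) with how in {"exact", "nodata", "wildcard", "nxdomain"}."""
    q = qname.lower().rstrip(".") + "."
    if q in zone:
        return list(zone[q]), ("exact" if zone[q] else "nodata")
    if _exists(zone, q):  # empty non-terminal: the name exists, so no wildcard synthesis
        return [], "nodata"
    labels = q.split(".")
    for i in range(1, len(labels) - 1):
        encloser = ".".join(labels[i:])
        if _exists(zone, encloser):
            wildcard = "*." + encloser
            if wildcard in zone:
                return list(zone[wildcard]), "wildcard"
            return [], "nxdomain"
    return [], "nxdomain"


TOKEN_RE = re.compile(r"^foobar-verification=([A-Za-z0-9_-]+)$")


def make_token():
    """Issuer side: 256 bits from the OS CSPRNG (43 base64url characters), so nothing
    a parking wildcard happens to publish can collide with it."""
    return secrets.token_urlsafe(32)


def verify(zone, domain, expected_token, prefix="_foobar"):
    """Verifier side, applying the rule agreed in the thread: exactly one well-formed
    validation record at the _prefix name, otherwise give up rather than guess which
    record is the right one. Returns (ok, reason). The "how" value from lookup_txt is
    deliberately ignored: a plain resolver answer does not say whether it was
    synthesized from a wildcard, so the verifier cannot base its decision on that."""
    rdata, _how = lookup_txt(zone, f"{prefix}.{domain}")
    if not rdata:
        return False, "no TXT record at the _prefix name"
    if len(rdata) != 1:
        return False, f"{len(rdata)} TXT records at the _prefix name; refusing to guess"
    match = TOKEN_RE.match(rdata[0])
    if not match:
        return False, "record at the _prefix name is not a validation record"
    if not secrets.compare_digest(match.group(1), expected_token):
        return False, "token mismatch"
    return True, "matched"


if __name__ == "__main__":
    print(lookup_txt(ZONE_EXPLICIT, "_foobar.example.com"))   # explicit record, wildcard ignored
    print(lookup_txt(ZONE_EXPLICIT, "anything.example.com"))  # synthesized from the wildcard
    print(verify(ZONE_EXPLICIT, "example.com", GOOD_TOKEN))
    print(verify(ZONE_PARKED, "parked.example", GOOD_TOKEN))       # two records: abort
    print(verify(ZONE_PARKED_JUNK, "parked.example", GOOD_TOKEN))  # junk record: abort
    print(make_token())
```

With a parked wildcard the verifier never has to decide which of the synthesized records is "the" validation record: two or more records, or a single record that is not in the expected syntax, ends the check. The residual case, a single well-formed record at the wildcard carrying some other token, is covered by the entropy of the issuer's token, which is why the two pieces of advice go together.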