[DNSOP] Re: Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-05.txt

John R Levine <johnl@taugh.com> Tue, 23 July 2024 22:56 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DA42C1DA1CF for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2024 15:56:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b="l8ohnFwg"; dkim=pass (2048-bit key) header.d=taugh.com header.b="o/eINibI"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ow_UeXkzVZuY for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2024 15:56:35 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2665EC16943A for <dnsop@ietf.org>; Tue, 23 Jul 2024 15:56:34 -0700 (PDT)
Received: (qmail 57842 invoked from network); 23 Jul 2024 22:56:32 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type; s=e1ea66a03520.k2407; bh=bDKUdutphY9JcvUyov4Xkjzp/sYS/Z2URs84s6212gU=; b=l8ohnFwgRgoe5OsEG8P0Lx0piAVeur0G4lnfBHePBbEjSBzg3QkTUa0Gzl7ugwFLfiUCgB79+BR7RaXgQmgpTOXcRQrRsqQiD5yiNip36+tg+FvT0953UCvzhZDBkanm02suxk8eVOZe0KDnYwbZ6RbiFlaq0QdQFwvg1jjub+lPZK7xDjy1K0Dbp4+75TgXgVkAg7W1gjPkcgCsuNPNbJLLintfLu/tZL8PuiKoreMNbgAY2qy9/NR9pLff27wOI6PK3CzBwtl1qDeipP1PWsBndUE3HZrSW5zXa7sfoKKO/iUowZxT69XAU97upQ0CMyVSRCfxQIPWAiig/EW9hQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type; s=e1ea66a03520.k2407; bh=bDKUdutphY9JcvUyov4Xkjzp/sYS/Z2URs84s6212gU=; b=o/eINibIKDSvz78fgxqUH6LIU4jKJUeTO7H9Bcr8PnAx6orCyL7AA7TdL2r3OBCz+YWxU97xffifoXm23lZUXnxwfsdyPxGKiGI+QFgRx/TWDPi3dsNweDHrQFl3D59Q3Oq5P5wpTQw/FNfL4LpzTSa355pzvpPXV3NsWJnjcEiRrMd+SR+6gTgnzEpynb1k7smHCEK0kdmRwzYSBAujyImGXHVyy+lYuo7TxyZH7nDtvShCXO/cxqfliqD6e4HLawRMCFQzx6ygFJJuAJntd2AvQwWJb9shEEqGeOIuLGNutq9WeYBdtAkOmED3PKiA1WR+uatQeIrsszEEz2sAuw==
Received: from dhcp-8e0b.meeting.ietf.org ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA CHACHA20-POLY1305 AEAD) via TCP6; 23 Jul 2024 22:56:32 -0000
Received: by dhcp-8e0b.meeting.ietf.org (Postfix, from userid 501) id 47A1D9039BF9; Tue, 23 Jul 2024 15:56:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by dhcp-8e0b.meeting.ietf.org (Postfix) with ESMTP id BB0369039BDB; Tue, 23 Jul 2024 15:56:30 -0700 (PDT)
Date: Tue, 23 Jul 2024 15:56:30 -0700
Message-ID: <453c7d44-355f-571b-70b9-e8e69ab90259@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Shumon Huque <shuque@gmail.com>
X-X-Sender: johnl@dhcp-8e0b.meeting.ietf.org
In-Reply-To: <CAHPuVdX=8Lv3r41g8YVkjRQ-YCx9r+nB94wqep7oG+_o20EHfA@mail.gmail.com>
References: <172047471396.458153.12797163404923712142@dt-datatracker-5f88556585-j5r2h> <CADyWQ+GMHrL2ABd6hMhWujMEO=pDtDXsc3tGDPx72uYqxa4JbQ@mail.gmail.com> <20240709212356.43B838F44515@ary.qy> <CAHPuVdX=8Lv3r41g8YVkjRQ-YCx9r+nB94wqep7oG+_o20EHfA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Message-ID-Hash: ZGDZWWKUT27HNH24WABSJCKWSOIHL4C4
X-Message-ID-Hash: ZGDZWWKUT27HNH24WABSJCKWSOIHL4C4
X-MailFrom: johnl@taugh.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-05.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/n1vGSLmt_77HwhQOoM_pKi89b04>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Tue, 23 Jul 2024, Shumon Huque wrote:
> The simplest thing to do would be to follow the precedent of SPF,
> DKIM, etc TXT using protocols and state that multiple TXT strings
> (if present) need to be concatenated before use. We can state
> this.

That should be fine.

> Wildcards can cause some annoying problems, notably that a wildcard
>> will match any tagged name so queries for tagged names can get junk
>> answers.
>
> Can you elaborate on what you mean? A wildcard TXT match may yield
> an answer with a verification record rdata string which is nonsensical
> because no-one will be looking to verify such a record. Other than it
> (possibly) being annoying, is there a practical problem? This situation
> is certainly not unique to this draft.

Yes, but ...

> I don't think this is necessary. Some applications do this today, but
> I suspect it is to make it easier to identify the application from the
> sea of verification TXT records at the zone apex. Since the draft
> recommends application specific validation record "owner names",
> that seems to be a better place to make this identification.

The issue is that a wildcard will match every possible owner name.  If you 
are confident that there is enough entropy in the tokens that no verifier 
will ever be confused, OK.  But since the token is supposed to be the only 
thing at the _prefix name, how about saying that if a verifier sees more 
than one record or a junk record, it gives up rather than trying to guess 
which is the right one.

If the token is time limited you'd might get a new one for the existing 
name but I don't think there should be a case when you'd need to publish 
both new and old.  As soon as you have the new one you install it and 
throw away the old one.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly