IETF Logo Mail Archive

[DNSOP] Dnsdir early review of draft-ietf-dnsop-domain-verification-techniques-05

Jim Reid via Datatracker <noreply@ietf.org> Mon, 29 July 2024 12:52 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: dnsop@ietf.org
Delivered-To: dnsop@ietfa.amsl.com
Received: from [10.244.2.81] (unknown [104.131.183.230]) by ietfa.amsl.com (Postfix) with ESMTP id B0139C157927; Mon, 29 Jul 2024 05:52:33 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Jim Reid via Datatracker <noreply@ietf.org>
To: dnsdir@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 12.19.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <172225755319.1659334.15304757916099503154@dt-datatracker-659f84ff76-9wqgv>
Date: Mon, 29 Jul 2024 05:52:33 -0700
Message-ID-Hash: CEKJ3PRJUNHARTLDKATT75TLPGSESJYI
X-Message-ID-Hash: CEKJ3PRJUNHARTLDKATT75TLPGSESJYI
X-MailFrom: noreply@ietf.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org, draft-ietf-dnsop-domain-verification-techniques.all@ietf.org
X-Mailman-Version: 3.3.9rc4
Reply-To: Jim Reid <jim@rfc1035.com>
Subject: [DNSOP] Dnsdir early review of draft-ietf-dnsop-domain-verification-techniques-05
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qGW8CDCwzZxYK71f4eYJMFiT9QY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Reviewer: Jim Reid
Review result: Not Ready

I am disappointed that many of my earlier review comments have not
been addressed and the authors have not explained why.

doc says "Other techniques such as email or HTTP(S) based validation are out-of-scope." Why?

acme seems to be a better solution. ID needs to explain why it's unsuitable.

don't like "domain owner" throughout the doc, even if it is imported from RFC9499

CNAMEs can exist with DNSSEC rrtypes

"issuance" is icky to a native English speaker

4. Perhaps wait for completion of ACME-SCOPED-CHALLENGE work?

5.1 Discourage CNAME chaining: it's ugly and unreliable

5.1 why 128 bits? Why not 129?

5.1 base32, base16 or hex16. Pick one. Pretty please.

5.1 _<PROVIDER_RELEVANT_NAME>-challenge could be too long for a label
    is -challenge necessary? ditto -wildcard, -host -domain
    Maybe use subdomains of PROVIDER_RELEVANT_NAME? ie:
    _host-challenge.<PROVIDER_RELEVANT_NAME>.whatever

5.2.2 Why bother with CNAMEs at all?

5.3.1 Why key-value pairs instead of JSON, CBOR, etc?

5.3.2 Make it clearer this isn't TTL or SOA expiry values

5.4 SHOULD or MUST remove?

5.5 "identifier token should be stable over time" - vague!
    what's meant by "stable" and "over time"?

5.5 not clear how/why 5.4 and 5.5 differ in substance

5.6 exact and full (FQDN?) for what? - just say complete?

5.7 APIs MAY be used - current text seems too vendor-specific

5.8 "caching or resolver load will not be an issue"
    [citation needed!] This claim is a subjective opinion.

5.9 why not use a dedicated RRtype?

5.9 CNAME love seems vendor-specific

5.10 does anyone use DNAME?

6 Why just use (insecure?) email for OOB communication?
  Incomplete threat model: spoofing, replay attacks, bad expiry info, etc

disallowing "_foo-challenge.co.uk" is unreasonable and wrong
can't have special sauce which lets some domain names work but not others

public suffix list isn't standardised or in an IANA registry
       unsuitable for an RFC?

Documenting current behaviour/practice in Appendix A seems unwise for
an RFC. It'll inevitably become overtaken by events.

An appendix with illustrative examples would be nice.

v2.35.0 | Report a Bug | By Email | System Status