IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for "Domain Verification Techniques using DNS"

Shivan Kaul Sahib <shivankaulsahib@gmail.com> Fri, 24 February 2023 08:11 UTC

Return-Path: <shivankaul.1993@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3459DC151522 for <dnsop@ietfa.amsl.com>; Fri, 24 Feb 2023 00:11:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.745
X-Spam-Level:
X-Spam-Status: No, score=-1.745 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_HEX=0.1] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uC4DjBpro5QP for <dnsop@ietfa.amsl.com>; Fri, 24 Feb 2023 00:11:50 -0800 (PST)
Received: from mail-wm1-x32e.google.com (mail-wm1-x32e.google.com [IPv6:2a00:1450:4864:20::32e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 344A8C14CE4D for <dnsop@ietf.org>; Fri, 24 Feb 2023 00:11:50 -0800 (PST)
Received: by mail-wm1-x32e.google.com with SMTP id iv11-20020a05600c548b00b003dc52fed235so1199364wmb.1 for <dnsop@ietf.org>; Fri, 24 Feb 2023 00:11:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=WEZWVVwcDVlxSQsEy7oXzDU69MSRIKXiQDfyYgF9zZU=; b=LDRBUeejpl4UFJbmiBUHnM6gvYpC3Codn65H6BPvTaUzC/hkYNtDejf3YR/9G8c9o/ lzQhAYb6JVVfTJxXQ6hjeNQbPZ8rtESeuhZn42enhOKTL+SBwvar+Vttj33apJmgXvHm AmrImx/S0PNG5yIGCRSO4NByHG/Ue6sZeFqmkvQMrkaOtUCk1IZzGa80ndTA7/LVVcKP sPGOZidZs/JyhlHY9KuvPQ7OjtseK1mQiU60bNAYotpNNsL9hSvdFYL2mpC+9GXatbXL JkUdPEDrJf/d5S3/t+1bbwNfWab35Yn0qXf4nvdbJWSRpPkzpwiPK+1sgwG9RKo3YJbO AaaQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=WEZWVVwcDVlxSQsEy7oXzDU69MSRIKXiQDfyYgF9zZU=; b=tKbefhBNOVphDk6pOjbMvE+ICszMxF2Mb9Q4BlaF5invdMQzl0QU9r977oratcTn0e PpmTweFCAy6UHjZDVCtgy5tpzradHgvzR6qzxnrmio4eTBZUIwoVdUZuvHd/qfBry8ux DnFSDIxjm86TjtBiBVUSrRN352btzcaRa4Z0rU1hEaV1Cp8341dRiJBV/ikWHfpnxlIB fF0pBPI0HBAzQRL3QXBohNIXYmN4m99qR+jtHIrjelFBnVhodY3e0V4z6YX1pVvvq2ra 4bxXbpbjwIxqNfLjv1LLjtUy5CV13wqEqGjAZNwju3rPjfx9Q/HQYwr9qamRjI43fWxv gzzw==
X-Gm-Message-State: AO0yUKULfeglYO9Z+ybBo933eHv64AY/ztldLe5gKHX+nghIqUEOOH9M sEdFxq/BLLEX0DSynC4BvigH6+k3v0Xzmr3l39XC0I3F2naI3w==
X-Google-Smtp-Source: AK7set8N36LtzodoY77HWfM5eh/MjxYE57GVMMGLjTN50/H93HD0kq9OMuJ5OdDrbj2Sya3ffbzqvPd1YqX+rDjft38=
X-Received: by 2002:a05:600c:4f55:b0:3e1:eaca:db25 with SMTP id m21-20020a05600c4f5500b003e1eacadb25mr1060032wmq.6.1677226308393; Fri, 24 Feb 2023 00:11:48 -0800 (PST)
MIME-Version: 1.0
References: <CADyWQ+GFpaCqfYuccnZzDRKuZVd+d578xq0GPGsEH5vwf55MWA@mail.gmail.com> <d00ae207-93fd-6105-ae08-e20775c047b2@nohats.ca>
In-Reply-To: <d00ae207-93fd-6105-ae08-e20775c047b2@nohats.ca>
From: Shivan Kaul Sahib <shivankaulsahib@gmail.com>
Date: Fri, 24 Feb 2023 00:11:12 -0800
Message-ID: <CAG3f7Mjhh+2G7rvJE8tpG3cksOkTTXYc9REps9MqWBt_dvNUYg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: dnsop <dnsop@ietf.org>, "John R. Levine" <johnl@iecc.com>
Content-Type: multipart/alternative; boundary="00000000000051dcec05f56daef5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rKG5kvSSrU3_6SMLo4pSa50hLPE>
Subject: Re: [DNSOP] Working Group Last Call for "Domain Verification Techniques using DNS"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2023 08:11:51 -0000

I think Paul conveyed the authors' opinions here pretty well. Just wanted
to respond to the token generation bit:

On Fri, 17 Feb 2023 at 08:22, Paul Wouters <paul@nohats.ca> wrote:

> John Levine wrote:
>
> > While I think it would be good to publish some best practices in this
> area,
> > this draft still seems scattered and makes some assertions that seem to
> me
> > to be somewhere between unsupported and mistaken.
> >
> > I think we agree that the goal is there are two parties, call them
> > owner and verifier, and the verifier gives the owner a random token
> > that the owner puts in its DNS to show it owns the domain.  There are
> > a bunch of different aspects that one can look at independently.
>
> Two (or three) parties yes.
>
> > One is where the token goes, in the name or contents of the owner's
> > record. I think we agree that putting the token at the owner's host
> > name is a bad idea, but either of these can work, with a1b2c3 being
> > the random token:
> >
> > _a1b2c3.example.com IN ... "whatever"
> > _crudco.example.com IN ... "a1b2c3"
>
> Adding cryptogrpahically strong/long strings in the prefix seems
> unwieldly and prone to problems - especially if the user has to put
> these in via a webgui of mediocre quality. Also it makes manual
> checking harder (eg to use the dig command). But most importantly, you
> already need a good prefix to identify the vendor and service and
> mucking up random strings there just seems the wrong thing to recommend
> as BCP. So the only good reason for these is if there is a 3 party
> system (vendor/service, client, proof-provider)
>
> > If you use a fixed prefix, _crudco in this case, you should register it
> > in the RFC8552 attrleaf registry.
>
> Since we are recommending these are easilly recognised to vendor and
> service, these would be different for each vendoer. Sure, we can add
> another prefix in between and put that in the attrleaf registry, but
> that doesn't add any real value.
>
> > Another is what record type to use. I find the arguments against CNAME
> > unpersuasive, basically saying that if you do something dumb, it won't
> > work, which is true, but it's always true.
>
> I thought a BCP was about recomending people don't do dumb things?
>
> > I realize that RFC1034 says
> > not to chain CNAMEs, but we all know that people chain CNAMEs and it
> > works, e.g. www.microsoft.com goes through three CNAMEs and it works
> > fine.
>
> I was not allowed this line or argumentation with you when talking
> about the LHS of an email address :)  So let's stick with not
> recommending things that violate existing RFCs?
>
> > If you use a _name in the attrleaf registry or a _random prefix
> > I would think the changes of a CNAME colliding with something else are
> > low, and a verifier presumably controls its own DNS and can keep CNAME
> > chains short.
>
> People make mistakes with CNAMEs, let's not recommend CNAMEs so chances
> that people get affected my mistakes is reduced.
>
> > For the length of time the token is valid, there seem to be only two:
> > five minutes for a one-off verification like for ACME, or forever for
> > someone who is doing continuing analysis of something in your domain
>
> Five minutes seem optimistic and only true for geeks running their own
> webserver and nameservers. In real life, you have different departments,
> timezones, ticketing system response times, etc. So these things will
> stay in the zone for days or as we often see now, forever, because
> people like to error on the side of "I didn't cause that outage" over
> "I cleaned up our DNS".
>
> > typically web analytics. While I can see aesthetic reasons to get rid
> > of expired one-off tokens, I don't see the point of putting an
> > expiration time in them, nor any particular harm in leaving them there
> > if they are at _name and not the main host name.
>
> You might be missing operational experience in working in larger
> companies. For example, when I started current $dayjob, I found 7
> records and 4 of these could not be traced as to who needed them or
> whether they were still needed or not. Some "digging" around showed
> us cases where large companies had 20+ entries in their APEX related
> to these. So yes, cleanup is very imporant and one of the main
> reasons for this BCP - to faciliate cleanup of records by getting
> them issued in a better self-documenting syntax.
>
> Yes, using/recommending prefixes helps us, which is why we recommend
> them. But having an expiry is also obviously useful for cleanup.
>
> >From a security point of view, it is also good to know that a certain
> record has no more value so your audit reports can state no access
> of some kind was given via some DNS record 10 years ago and might be
> still in place but we dont know if the vendor still honours the record
> of whether it is expired and just junk.
>
> > something about TTLs, e.g., not to have a 12 hour TTL for a token you
> > plan to remove in a few minutes.
>
> We could say something about TTL, but here I really don't see much
> point. Having 1 TXT record in some recursive cache for 12 hours? Meh.
>
>
> > There are some other minor points. You say to generate 128 random
> > bits, but then to hash them to 256 which I don't understand. (As RFC
> > 4086 sec 6.2 notes, strong random bits often are already hash output.)
> > If 128 bits is enough, use 128 bits, if you need 256, generate 256.
> > Either way I'd do base32 rather than base64 encoding to make the
> > result more robust against helpful software that does you a favor by
> > case folding.
>
> We will look and clarify this section.
>

I created
https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/44
to clarify this.

>
>
> > Overall, I'd lay out the options, and point out the advantages or
> > disadvantages of each rather than just saying "do this" without a
> > strong basis not to do it the other ways that work fine in practice.
>
> I disagree about there being a lack of "strong basis". This is actually
> driven by people's operational (bad) experience at various
> organizations. Giving people CNAME rope to hang themselves or unwieldly
> long random prefixes seem to be bad ideas that should not be recommended
> nor "explained but not recommended" either.
>
> Paul
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email