Re: [DNSOP] Fwd: New Version Notification for draft-sahib-domain-verification-techniques-02.txt

Shumon Huque <> Tue, 15 June 2021 16:38 UTC

From: Shumon Huque <>
Date: Tue, 15 Jun 2021 12:37:45 -0400
To: Shivan Kaul Sahib <>
Cc: Stephane Bortzmeyer <>, " WG" <>

On Tue, Jun 15, 2021 at 12:28 PM Shivan Kaul Sahib <> wrote:

> Hi Stephane!
>> Section 4.1: you do not mention a recommended name for the
>> subdomain. Should we suggest a name starting with an underscore, to
>> limit the risk of collisions and to emphasize it is not a host name?
>> (On the other hand, some users may have a limited DNS provisioning
>> interface, which enforces a LDH restriction.)
> This draft is intended to be a survey of existing techniques and broad
> recommendations that can be derived from the survey (hence we only discuss
> the value of targeted domain verification). Our thought was that we should
> leave concrete best practices for a later draft.

Shivan: a survey is the initial goal. But my thinking was: assuming there
is interest in the draft first (which there appears to be), we could work
on recommendations in a later iteration of this draft (and not a new one,
although I could be persuaded).

Yes, Stephane, we were envisioning recommending an underscore label. Of
course, that leads to how to avoid collisions in that space, and whether we
need to establish a registry of application service names.

>> Section 5: should we also add that, especially if the zone is not
>> signed, multi-vantage-point checking is recommended (Let's Encrypt
>> already does it)?
> Interesting, I raised an issue here:

Yeah, that's a good idea.
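The two points raised above (an underscore label for the verification record, and multi-vantage-point checking when the zone is not signed) in an added illustration that is not from the draft or from either message; the `_<service>-challenge` owner-name layout, the quorum of three vantage points and the sample zone data are assumptions made for this example:

```python
from typing import Callable, List, NamedTuple, Tuple

# A vantage point is modelled as a callable that resolves a TXT name and
# reports whether the answer was DNSSEC-validated (the resolver's AD bit).
LookupFn = Callable[[str], Tuple[List[str], bool]]


class Verdict(NamedTuple):
    verified: bool
    reason: str


def challenge_name(service: str, domain: str) -> str:
    """Owner name for the verification record. The '_<service>-challenge'
    layout generalises the ACME '_acme-challenge' name and is an assumption
    here, not a convention the draft defines; the leading underscore keeps
    the label out of host-name (LDH) space, as discussed in the thread."""
    if not service or not service.replace("-", "").isalnum():
        raise ValueError("service label must be letters, digits or hyphen")
    return f"_{service}-challenge.{domain.rstrip('.')}."


def verify(service: str, domain: str, token: str,
           vantage_points: List[LookupFn], quorum: int = 3) -> Verdict:
    """Accept a DNSSEC-validated answer from a single vantage point; for an
    unsigned zone require at least `quorum` vantage points, all of which
    must return the token, so one poisoned or hijacked path cannot pass."""
    qname = challenge_name(service, domain)
    answers = [vp(qname) for vp in vantage_points]
    if any(ad and token in txt for txt, ad in answers):
        return Verdict(True, "token present in DNSSEC-validated answer")
    if len(answers) < quorum:
        return Verdict(False, f"unsigned zone: need {quorum} vantage points")
    missing = [i for i, (txt, _) in enumerate(answers) if token not in txt]
    if missing:
        return Verdict(False, f"vantage points {missing} lack the token")
    return Verdict(True, "token seen consistently from all vantage points")


# Constructed sample data: an unsigned zone as seen from three resolvers,
# one of which returns a different record (stale or poisoned cache).
TOKEN = "c0ffee-constructed-token"
GOOD = {"_acme-challenge.example.com.": [TOKEN, "other=record"]}
BAD = {"_acme-challenge.example.com.": ["unrelated"]}


def make_vp(zone: dict, signed: bool = False) -> LookupFn:
    # Simulated vantage point; `signed` stands in for a validated (AD) answer.
    return lambda name: (zone.get(name, []), signed and name in zone)


HONEST = [make_vp(GOOD) for _ in range(3)]
MIXED = [make_vp(GOOD), make_vp(GOOD), make_vp(BAD)]
```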