Re: [DNSOP] Fwd: New Version Notification for draft-sahib-domain-verification-techniques-02.txt

Shumon Huque <shuque@gmail.com> Tue, 15 June 2021 16:38 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 996413A2929 for <dnsop@ietfa.amsl.com>; Tue, 15 Jun 2021 09:38:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tc4xIpKQ7G7z for <dnsop@ietfa.amsl.com>; Tue, 15 Jun 2021 09:38:03 -0700 (PDT)
Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [IPv6:2a00:1450:4864:20::536]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD8C53A2916 for <dnsop@ietf.org>; Tue, 15 Jun 2021 09:38:02 -0700 (PDT)
Received: by mail-ed1-x536.google.com with SMTP id g18so50019314edq.8 for <dnsop@ietf.org>; Tue, 15 Jun 2021 09:38:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aMyzFQxy1nm4ww1PsCBISQZeXx8KeZorMINuwrQvI3E=; b=hMqfNxBSk6xaHJ85DVwyNd9HB3+Z/eFLJkG/ZCsKleuVsRMoG/KqDsalpqI0yOzhde sWMLKu5q63trSpaGNKOqqn0Bo3ZvTE9dmAu80pJdtzEGHSIHbSrSH43oAPKIentRVcjr +7yqEH2VHAAk5H84y3O2wlX+sz1RuLAJaKmuREtXtfGfvnDGpUUnOl+U5z+1chWVhiqS MVtG27CFq4h3foOEAKxKPfqJEHsvqaC5uShkISU6ouuIB8bwGDNsbShciu9FLL31PjGP cUee0+zwM6MSQnJMP/EjmgpGG5ARvsqi3Kmf3KMsE1X7DdaIqbSDA6RXUVBWxi0p5lSl uK2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aMyzFQxy1nm4ww1PsCBISQZeXx8KeZorMINuwrQvI3E=; b=rjXTtrS1woLH8vVHofWzHUSWxGakOYv+gwTFJcSHJNjMrm3Jj27f6lDDye3N7BWxvS X+fBeybFlVwpCebYObqIuiBfN26wP7MAgKTlYtE7SssGnrHxbwKBy+iOrg0DJBh6+VkV 6cfjYmWSoszKPiQAQbC1mz7iiZzSROEvrEuhw8F4tVcc0E4T08Alx5/+ySIEHlGyzISG nZMLLetGH4E3ivjIARjJepq9L7tn9L8cyS3UNIlmCJ5jr0V21GClLb4lDjwA1gm8EZ8B XeWDmtO5RAP7I7XJ+hVu3zMTvTGJri277SzWP8VB0MFB5rS+Wwv7E8iNtjGEmR1wzCTg 8mYQ==
X-Gm-Message-State: AOAM530TiZkd+2ZDL9ZvNmtq4r5DBt4wOMpXSkGgp1CXaZQBLl38MneP ZDlXKbyVr70Oyq+VYWHlf1Y7/agZLMl/lwj5mQY=
X-Google-Smtp-Source: ABdhPJxfSid5Z5q9L9tE9p6TKwFT2I9RbL/3xEZztyJmnizAn1RO/AWnz+uPHhw8qo6aZzNpKtdKUIsb+o26KxCFZv4=
X-Received: by 2002:a05:6402:51d1:: with SMTP id r17mr395322edd.91.1623775076197; Tue, 15 Jun 2021 09:37:56 -0700 (PDT)
MIME-Version: 1.0
References: <162334242319.22850.4241161345806462552@ietfa.amsl.com> <CAG3f7Mi92moegB2656HUdgQQ_i8bKw6KH0JcsBVHP+hEc22Quw@mail.gmail.com> <20210613162559.GB14433@sources.org> <CAG3f7MiFv1P=0ncCyN2=jV18KUhEo4bo20O=atjMROLchGVFuw@mail.gmail.com>
In-Reply-To: <CAG3f7MiFv1P=0ncCyN2=jV18KUhEo4bo20O=atjMROLchGVFuw@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Tue, 15 Jun 2021 12:37:45 -0400
Message-ID: <CAHPuVdUo-eBpjw7xRtbq=PcY=9oBugL6oAuijb2=0FKSNrxYkQ@mail.gmail.com>
To: Shivan Kaul Sahib <shivankaulsahib@gmail.com>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009ca98405c4d098a5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rgjecHnWQjpubkyR1nzpL3t9qUM>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-sahib-domain-verification-techniques-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2021 16:38:05 -0000

On Tue, Jun 15, 2021 at 12:28 PM Shivan Kaul Sahib <shivankaulsahib@gmail.com> wrote:

> Hi Stephane!
>
>>
>> Section 4.1: you do not mention a recommended name for the
>> subdomain. Should we suggest a name starting with an underscore, to
>> limit the risk of collisions and to emphasize it is not a host name?
>> (On the other hand, some users may have a limited DNS provisioning
>> interface, which enforces a LDH restriction.)
>>
>
> This draft is intended to be a survey of existing techniques and broad
> recommendations that can be derived from the survey (hence we only discuss
> the value of targeted domain verification). Our thought was that we should
> leave concrete best practices for a later draft.
>

Shivan: a survey is the initial goal. But my thinking was: assuming there
is interest in the draft first (which there appears to be), we could work
on recommendations in a later iteration of this draft (and not a new one,
although I could be persuaded).

Yes, Stephane, we were envisioning recommending an underscore label. Of
course, that leads to how to avoid collisions in that space, and whether we
need to establish a registry of application service names.

>> Section 5: should we also add that, especially if the zone is not
>> signed, multi-vantage-point checking is recommended (Let's Encrypt
>> already does it)?
>>
>
> Interesting, I raised an issue here:
> https://github.com/ShivanKaul/draft-sahib-domain-verification-techniques/issues/18
>

Yeah, that's a good idea.

Shumon
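The two points discussed above, an underscore-prefixed owner name for the verification record and multi-vantage-point checking of the answer, as an added worked example. This is not code from the draft or its authors: the `_<service>-challenge` naming convention, the vantage-point names, the token and the per-resolver answers are all constructed, and live DNS lookups are replaced by a dictionary of simulated responses.

```python
"""Targeted DNS domain verification with multi-vantage-point agreement.

Constructed example. The record name convention, the token and the
per-vantage-point answers below are made up; a real verifier would replace
the SAMPLE_RESPONSES dictionary with TXT lookups performed from several
geographically and topologically separate resolvers.
"""
import hmac
from typing import Dict, Iterable, List, Optional


def verification_name(domain: str, service: str) -> str:
    """Build the underscore-prefixed owner name for a service's challenge record.

    A leading underscore keeps the label outside the host-name namespace, so it
    cannot collide with an A/AAAA host and is visibly "not a host name".
    `service` is a hypothetical application service name, not a registered one.
    """
    label = f"_{service}-challenge"
    return f"{label}.{domain.rstrip('.')}."


def check_vantage_point(answers: Iterable[str], expected_token: str) -> bool:
    """True if exactly the expected token appears among one resolver's TXT strings.

    Constant-time comparison so a verifier never leaks how much of a wrong
    token matched through response timing.
    """
    expected = expected_token.encode()
    return any(hmac.compare_digest(a.encode(), expected) for a in answers)


def verify_domain(domain: str, service: str, expected_token: str,
                  responses: Dict[str, Optional[List[str]]],
                  quorum: Optional[int] = None) -> dict:
    """Decide whether the domain proved control of the challenge record.

    responses maps vantage point -> list of TXT strings it received
    (None means the lookup failed there). By default every vantage point
    must have seen the token: for an unsigned zone a single resolver can be
    fed a spoofed or stale answer, so disagreement is treated as failure
    rather than resolved by majority. A lower `quorum` can be passed to
    tolerate individual lookup failures, at the cost of that guarantee.
    """
    name = verification_name(domain, service)
    seen = {vp: ans is not None and check_vantage_point(ans, expected_token)
            for vp, ans in responses.items()}
    agreeing = sum(seen.values())
    needed = len(responses) if quorum is None else quorum
    verified = agreeing > 0 and agreeing >= needed
    return {"name": name, "verified": verified, "agreeing": agreeing,
            "needed": needed, "per_vantage_point": seen}


# Constructed sample data: one vantage point sees a stale/incorrect answer.
SAMPLE_TOKEN = "constructed-token-3f9a"
SAMPLE_RESPONSES: Dict[str, Optional[List[str]]] = {
    "vp-us": [SAMPLE_TOKEN, "v=spf1 -all"],   # token present alongside unrelated TXT
    "vp-eu": [SAMPLE_TOKEN],
    "vp-ap": ["constructed-token-STALE"],     # disagreeing answer
}
ALL_AGREE: Dict[str, Optional[List[str]]] = {
    vp: [SAMPLE_TOKEN] for vp in SAMPLE_RESPONSES
}

if __name__ == "__main__":
    for label, resp, q in (("strict", SAMPLE_RESPONSES, None),
                           ("quorum=2", SAMPLE_RESPONSES, 2),
                           ("all agree", ALL_AGREE, None)):
        result = verify_domain("example.com", "exampleservice", SAMPLE_TOKEN, resp, q)
        print(label, result["name"], "verified" if result["verified"] else "REJECTED",
              f"({result['agreeing']}/{result['needed']})")
```

With the constructed data the strict policy rejects the domain because one of three vantage points saw a different token, the relaxed `quorum=2` policy accepts it, and the all-agree data passes under the strict policy. The strict default is the one that addresses Stephane's point: when the zone is not DNSSEC-signed, agreement across independent resolvers is the only corroboration the verifier has that the answer was not spoofed at a single point in the path.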