Re: [DNSOP] introducing a couple of RRTypes (CRC/CRS) for B2B applications

Paul Wouters <> Tue, 12 April 2022 12:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0830A3A1D10 for <>; Tue, 12 Apr 2022 05:28:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.109
X-Spam-Status: No, score=-7.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bd_m5OIzOBwp for <>; Tue, 12 Apr 2022 05:28:11 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6689B3A1D0D for <>; Tue, 12 Apr 2022 05:28:11 -0700 (PDT)
Received: by with SMTP id g20so22124932edw.6 for <>; Tue, 12 Apr 2022 05:28:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=date:from:to:cc:subject:in-reply-to:message-id:references :mime-version; bh=ytyBA7JmgTaTCBmE9sqzngRZfzByDkGgLgpSZNRVU3Q=; b=C7vYX4zQrOnVgctuvUuZcPLFQvw1hnBT3CJm6bv98RYcUfLmL6mZQtYqV3SSJWVprm ulqwOONDmvz/h83QoG4oz63n9eBtXq6NIaAdD1lpmtmycArVujPJycgBO691326Y132S q7H+8/bNsCDHeiBzgPmkklgHC+/qSODkqv+Mc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:in-reply-to:message-id :references:mime-version; bh=ytyBA7JmgTaTCBmE9sqzngRZfzByDkGgLgpSZNRVU3Q=; b=hUf7mqYF+C9i7s0t0VBV0c0I2YsBhcdE2D+hgXXLHFFbpBXLkQeKMRqSc6/94Ckx0E Z1qUbM0VLl5qjwD9JjmSWjUI+BHERAJKjcdYZNGLNM7YXpmYyhrZjaVrwELgQRcpeApC uVg/J/hkVEBXl25pYy5poC2yi2IXGV5xKrje363od8CW4w/E5jFpeuAd75TymUX+5BBe k5GCQKHUzMyuswItuXCrbiZegDLm4unmAaboXasRq3NPV28083/mgt0CzOqLaGsdYqhW 6P5rDM9dHX5rMU79MJ+u7q8fGSWy2CmZUoyJUGEfq7Qnpwb1JhGm53EtIku1KkT5MAPm UccQ==
X-Gm-Message-State: AOAM53312vpp4TFVtbMXWFznrQWvNnYZKvZWeOXfRqYF4cqIU2ryeyoj 5d3B0isXCEJTTihkVUQSQThmBg==
X-Google-Smtp-Source: ABdhPJxjJzlrEDh0XH0qvLHOtyiBwqb0cmwK3+MVGx7CuT42vnbRAm/+SqhpPPooQJxUau5ksTJIvQ==
X-Received: by 2002:aa7:cd18:0:b0:41d:8df8:86e5 with SMTP id b24-20020aa7cd18000000b0041d8df886e5mr4046113edw.248.1649766489430; Tue, 12 Apr 2022 05:28:09 -0700 (PDT)
Received: from ( []) by with ESMTPSA id c5-20020a170906d18500b006ce371f09d4sm12968452ejz.57.2022. (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Apr 2022 05:28:08 -0700 (PDT)
Date: Tue, 12 Apr 2022 08:28:06 -0400
From: Paul Wouters <>
To: Eugène Adell <>
cc: dnsop <>
In-Reply-To: <>
Message-ID: <>
References: <> <> <> <>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="1858192029-1831689432-1649766488=:1240664"
Archived-At: <>
Subject: Re: [DNSOP] introducing a couple of RRTypes (CRC/CRS) for B2B applications
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 12 Apr 2022 12:28:16 -0000

On Tue, 12 Apr 2022, Eugène Adell wrote:

> Beyond the technical aspects, there are several different persons to
> think about in our case : the DNS administrator obviously, the
> decision maker buying (or not) a secured online service, and the CISO.

Why should this information exchange happen via DNS?

> It looks more simple to have dedicated RR types to let them
> communicate together

It seems a REST API using some .well-known HTTPS link seems a better
fit ?

> After your comments and correcting a typo, it gives
> Such domain name for sure doesn't exist and uses the underscore
> character as separator. It has to be considered as storing data
> establishing a kind of contract between the two organizations
> involved.

It should have a dot in between, eg
Then, the underscore name should be uniquely identifying to split it
from other DNS records. eg _crs or something. Have a look at other
documents at

> 5.
> I give some explanation in the answer 1 but I will rephrase. The CRS
> record can be used before subscribing to a service (typically any
> storage/log system/SIEM) as an indicator that this service provides
> the kind of authorization process described in the document.

I still wonder if DNS is really the right fit for this.

>   This document specifies the Client Roaming Control (CRC) DNS Resource
>   Record allowing an organization to better control the access to
>   third-party applications over Internet.  The applications
>   implementing an authorization mechanism to honor the CRC, publish on
>   their side the Client Roaming Support (CRS) Resource Record to inform
>   of this support.

There is a big overlap here with MUD, see

It also seems the source of authorization depends on the DNS name, but
how do you ensure a device would not be lying about their name? Would
this only work on zones with static DNS entries? If so, how would that

What would be the mechanism to authorize the publishing of CRS/CRC
records, and why can that provisioning protocol not also be used
to query/signal this data?