IETF Logo Mail Archive

[DNSOP] Re: everything bagels, Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)

Erik Nygren <erik+ietf@nygren.org> Wed, 11 June 2025 14:05 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 3207233B4593 for <dnsop@mail2.ietf.org>; Wed, 11 Jun 2025 07:05:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.893
X-Spam-Level:
X-Spam-Status: No, score=-1.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8wWy-ok_FY9K for <dnsop@mail2.ietf.org>; Wed, 11 Jun 2025 07:05:02 -0700 (PDT)
Received: from mail-lj1-f169.google.com (mail-lj1-f169.google.com [209.85.208.169]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 910F333B454F for <dnsop@ietf.org>; Wed, 11 Jun 2025 07:05:02 -0700 (PDT)
Received: by mail-lj1-f169.google.com with SMTP id 38308e7fff4ca-32ac52f78c1so68566151fa.3 for <dnsop@ietf.org>; Wed, 11 Jun 2025 07:05:02 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749650701; x=1750255501; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Ll864PwcUSp1p+R2qbt5MyHybpqAT9sE8hvWUDOHW5M=; b=Is+/k64KUjkUWIWy6/b8quMxOQ6wK7zl/e99RR5KlinfGKebIt710YC/K5U88atdac 0kOcTaalVKqT3UTyWPQsLLLUJsphBdQcBoIfP+KvdlW+j45cCSBfDW3iYdV8oZluvYYN 8lLfjVpNdQuDsF3F7R0hFNSW0fh1lmoGFDbbgbV7wxJfUWwrdYOFwoUVy8/NuxAOEB9M 8etkGj5njo1h2SrbsT8aElfmSkikH0X6xEwwiwQcOIsoaZ9+FIiEzRVYHY5NWuZTiBn6 XCu6F8rTMHSRzoqJuOBEKy4jJgoQaFM8woC+MQ4ShUfzVpGt0vTssSgv0M5yia9NcMv8 ygGA==
X-Forwarded-Encrypted: i=1; AJvYcCWCPWO+BsOP/rV192vg6ObbZrktlu561BkYLnuor2jUCLcEKO5WgpNsq2Io3jLW+Bk6mJ3DQA==@ietf.org
X-Gm-Message-State: AOJu0YzGo3vcdLp/bjGAEvOkfyiSgM7S+CP51YUdbJ88OTrdyt6BWaCp BmVnyfpm8pqB/jpFzPiGTYhhKcfB8vZBXIOEgQ6fWLCo3gJffi4UUNXuKPVBkwN2j9+SWGVK356 nCBjNh6LwsAO66jbUt7UkFWUIHGne78tyhlXN
X-Gm-Gg: ASbGncu4Sk2xwVf4xmnSxiDTa2QPuqppO0BRTsxEfGTYWi4OKpTSp8haTv6cSPwvjOY JRZW0zr5tyYb4z2Pknb9ReZtEtH6NhuZydcEmTsTv5Y8ULByxLBAtrnXFSnVhOBjqClSnH5FHEA da5fCTN5k90PgeGlux6ImH6P4XWewDYGMJVfYirF5IYnnLVyXVoAV6ke9SLsqh/SoRvGbcpjvXq GqNGyt82vTrBMY=
X-Google-Smtp-Source: AGHT+IFLglV0UswL0/CzMv3eu8dxikOxHgb4PEIi3w4Lw/U80kfkYkyLTt170hpY71uO80QAqFhpEFjLO4ljDlx46Dc=
X-Received: by 2002:a05:651c:1504:b0:32a:80bc:1754 with SMTP id 38308e7fff4ca-32b222e2b36mr9054301fa.17.1749650699409; Wed, 11 Jun 2025 07:04:59 -0700 (PDT)
MIME-Version: 1.0
References: <CAKC-DJhS4_1P5Bqu-0YWWr9jkxBOt40rx5804UAUp7DhAsc31g@mail.gmail.com> <40408285-974A-4790-B653-DF4C3798F1E0@nohats.ca> <F7E48A3F-DA2C-4E54-92DA-90CD0EDE78DA@icann.org> <478e1879-93d4-4b0b-a99f-bbdb422bc073@taugh.com> <CAKC-DJh4ck_okAmdssMTfj5iq9X2o_-_Z6MzLQRSfZyjUJ3t6g@mail.gmail.com> <fcb3b846-7d2a-c567-2566-ba1614df31fa@taugh.com> <DM6PR15MB2361CDD15CABAEDA7CE91E45B36BA@DM6PR15MB2361.namprd15.prod.outlook.com> <20250611102817.03EB3CDD0556@ary.local> <DM6PR15MB2361608443254836F7ABD854B375A@DM6PR15MB2361.namprd15.prod.outlook.com>
In-Reply-To: <DM6PR15MB2361608443254836F7ABD854B375A@DM6PR15MB2361.namprd15.prod.outlook.com>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Wed, 11 Jun 2025 10:04:47 -0400
X-Gm-Features: AX0GCFvp2gXo563O_FImszo4sKLRh8EQiuerlDUjxb24DUbkzutKZzW37-PmeEw
Message-ID: <CAKC-DJjX3EN3AcLOM5MZMcF-zvjqSNSouVhPkoszs9JjWjd1nA@mail.gmail.com>
To: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006b5e3b06374c4c33"
Message-ID-Hash: 6C2UKZU2VJLUT2JGSOC6I4HZAOL7YVRR
X-Message-ID-Hash: 6C2UKZU2VJLUT2JGSOC6I4HZAOL7YVRR
X-MailFrom: nygren@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: John Levine <johnl@taugh.com>, "dnsop@ietf.org" <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: everything bagels, Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yqCWoRUrG8cRU6HrDHH8uze6jmA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

There are two cases here:

1) Accidental retention of zone contents (this seems unlikely, but worth
mentioning)
2) Malicious reintroduction of zone contents (this is the concern we need
to make sure is well-addressed, and is one of the reasons it is critical
that validations are tied to users/accounts).

The latter case is a bit of a contortion as well (the new owner could
request a new validation) but there are some potential sharp edges that an
attacker might be able to take advantage of depending on the details of the
application.

     Erik



On Wed, Jun 11, 2025 at 9:59 AM Ben Schwartz <bemasc=
40meta.com@dmarc.ietf.org> wrote:

> I agree: transferring records blindly from a previous owner of a domain
> would be bizarre.  However, the draft currently says:
>
> > Subsequent validation actions using an already disclosed token are no
> guarantee that the original owner is still in control of the domain
>
> (
> https://www.ietf.org/archive/id/draft-ietf-dnsop-domain-verification-techniques-07.html#section-4.3-2
> )
>
> This sentence is only true if the old record could have persisted after a
> change in ownership.  Evidently, the idea that records are not preserved
> across ownership transfers is not obvious to everyone.  That's why I think
> we need to make it explicit.
>
> --Ben
> ------------------------------
> *From:* John Levine <johnl@taugh.com>
> *Sent:* Wednesday, June 11, 2025 6:28 AM
> *To:* dnsop@ietf.org <dnsop@ietf.org>
> *Cc:* Ben Schwartz <bemasc@meta.com>
> *Subject:* Re: everything bagels, Persistence of DCV, including for
> Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)
>
>
>
> It appears that Ben Schwartz  <bemasc@meta.com> said:
> >-=-=-=-=-=-
> >
> >I think this PR is a fine direction, but it still seems to contain a
> certain amount of internal confusion.  If the security "relies on the
> >causal relationship", then how can it be secure for persistent
> validation?  What is the value of knowing that "either the DNS
> >Administrator of the domain has not chosen to remove the Validation
> Record or that a new owner of the domain has re-introduced the
> >Validation Record"?
> >
> >In my view, the core problem is that the draft is dancing around an
> unstated but essential requirement, for all DNS zones on the internet:
> >
> >0. We define Validation-Controlling Entries (VCEs) as any records or
> delegations at underscore-prefixed or wildcard names.
> >1. Zone owners MUST NOT allow other parties to add or modify a VCE unless
> the owner name's next label is uniquely assigned to that party.
> >2. Zone owners MUST NOT add a VCE without understanding and approving its
> function.
> >3. When acquiring a zone, the new owner MUST promptly remove all VCEs
> whose function is not understood and approved.
>
> I don't think any of this is wrong per se, but I also think it is vast
> overkill, the threats are
> largely if not entirely hypothetical, and this will add a lot of
> complication that distracts from the
> goal of this draft, to provide a consistent form for these records so you
> can tell where they're from
> and if they're likely still to be useful.
>
> For example:
>
> >3. When acquiring a zone, the new owner MUST promptly remove all VCEs
> whose function is not understood and approved.
>
> I dunno about you, but when I have bought or sold domain names, the
> transfer has never ever included a
> copy of the existing DNS zone.  The new owner has new nameservers and sets
> up all new DNS.  One time I
> persuaded a buyer to keep my MX for a while to help move mail users but
> that was a one-off and
> totally manual.
>
> While I believe that one might in theory do an on-path attack to do fake
> DCVs, unless someone can show
> some real examples I would not confuse people by talking about it.  It's
> no different from faking any
> other DNS record.
>
> R's,
> John
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org
>

v2.31.3 | Report a Bug | By Email | System Status