IETF Logo Mail Archive

[DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)

Watson Ladd <watsonbladd@gmail.com> Tue, 13 May 2025 18:46 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id CB7AD281B5DB for <dnsop@mail2.ietf.org>; Tue, 13 May 2025 11:46:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qd90yIau4gP6 for <dnsop@mail2.ietf.org>; Tue, 13 May 2025 11:46:38 -0700 (PDT)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 35AF0281AE10 for <dnsop@ietf.org>; Tue, 13 May 2025 11:41:09 -0700 (PDT)
Received: by mail-wm1-x32b.google.com with SMTP id 5b1f17b1804b1-43cf680d351so954125e9.0 for <dnsop@ietf.org>; Tue, 13 May 2025 11:41:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1747161668; x=1747766468; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=ZS1MvDAyzwvH18X9jiJI7ZcvlbOeMWGeVk4XTYULe0U=; b=A/oBLdmebQ8pTsPMdHzkflN0mfLL41mIRD1DGF02aIIKUb14Bw53cf2wxV4dQaYz/o HO3v88bS2fekc9FPD4lOk5cUdDicbsyuQFwkZNraodTH33iWTtNz3SIR7w19DTQtssb+ +P4ZYHWm4k+NksFeOaMpyTIv/3Ot3seqxBF4iCKAHOhTZkuozm1mNBFKuQNvfOHyxxS2 6keo/bGK2mvjhygbSIgmJgZ6ojWlVL3KB+tV3fJhZ3NRjm0TX1tRbl5lfm/SGNjIK6UQ 4FwzZgF56uLWijcbEoVG/ElV6mxQ8tCZ1RXPyStqhraZYeNxb7R3kDlL04VKnSBKQTuL Byww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1747161668; x=1747766468; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ZS1MvDAyzwvH18X9jiJI7ZcvlbOeMWGeVk4XTYULe0U=; b=kLjVsJIXMRe8cv8nJAnfxakYd8oVbncrD/uKF/Uftg94Gbbbs85ns3jyRrTb13fvi3 wcaZih0c6JdH+RhRFytitpuGZfwQklS+0mE/czqTDHSkYDrKtyGqWdUuKPnGRsbk5iSB DJeVLsDv6aXFlnx6+IiILXqcvDeXc4i/6BkvY3He6Q6jC4ZgFHK2iALxEtAhit73qzQg p3gJ1v47zSp1nvlcMcy6LPLh6pHLyo7g++8J6g65ZM3RX56xps8bY+AKNuIXeM+4WkQw 8xUCxu3OjNJoBPWdSSjATlHcRYQy4VmoY1Yz/p+K7GIzJfkiPBCqJOmufS1d4iP0YFXY 6+pw==
X-Forwarded-Encrypted: i=1; AJvYcCWtU1hkPgQ9lhUd4r2rGfvuiHAi+/AYIIqLAn++SfSXz+n/2ZWNIN/97XYBJCG4K6AVWEFstw==@ietf.org
X-Gm-Message-State: AOJu0Yz14SJSM8aMypE0sHnILF2LfL9LimY7gijAae8MW4rpJ+FjigEg RDVhpN2oZZBh83bXhQt/slEXJovZGfaWEOPiCvCy9n0qBj6N35vQPFHsnIaFQTrUN1phI9i9rDN rBY1zf+oYrcZq8rkMl5Q/KhAO4fI=
X-Gm-Gg: ASbGnctnF/THepUtnioMTvqToErgzcXmJIeiL5YWPuNC9EL3oJ5283ngKdihsJ+qM+t y/ZuhPj1Zkh4PmR3SdLe6VrKFT+lacaUbxVA2OiXBilab4ua4T0RFyyo2qIzGyyLUm4nezc9JbK rag+J2qes1RbnWxpa39Eon6M3N5XLFHpLmXDZYGKfc8/uVdR0Z9TsoF2aieveB3GXa
X-Google-Smtp-Source: AGHT+IFc+mEwxTzESzOJI+wlSWhR8d2+K0yAXxHU+7PciSCXqCxbcon3h8BG8ci8OYa/iAn5wu7UXKyCXjsVoSs1zqs=
X-Received: by 2002:a05:6000:420b:b0:3a0:bd7a:7ba8 with SMTP id ffacd0b85a97d-3a348dbb735mr603472f8f.19.1747161668038; Tue, 13 May 2025 11:41:08 -0700 (PDT)
MIME-Version: 1.0
References: <CAKC-DJiQXWqT+kitGO_bjdwAzN8u11WrGfSpE99HGtoVbg9OHw@mail.gmail.com> <C42CC896-CA4C-4894-9A35-D5027FD48521@icann.org> <1f9237cf-fc78-3e12-f8bb-40699dc04d21@nohats.ca> <CAKC-DJhLGHmWVT8JYkSHAfm7HiT8dLmiOqN6Aqc2kN4dyXK96g@mail.gmail.com> <SA1PR15MB43706B717CABF88178152F57B397A@SA1PR15MB4370.namprd15.prod.outlook.com> <7f785910-73c9-f322-b0f1-839cd3f7cce8@nohats.ca>
In-Reply-To: <7f785910-73c9-f322-b0f1-839cd3f7cce8@nohats.ca>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 13 May 2025 11:40:56 -0700
X-Gm-Features: AX0GCFs_a34SYRH3PK7530EKux0FwwlaE326wVAjnbGmguEogsxD1CyLvttgE5A
Message-ID: <CACsn0ckhF96yf-tVFUOSiEi9hzrKoTS3wYqM2weNC3uhKmXxvw@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: WKG43LS4G3DP6NEXP75SQ42OOMJWEXT3
X-Message-ID-Hash: WKG43LS4G3DP6NEXP75SQ42OOMJWEXT3
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, Erik Nygren <erik+ietf@nygren.org>, Paul Hoffman <paul.hoffman@icann.org>, dnsop WG <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zY9QDTnMGYOjQcpv16f_7GAXWnc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Mon, May 12, 2025 at 11:43 AM Paul Wouters <paul@nohats.ca> wrote:
>
> On Mon, 12 May 2025, Ben Schwartz wrote:
>
> > I believe the current draft text in the datatracker agrees with me.  For example, draft-07 Section 4.3 says
> >
> > > Some Application Service Providers currently require the Validation Record to remain in the zone indefinitely for periodic revalidation purposes. This practice
> > should be discouraged. Subsequent validation actions using an already disclosed token are no guarantee that the original owner is still in control of the domain,
> > and a new challenge needs to be issued.
>
> Yes I think this paragraph should be replaced, and we should add a
> Section that talks about DVC and periodic revalidations and their
> issues in summary, and punt lifecycles of periodic to another document.
>
> > Surely something cannot be a "best current practice" if it is also "discouraged" and one "needs" to use the other approach.  However, other portions of the draft
> > are somewhat in tension with this paragraph, hence my PR to try to clarify the draft's stance.
>
> Right.
>
> > > Talking about life cycles is useful, but I think like the lifecycle for
> > > SSL certificates, can only be feasibly done if there is an automated
> > > system like ACME to fully automate this. The question then though, is
> > > how much real "admin permission" does such a record give you if the
> > > admin really doesn't know because a certbot like script is running
> > > someplace authorizing on their behalf?
> >
> > The (unstated!) presumption of DCV is that an actor who can write a DCV record at _$foo-challenge.$domain can also overwrite any record on $domain.  This actor
> > could already do a lot of bad things, like taking websites on $domain offline, so their permission is sufficient to perform certain actions that pose risk (e.g.
> > creating a risk of DoS), as that risk is not incremental.
>
> I was talking about the reverse problem. If I "ACME" my period revalidation
> records, is it still really a revalidation? It's just a cronjob that I
> as IT admin will have forgotten about. I will forget to turn it off when
> I am ending a service.
>
> > Without this assumption (or an equivalent rule about parties authorized to update parts of the zone), DCV doesn't work at all.  Perhaps we need to make that more
> > explicit...
>
> I am not sure what this means.
>
> > > I still believe we are picking the best of _current_ practices ...
> >
> > Drawing a very hard distinction between DCV and persistent authorization is certainly a current practice, and in my view (and the view of draft-07!) it is the best
> > one.  Not all current practices are best ... even if they are indeed widely used without incident.
>
> Perhaps we are talking about different things. Do you mean to say that
> you would be okay with 1 DCV to prove control (which expires and gets
> removed) and 1 long term record without token/randomness that somehow
> points from a unique service name prefix via CNAME or RDATA to the target
> service provider's service. And is never updated to prove freshness?
>
> Or are you after monthly proofs of freshness?
>
> I think the first is reasonable, as long as you ask for both DNS records
> at once, and then tell/show that one of them can be removed after
> verification.
>
> What I don't think is reasonable, is requiring re-authorization by using
> a new token every month. It's too complex/annoying/fragily for humans,
> and if you automate it away it ceased to perform its intended purpose.

I'm not sure I follow. The point of revalidation is to determine that
the authority to control the domain has not been removed. A persistent
record doesn't show that, merely that the record remains. Even if the
grant of authority is exercised automatically, that grant still
exists. What property is gained by requiring humans to be in the loop?


>
> Paul
>
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org



-- 
Astra mortemque praestare gradatim

v2.46.0 | Report a Bug | By Email | System Status