Re: [secdir] [DNSOP] Secdir early review of draft-ietf-dnsop-domain-verification-techniques-01
Shumon Huque <shuque@gmail.com> Thu, 06 July 2023 02:59 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE10DC14CE4A; Wed, 5 Jul 2023 19:59:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mchSrNNdUYxz; Wed, 5 Jul 2023 19:59:06 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22726C14CE36; Wed, 5 Jul 2023 19:59:06 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id ca18e2360f4ac-77acb04309dso6195139f.2; Wed, 05 Jul 2023 19:59:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1688612345; x=1691204345; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=XekQvvLXiU+DG+DjWYBNEpBf7NGiSlOoNyNQ/JQ9Hgk=; b=iZqsLv5fJjxJf2qvRW6cWTwxoEyCYdZgW3Ip0zACl0sVenlVSKymuGu1CDWFvW5gWC 5LHCx5WAP96ttq4RX4v3M4tyJeE0bMlWSvGa7co3LpDdyMM2UiznnmqYToP9OGuwp95I x+KhwY/pY2piNJVWoBX92C+8Ig+fnhcjpBFR12xhD0FfNAtFJHsnDG0twQyVsQ+JM8NY O/4ajYfhUvo1BHzqsZbZeXAAGs9hyI5ZriNGWJwR70yNnS7YVuzn3LJrD/TaxfEhK0CC YHEUy0MK09LG0EIdXh2DVpSDQJH3fkSfBYh6P40dl8YYqPDWV+PEz8vLODw/H4jfijJN dKyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688612345; x=1691204345; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=XekQvvLXiU+DG+DjWYBNEpBf7NGiSlOoNyNQ/JQ9Hgk=; b=F8/imZ1iGMjvM0mt+Kmxz1J4XEm4PlSWf4WstDdYKnSNWwENxkBXhM3h9W5zeseDwt DkTMg0s2PtZ29HPJWyUU/OMJKWCUWQgvt6FmKDAZKVop/N4JMXuJdqxugYGfXpjrBFnc 45oonEOwItoEOFeUmeG4nJnBiNH+qUHEu5IUGawjdVhEWeY09QH+lY49jZj6wrMdEHIc d0xn4A6i9FxuWKLD5LkWEQ21J36k5IMWQdawEykTyXi/cBQjDuq8hIvq123s1zzUApGv 7mH1WQPrjBaufzH7eenFfhyS1ZQ+aKnBGda7ckE2fX0+iln8P8yqhnB14c1SYQxww3Pt tBfw==
X-Gm-Message-State: ABy/qLZxCZQmIrC2q56NgrKGX4/WfQBc578NNuP69s6kSZPr8vsEKmjH V/EbvUzwXrcyGXfkq8rr3qKRHkY5Nbqh/oWo8aI=
X-Google-Smtp-Source: APBJJlEcugj7/fd0PGhy70Slu5xQ4KI2UeU2ycV3rxEU+IKU+vuqLce83KVXX5KQJv8/hn/DSeBbPoghIoAEfpGBFMc=
X-Received: by 2002:a6b:fd17:0:b0:780:d031:bc42 with SMTP id c23-20020a6bfd17000000b00780d031bc42mr1447352ioi.16.1688612345414; Wed, 05 Jul 2023 19:59:05 -0700 (PDT)
MIME-Version: 1.0
References: <168195124881.58577.7223695021506805865@ietfa.amsl.com> <1f92d580-3097-fb03-096a-77c979e50fe5@nohats.ca>
In-Reply-To: <1f92d580-3097-fb03-096a-77c979e50fe5@nohats.ca>
From: Shumon Huque <shuque@gmail.com>
Date: Wed, 05 Jul 2023 22:58:54 -0400
Message-ID: <CAHPuVdW8bHVJaZGOaGnXcPXd-58jOkKmNj96f2tSLz6q1Ffg0w@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Benjamin Kaduk <kaduk@mit.edu>, secdir@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-domain-verification-techniques.all@ietf.org
Content-Type: multipart/alternative; boundary="000000000000030bcc05ffc8b3fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/5lMkU5DSdmoixcI11s4_mTBjkMg>
Subject: Re: [secdir] [DNSOP] Secdir early review of draft-ietf-dnsop-domain-verification-techniques-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jul 2023 02:59:10 -0000
On Thu, Apr 20, 2023 at 11:46 AM Paul Wouters <paul@nohats.ca> wrote: > > > ### CNAME chaining > > > > In §3.2 we see the text "Another issue with CNAME records is that they > must > > not point to another CNAME" provided, with no reference. But CNAME > chains are > > in heavy use on the internet in practice with no ill effect (case in > point: my > > employer's CDN business), so I'd recommend removing the discussion of > CNAME > > chaining, or supplying a reference and discussion around them that is > closer > > to the deployment reality. > Yes, my employer too! :) > Looking up the exact reference, I do find in > https://www.rfc-editor.org/rfc/rfc1034.html#section-3.6.2 > > CNAME chains should be followed > > So perhaps our advise here was a bit too strong. We already had an open > item at looking to change the language there to make it less restrictive > on CNAMEs so we will take item this into that discussion. Thanks Paul (and Ben ..), We've now addressed this in the current github draft by just removing the discussion on CNAME chains, as I don't think it is crucial to the potential pitfalls with CNAMEs used for domain control validation. We've also relaxed the recommendation against using CNAME based methods. The original rationale for that was because they can't coexist with any other records at the same name. However, there are many providers that do CNAME based validation by placing the validation record at a random subdomain of the name being validated, rather than at the actual name itself, which avoids the collision problem entirely. See an example in the appendix for Amazon ACM, although quite a number of others can be cited (Docusign, Sectigo, etc). We also account for the delegated validation model which employs a CNAME pointing to a TXT record hosted at a 3rd party. We still recommend the TXT based method, as it uses an application specific underscore prefix label (which both avoids collisions with CNAMEs and makes it easier to identify the service associated with the validation record). Shumon.
- [secdir] Secdir early review of draft-ietf-dnsop-… Benjamin Kaduk via Datatracker
- Re: [secdir] [DNSOP] Secdir early review of draft… Paul Wouters
- Re: [secdir] [DNSOP] Secdir early review of draft… Benjamin Kaduk
- Re: [secdir] [DNSOP] Secdir early review of draft… Shumon Huque
- Re: [secdir] Secdir early review of draft-ietf-dn… Shivan Kaul Sahib