Hello all,
This may be off-topic, but saw this mail about "domain validation"
appear in my mailbox.
It seems that the specification wants to specify a standardized way to
verify domains when needing some authority (e.g. during certificate
requests or activating a mail service for your domain at a mail
provider). I think it is indeed nice to have some standard that can be
followed, instead of everybody making their own mechanism.
However, in all cases of DNS validation, it is assumed that the zone is
authoritative. Mostly, this is the case, because the NS servers point to
the DNS server where the zone is located, but even then there could be
problems. One problem is Zone Hijacking:
https://community.cloudflare.com/t/add-extra-dns-check-on-cloudflare-zone-creation-to-prevent-hijacking/686853.
As DNS Operator, I use "ns1.exampledns.com" and
"<validationCode>.ns2.exampledns.com" NS records that a user should put
in the nameserver fields at the registrar; after validation, the
validation code can be removed. Cloudflare uses a different method by
using a somewhat unique pair of nameservers. Other DNS operators may
have other validation methods to verify that the zone creator is also
the domain owner, or don't have any validation at all.
Honestly, I don't think that doing validation with nameservers is THE
way to do it. As I mentioned in 2023 on Twitter/X
(https://x.com/ben221199/status/1717122678463578307), I'm interested in
writing an RFC that defines a new method for validation of domain owners
for DNS operators (including the EPP extension), because that is
actually the last unsafe part in the validation chain. Because I got
triggered by the subject of the mail below, I decided to write this
mail. I want to know if my RFC idea is in scope with the draft that is
written by your working group. If it isn't, I will start my own draft of
course. Else, I'm happy to contribute to this existing draft.
Thanks in advance
Ben
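As an added illustration of the nameserver-based check described above (example code written for this thread, not Ben's or any DNS operator's implementation; the operator names, secret and account ids are constructed), the following shows how a DNS operator can bind a validation code to an account and domain, publish it as the left-most label of the second NS name, and then accept the zone only when the delegation published in the parent zone carries exactly that pair. A delegation that already points at the operator's plain nameservers, the situation behind the Cloudflare hijacking report, is rejected.

```python
import base64
import hashlib
import hmac

# Constructed DNS-operator settings for this example only.
OPERATOR_SECRET = b"constructed-example-secret"
NS1 = "ns1.exampledns.com"
NS2_SUFFIX = "ns2.exampledns.com"


def validation_code(account_id: str, domain: str) -> str:
    """Per-account, per-domain code used as the first label of the NS2 name.

    Keyed with the operator secret and bound to the account, so one customer's
    code is useless to another. Base32 of 10 bytes gives 16 characters, a
    valid case-insensitive DNS label with no padding."""
    msg = f"{account_id}\x00{domain.lower().rstrip('.')}".encode()
    mac = hmac.new(OPERATOR_SECRET, msg, hashlib.sha256).digest()
    return base64.b32encode(mac[:10]).decode().lower()


def expected_ns_set(account_id: str, domain: str) -> set:
    """The two NS names the operator tells this account to set at the registrar."""
    return {NS1, f"{validation_code(account_id, domain)}.{NS2_SUFFIX}"}


def normalize(names) -> set:
    """DNS names are case-insensitive; drop a trailing root dot as well."""
    return {n.lower().rstrip(".") for n in names}


def delegation_is_validated(account_id: str, domain: str, parent_ns_rrset) -> bool:
    """True only when the NS RRset seen in the parent (registry) zone is exactly
    the pair handed to this account. The plain ns1/ns2 pair, or a code minted
    for another account, does not pass: that is the zone-hijacking case, where
    a domain already delegated to the operator is re-created by someone else."""
    return normalize(parent_ns_rrset) == expected_ns_set(account_id, domain)


if __name__ == "__main__":
    # Constructed parent-zone NS records as a registry might publish them.
    ns = expected_ns_set("acct-42", "example.org")
    print(ns, delegation_is_validated("acct-42", "example.org", ns))
    print(delegation_is_validated("acct-42", "example.org",
                                  ["ns1.exampledns.com.", "ns2.exampledns.com."]))
```

Once the zone is accepted, the operator can let the customer replace the coded NS2 name with the plain one, as the mail describes, because the proof has already been recorded.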
Paul Hoffman wrote on 2025-01-13 15:12:
On Jan 13, 2025, at 06:55, Shumon Huque <shu...@gmail.com> wrote:
Thanks for your comments.
At the last DNSOP meeting in Dublin, I already made some remarks at
the mic that the draft is in need of some cleanup and reorganization.
A lot of the content has grown by accretion in response to various
feedback and it is probably indeed time to do a cleanup pass.
The authors had already planned to meet later this month on this
topic. They are now also considering your specific suggestions, and
will pull you into some of those conversations.
Thanks, I'm happy to help on that. I would still like some best
practices published before the next onslaught of "let's use the DNS for
$thing but we'll blame the DNS if we do it wrong".
--Paul Hoffman
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org