On Jan 14, 2025, at 02:57, ben=40yocto....@dmarc.ietf.org wrote:

> This may be off-topic, but saw this mail about "domain validation" appear in
> my mailbox.

Not at all off-topic: draft-ietf-dnsop-domain-verification-techniques is a WG document.

> It seems that the specification wants to specify a standardized way to verify
> domains when needing some authority (e.g. during certificate requests or
> activating a mail service for your domain at a mail provider).

The document is meant to specify best current practices, and maybe steer readers away from not-best current practices.

> I think it is indeed nice to have some standard that can be followed, instead
> of everybody making their own mechanism.

In my mind, it isn't (and shouldn't be) standardizing anything. This WG has long discussed the advantages and disadvantages of TXT-in-zone, new-RR-in-zone, and TXT-in-underscore-subdomain. Some people would clearly like to demand that all future services use one of those, but we don't have strong consensus on which one or on the damages of someone using the "wrong" one.

> However, in all cases of DNS validation, it is assumed that the zone is
> authoritative. Mostly, this is the case, because the NS servers point to the
> DNS server where the zone is located, but even then there could be problems.
> One problem is Zone Hijacking:
> https://community.cloudflare.com/t/add-extra-dns-check-on-cloudflare-zone-creation-to-prevent-hijacking/686853.

Exactly right.

> As DNS Operator, I use "ns1.exampledns.com" and
> "<validationCode>.ns2.exampledns.com" NS records that a user should put in
> the nameserver fields at the registrar; after validation, the validation code
> can be removed. Cloudflare uses a different method by using a somewhat unique
> pair of nameservers. Other DNS operators may have other validation methods to
> verify that the zone creator is also the domain owner, or don't have any
> validation at all.
>
> Honestly, I don't think that doing validation with nameservers is THE way to
> do it. As I mentioned in 2023 on Twitter/X
> (https://x.com/ben221199/status/1717122678463578307), I'm interested in
> writing an RFC that defines a new method for validation of domain owners for
> DNS operators (including the EPP extension), because that is actually the
> last unsafe part in the validation chain. Because I got triggered by the
> subject of the mail below, I decided to write this mail. I want to know if my
> RFC idea is in scope with the draft that is written by your working group. If
> it isn't, I will start my own draft of course. Else, I'm happy to contribute
> to this existing draft.

I would hope that your idea is in scope for this discussion and maybe a separate focused document. That is, DNS operators are interesting service providers in the context of draft-ietf-dnsop-domain-verification-techniques, so that use case should at least be mentioned and maybe a best practice talked about.

--Paul Hoffman
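The "<validationCode>.ns2.exampledns.com" check Ben describes above, written out as an added illustration that is not code from either poster, the draft, or any DNS operator. It assumes exampledns.com is the operator's nameserver domain and replaces the real lookup of the parent-zone delegation with a constructed table, so that the zone-hijacking case (a delegation that names only the operator's generic nameservers) can be shown failing the check:

```python
"""DNS-operator side of NS-record domain validation (illustrative, assumptions marked)."""
import secrets

# Assumption: the operator's nameserver names from the post.
OPERATOR_NS1 = "ns1.exampledns.com"
OPERATOR_NS2_SUFFIX = "ns2.exampledns.com"

# Constructed stand-in for querying the NS set the registrar published at the
# parent zone. A real implementation would resolve this from the parent's
# authoritative servers rather than from the zone's own (possibly hijacked) data.
PARENT_DELEGATION = {
    # Owner followed the instructions: generic ns1 plus the code-bearing ns2.
    "alice.example": ["ns1.exampledns.com.", "9F2C7A41B0D3E5F6.ns2.exampledns.com."],
    # Zone-hijacking shape: delegated to the generic pair only, no code present.
    "bob.example": ["ns1.exampledns.com.", "ns2.exampledns.com."],
    # Delegated elsewhere entirely.
    "carol.example": ["ns1.otherdns.net.", "ns2.otherdns.net."],
}


def issue_validation_code() -> str:
    """Unguessable code handed to the zone creator when the zone is added."""
    return secrets.token_hex(8).upper()


def validation_ns_pair(code: str) -> tuple[str, str]:
    """The two NS names the zone creator must enter at the registrar."""
    return OPERATOR_NS1, f"{code}.{OPERATOR_NS2_SUFFIX}"


def _canon(name: str) -> str:
    # DNS names are case-insensitive; trailing dot is presentation only.
    return name.rstrip(".").lower()


def delegation_proves_control(zone: str, code: str, delegation=PARENT_DELEGATION) -> bool:
    """True only if the parent delegation for ZONE carries both operator NS names,
    including the one bearing the CODE issued to this particular zone creator."""
    observed = {_canon(n) for n in delegation.get(_canon(zone), [])}
    wanted = {_canon(n) for n in validation_ns_pair(code)}
    return wanted <= observed
```

Once the check passes, the operator can let the user drop the code-bearing NS name, which is why the post describes the code as removable after validation.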