Dear participants of the DNSOP mailing list, I would like to respond to the thread in the subject. Having joined this mailing list a few hours ago, it's difficult to reply at the correct part of the thread.
I am employed by a SAML metadata registrar and we require verification that a registrant has effective control over a fully-qualified domain name. We have developed our own DNS TXT based method for verification and are in the process of reviewing it. We would like to be able to refer to a BCP document, and appreciate your work towards one.

Here are some questions and comments as feedback on https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-domain-verification-techniques-01. I hope they are useful.

1. In section 2, you define the APEX, although this term does not appear in the rest of the document. All the examples show how to verify the apex domain example.com. It is therefore unclear to me whether your technique can be used to verify effective control over an arbitrary fully-qualified domain name. Can the specification generalise?

2. The examples in Section 3.1 show provider-relevant prefixes which start with an underscore. Is this a convention or a requirement?

3. In Section 3.1 you say "Consumers of the provider services need to relay information from a provider's website to their local DNS administrators". There are other ways to relay the information from provider to consumer, such as S/MIME, and the specification should reflect this.

4. Section 3.1 states "Providers MUST provide clear instructions on when a verifying record can be removed" and A.1.4 has "The service provider doing the verification should specify how long the verification will take". In my experience, the most variable part of the process is at the consumer end, because the person wishing to use the service is not typically the DNS admin. An expiry set solely by the provider doesn't take that variability into account. Maybe it's better for the provider to signal a period after which the verification would be assumed unsuccessful, and to provide guidance to the provider not to make this period too short.

5. My employer's method currently requires the registrant to set a TXT record on the apex domain. Thank you for providing 2 reasons in A.1.1 why we should not.

Regards,
Alex

Alex Stuart (he/him)
Trust and Identity technical architect
[email protected]
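Points 1, 2, 4 and 5 above concern the same mechanics: which owner name the registrant creates, whether it works for a name below the apex, and how the provider's deadline is applied. The following is an added example written for this page; it is neither Jisc's method nor text from the draft. It follows the draft's example pattern of an underscore-prefixed, provider-specific label holding a TXT challenge, but the label `_exampleprovider-challenge`, the validity period, the record names and the in-memory "zone" that stands in for a DNS lookup are all constructed for illustration.

```python
"""Added example: TXT-based control check for an arbitrary FQDN with a
provider-signalled deadline. Not the draft's normative text and not any
registrar's production code; names and the fake zone are constructed."""
import hmac
import re
import secrets
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical provider label in the "_<provider>-challenge" shape the
# draft's examples use. The underscore keeps it out of hostname space.
CHALLENGE_LABEL = "_exampleprovider-challenge"

# One DNS label: LDH rule, 1-63 octets, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def normalise_fqdn(fqdn: str) -> str:
    """Lower-case, drop the trailing dot and reject malformed labels."""
    name = fqdn.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        raise ValueError(f"not a valid FQDN: {fqdn!r}")
    return name


def challenge_record_name(fqdn: str) -> str:
    """Owner name the registrant must create. Works for any FQDN (e.g.
    idp.example.com), not only the zone apex, because the challenge
    label is prepended to whatever name is being verified."""
    return f"{CHALLENGE_LABEL}.{normalise_fqdn(fqdn)}"


def issue_challenge(fqdn: str, now: datetime,
                    validity: timedelta = timedelta(days=14),
                    token: Optional[str] = None) -> dict:
    """Provider side: mint a random token and state the deadline after
    which an unseen record means the verification failed. The default
    validity is an assumption; the draft does not fix a value."""
    return {
        "fqdn": normalise_fqdn(fqdn),
        "record": challenge_record_name(fqdn),
        "token": token if token is not None else secrets.token_urlsafe(32),
        "expires_at": now + validity,
    }


def verify(challenge: dict, now: datetime,
           lookup_txt: Callable[[str], List[str]]) -> Tuple[bool, str]:
    """Provider side, run at any time up to the deadline: look up the
    challenge owner name and compare each TXT string to the token in
    constant time. Returns (ok, reason)."""
    if now > challenge["expires_at"]:
        return False, "expired"
    found = lookup_txt(challenge["record"])
    if not found:
        return False, "no TXT record at " + challenge["record"]
    expected = challenge["token"].encode()
    if any(hmac.compare_digest(t.encode(), expected) for t in found):
        return True, "verified"
    return False, "token mismatch"


# --- Constructed stand-in for DNS, so the example runs offline -------------
FAKE_ZONE: Dict[str, List[str]] = {
    "_exampleprovider-challenge.example.com": ["apex-token"],
    "_exampleprovider-challenge.idp.example.com": ["tok-subdomain"],
}


def fake_lookup_txt(name: str) -> List[str]:
    """Replace with a real resolver (e.g. dnspython) in practice."""
    return FAKE_ZONE.get(name.lower().rstrip("."), [])


DEMO_NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)
DEMO_AFTER_DEADLINE = DEMO_NOW + timedelta(days=15)

if __name__ == "__main__":
    ch = issue_challenge("IDP.Example.COM.", DEMO_NOW, token="tok-subdomain")
    print(ch["record"], verify(ch, DEMO_NOW, fake_lookup_txt))
    print(verify(ch, DEMO_AFTER_DEADLINE, fake_lookup_txt))
```

The registrant publishes a single TXT record at the owner name returned by `challenge_record_name`, so a sub-domain such as idp.example.com can be verified without touching the apex; the provider re-polls `verify` until `expires_at`, which is the provider-signalled "assume unsuccessful after" period rather than a fixed completion time.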
