On Sat, 17 Feb 2024, Shumon Huque wrote:
Should the IANA registry be involved for the `wildcard`, `host`, and `domain` scope values that are mentioned in the draft?
Are you referring to the 'Underscore and Globally Scoped DNS Node Names registry' located here?
https://www.iana.org/assignments/dns-parameters/dns-parameters.xml#underscored-globally-scoped-dns-node-names
I think so, as there is no other IANA registry related to this I can think of?
The wildcard/host/domain scopes proposed in the domain verification draft are substrings of an application specific label, and thus are not node names by themselves. Hence I don't think they could be added directly.
For your specific use case, if you are asking if we need to add the 3 nodes "_acme-{host,wildcard,domain}-challenge" to the registry, I think that is a reasonable suggestion, since "_acme-challenge" presently exists, and may ultimately be superseded by your updated ACME DNS challenge draft.
Note that there have previously been vigorous debates on the topic of more generally adding new application specific labels into that registry, and there doesn't seem to be a consensus for that at the moment.
I'm sure other folks will chime in with their views. But I want to ping Paul Wouters specifically: since you are one of the expert reviewers for this registry and an author of domain-verification, could you express your opinion on the specific request related to ACME (a pre-existing entry in that registry) and its new scoped challenge-specific labels?
That registry is really weak: first come, first served. In theory, I wouldn't technically be able to stop someone else from registering _acme-elvis-my-way-challenge.
The main goal of the registry is to avoid people inadvertently using the same name. As such, I might push back a little on very generic names, but things which clearly carve a namespace for general use like _acme, are fine.
Now speaking as author, not as the underscore registry expert:
I'm not sure you would want the host/wildcard/domain difference in the QNAME though, because that might end up needing 3 DNS queries to find out. It would be best if things could come in with 1 DNS query. Make the variable part live in the RRdata, not the QNAME.
Paul
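As an added illustration of the query-count point in Paul's reply (example code written for this page, not from the thread or from the draft): a toy model with a query-counting resolver, where the scope sits in the QNAME in one design and in the RRdata in the other. The owner names, the `scope=... token=...` TXT layout and the token values are constructed assumptions, not the draft's actual format.

```python
from typing import Dict, List, Optional, Tuple

SCOPES = ("host", "wildcard", "domain")

# Constructed zone data. Owner names, the TXT layout and the tokens are
# assumptions for this example, not the format the draft specifies.
ZONE: Dict[str, List[str]] = {
    # Design A: scope is part of the QNAME, one owner name per scope.
    "_acme-domain-challenge.example.com.": ["tok-d-111"],
    # Design B: the existing _acme-challenge name, scope carried in RRdata.
    "_acme-challenge.example.com.": ["scope=domain token=tok-d-111"],
}

class Resolver:
    """Stand-in for a DNS resolver that counts the TXT queries it answers."""
    def __init__(self, zone: Dict[str, List[str]]) -> None:
        self.zone = zone
        self.queries = 0

    def txt(self, qname: str) -> List[str]:
        """Return TXT rdata for qname; an empty list models NXDOMAIN/NODATA."""
        self.queries += 1
        return self.zone.get(qname, [])

def verify_scope_in_qname(domain: str, token: str) -> Tuple[Optional[str], int]:
    """Design A: the verifier does not know which scope was published, so it
    probes the scoped names in turn and may spend one query per scope."""
    r = Resolver(ZONE)
    for scope in SCOPES:
        if token in r.txt(f"_acme-{scope}-challenge.{domain}."):
            return scope, r.queries
    return None, r.queries

def parse_scoped_rdata(txt: str) -> Dict[str, str]:
    """Parse the constructed 'key=value' TXT layout into a dict."""
    fields: Dict[str, str] = {}
    for item in txt.split():
        key, sep, value = item.partition("=")
        if sep and key and value:
            fields[key] = value
    return fields

def verify_scope_in_rdata(domain: str, token: str) -> Tuple[Optional[str], int]:
    """Design B: one query to the fixed name, then match token and scope in rdata."""
    r = Resolver(ZONE)
    for txt in r.txt(f"_acme-challenge.{domain}."):
        rec = parse_scoped_rdata(txt)
        if rec.get("token") == token and rec.get("scope") in SCOPES:
            return rec["scope"], r.queries
    return None, r.queries
```

With the zone above, design A needs three queries to find the `domain`-scoped record (and three to learn that a token is absent), while design B answers either case with a single query.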
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop