On Fri, 30 May 2025, Joe Abley wrote:
I have definitely received automated email telling me that my domain is about
to be detached from a particular service because the TXT record had been
removed. Other TXT records I have removed in the interests of hygiene had
no such effect.
I agree that consistency would be better than this state of affairs.
It seems to me that a DCV in the form we use is no worse than anything
else persistent that's going to be in the DNS. The point of the random
token is to show that the person publishing the DNS record is the one with
the account to be verified, but once it's published the cat is out of the
bag. I don't see any way to fix that other than periodically changing the
token, and if you're going to do that, you know where to find ACME.
It also seems possible that there is a need for two signals: that a
domain is authorised to onboard to a particular service, and that a
domain is authorised to continue to be linked to a service.
I would guess that the chances that the places that use DCV would use two
different signals are on the order of 0.001%. I suppose a flag like
expiry=indefinite rather than expiry=260123 could give DNS people a hint
of which ones are OK to delete.
R's,
John
PS: The threat model for faked long term DCV seems rather implausible.
A malicious actor is going to fool some SaaS company into continuing my
subscription so they can steal it? That's going to be hard to do once I
don't pay the bill.
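As an added illustration of the expiry hint suggested above (example code, not anything from the thread or any real service), a small Python checker that sorts DCV TXT records into keep / safe-to-delete / review. The record layout `<service>-verification=<token>; expiry=...`, the service names and tokens, and reading `260123` as YYMMDD are all assumptions.

```python
import re
from datetime import date

# Assumed (hypothetical) DCV TXT record layout for this example:
#   <service>-verification=<token>[; expiry=indefinite | expiry=YYMMDD]
# The message's "260123" is read as YYMMDD, i.e. 2026-01-23 (assumption).
DCV_RE = re.compile(
    r"^(?P<service>[a-z0-9-]+)-verification=(?P<token>[A-Za-z0-9_-]+)"
    r"(?:;\s*expiry=(?P<expiry>indefinite|\d{6}))?$"
)

def parse_expiry(value):
    """Return ('indefinite', None), ('dated', date) or ('unknown', None)."""
    if value is None:
        return "unknown", None
    if value == "indefinite":
        return "indefinite", None
    try:
        yy, mm, dd = int(value[:2]), int(value[2:4]), int(value[4:6])
        return "dated", date(2000 + yy, mm, dd)
    except ValueError:  # e.g. month 13: unparseable hint
        return "unknown", None

def classify_dcv_records(txt_records, today):
    """Map DCV-looking TXT records to 'keep', 'safe-to-delete' or 'review'."""
    result = []
    for rr in txt_records:
        m = DCV_RE.match(rr)
        if not m:  # SPF, DKIM etc.: not a DCV record in the assumed layout
            continue
        kind, expires = parse_expiry(m.group("expiry"))
        if kind == "indefinite":  # ongoing-linkage signal: keep it
            status = "keep"
        elif kind == "dated":  # onboarding token with a use-by date
            status = "safe-to-delete" if expires < today else "keep"
        else:  # no hint at all: ask the service before removing
            status = "review"
        result.append((m.group("service"), status))
    return result

# Constructed sample zone contents (not real services or tokens).
SAMPLE_TXT = [
    "v=spf1 -all",
    "example-saas-verification=Qm4k8Z; expiry=indefinite",
    "other-svc-verification=tRx91a; expiry=260123",
    "legacy-app-verification=n0h1nt",
]
if __name__ == "__main__":
    for svc, status in classify_dcv_records(SAMPLE_TXT, date(2026, 2, 1)):
        print(f"{svc}: {status}")
```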
_______________________________________________
DNSOP mailing list -- [email protected]