All

The -09 version made one change to remove the section on "Supporting
Multiple Intermediates" to address concerns.

One issue has been raised, and we felt the WG would have opinions on
this as it involves DNSSEC Validation.

Under "Security Considerations", in the section "DNS Spoofing and DNSSEC
Validation", the current text is not precise enough.

Current:

DNSSEC validation SHOULD be performed by Application Service Providers that
verify Validation Records they have requested to be deployed.


Suggested:

DNSSEC validation MUST be performed by Application Service Providers that
verify Validation Records they have requested to be deployed. A "Bogus" or
"Indeterminate" result (as defined in [[RFC4033]]) MUST NOT be accepted. A
"Secure" or "Insecure" result SHOULD be accepted.


https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/issues/182


Thoughts?

tim


On Mon, Jul 7, 2025 at 3:28 PM <[email protected]> wrote:

> Internet-Draft draft-ietf-dnsop-domain-verification-techniques-09.txt is now
> available. It is a work item of the Domain Name System Operations (DNSOP) WG
> of the IETF.
>
>    Title:   Domain Control Validation using DNS
>    Authors: Shivan Sahib
>             Shumon Huque
>             Paul Wouters
>             Erik Nygren
>             Tim Wicinski
>    Name:    draft-ietf-dnsop-domain-verification-techniques-09.txt
>    Pages:   18
>    Dates:   2025-07-07
>
> Abstract:
>
>    Many application services on the Internet need to verify ownership or
>    control of a domain in the Domain Name System (DNS).  The general
>    term for this process is "Domain Control Validation", and can be done
>    using a variety of methods such as email, HTTP/HTTPS, or the DNS
>    itself.  This document focuses only on DNS-based methods, which
>    typically involve the Application Service Provider requesting a DNS
>    record with a specific format and content to be visible in the domain
>    to be verified.  There is wide variation in the details of these
>    methods today.  This document provides some best practices to avoid
>    known problems.
>
> The IETF datatracker status page for this Internet-Draft is:
>
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/
>
> There is also an HTML version available at:
>
> https://www.ietf.org/archive/id/draft-ietf-dnsop-domain-verification-techniques-09.html
>
> A diff from the previous version is available at:
>
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-domain-verification-techniques-09
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>