Dear WG,

We've been encountering a delegation control verification use case repeatedly 
at deSEC. It was only recently that I saw the more general connection to domain 
verification and draft-ietf-dnsop-domain-verification-techniques.

Our use case is: as a DNS platform, folks delegate their domains to our 
nameservers. Sometimes, they loose access to their 2FA device, and also don't 
have recovery codes. In that case, we send them an email like the following:

----------------------------
I'm sorry to hear you lost 2FA access!

Your recovery token is: 4ob73r542sea2oiqyllii

To recover your domain(s), you need to prove control over them at the 
registration point, by adding an additional nameserver:

    <recovery-token>.dv.desec.io OR
    <recovery-token>.dv.desec.org

Once proof of control has been given for all domains in your account, we will 
disable 2FA. If you can only prove control for some domains, we will move the 
others into a dummy account for later recovery before disabling 2FA.
----------------------------

*.dv.desec.io has the same addresses as ns1.desec.io, and *.dv.desec.org has 
the same addresses as ns2.desec.org.

The recovery token is a secret shared with our user, and if it shows up in the 
delegation from the parent, we can reasonably assume that the domain owner is 
indeed our user.

Unfortunately, this process doesn't work securely with all parents. In 
particular, some require the child-side NS to match the parent's, so we have to 
change our customer's NS records before they can make the change. However, that 
exposes the secret in public. This way, after a domain ownership change, the 
new owner may be able to take over an existing deSEC account (enumerating the 
zone, or learning about token configurations such as subnet ACLs which can 
serve as further attack intel). Also another child-side change is needed for 
reverting to the previous delegation NS after verification.

I think it would be great if the document could note that our process outlined 
above is how you SHOULD do delegation control validation, and that the process 
SHOULD NOT involve publishing the validation nameserver hostname prior to using 
it for delegation.

This probably can be said in 1-2 paragraphs, perhaps as a new section 9 ("Delegation 
control validation").

Would folks be OK with such an addition to the document?

Thanks,
Peter

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to