[cabf_validation] Use of underscore in DNS auth
J.C. Jones
jjones at mozilla.com
Thu Nov 17 10:48:02 MST 2016
Rick,
Requiring something like _validation.label.domain.tld was indeed the
original intent, not _label.domain.tld. It's a little bit cleaner on the
DNS side to use a leaf whose parent is the label to be validated, IMO, but
I don't know of any security properties to require this construction.
(Sorry I missed the call this morning!)
J.C.
On Thu, Nov 17, 2016 at 10:39 AM, Rick Andrews via Validation <
validation at cabforum.org> wrote:
> On today’s VWG call, Peter mentioned the language about underscore in DNS
> auth. Here’s the section:
>
> 3.2.2.4.7 DNS Change
>
> Confirming the Applicant's control over the requested FQDN by confirming
> the presence of a Random Value
>
> or Request Token in a DNS TXT or CAA record for an Authorization Domain
> Name or an Authorization
>
> Domain Name that is prefixed with a label that begins with an underscore
> character.
>
> Upon re-reading this, I see that I did not interpret it properly; it
> seems to exclude using DNS records for _foo.example.com if I’m trying to
> validate foo.example.com. So I can use _validation.foo.example.com or _
> validation.example.com. Anyone disagree?
>
> -Rick
>
>
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://cabforum.org/mailman/listinfo/validation
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20161117/2a0ccf4f/attachment.html>
More information about the Validation
mailing list