[cabf_validation] Use of underscore in DNS auth

Doug Beattie doug.beattie at globalsign.com
Thu Nov 17 10:54:36 MST 2016


I thought that the DNS record content just needed to begin with _ and there were no other requirements, now I'm confused.

Isn't the DNS record located at an Authorization Domain Name (foo.example.com or example.com) and the record (TXT or CAA) needs to begin with "_" and it needs to contain a Random Value.  In other words, doesn't the "_" requirement apply to the value not the location?

Doug

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Rick Andrews via Validation
Sent: Thursday, November 17, 2016 12:39 PM
To: 'validation' <validation at cabforum.org>
Cc: Rick Andrews <Rick_Andrews at symantec.com>
Subject: [cabf_validation] Use of underscore in DNS auth


On today's VWG call, Peter mentioned the language about underscore in DNS auth. Here's the section:

3.2.2.4.7 DNS Change

Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value or Request Token in a DNS TXT or CAA record for an Authorization Domain Name or an Authorization Domain Name that is prefixed with a label that begins with an underscore character.

Upon re-reading this, I see that I did not interpret it properly; it seems to exclude using DNS records for _foo.example.com if I'm trying to validate foo.example.com. So I can use _validation.foo.example.com or _validation.example.com. Anyone disagree?

-Rick
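The placement rule in the section quoted above, worked through in code. This is an added example, not code from the thread or from the CA/Browser Forum: it takes the wording literally (the record name is either an Authorization Domain Name, or an ADN with exactly one leading label that begins with "_"), and looks for the Random Value in the record data. The Base Domain Name is passed in by the caller because deriving it properly needs the Public Suffix List; the zone contents are a constructed in-memory dict, not live DNS; the names `authorization_domain_names`, `is_acceptable_location`, `validate_dns_change` and the sample value `abc123` are all this example's own.

```python
"""Toy checker for record placement under BR 3.2.2.4.7 (DNS Change).

Assumptions (this example's own, not from the list thread):
  * the Base Domain Name is supplied by the caller (real code needs the
    Public Suffix List to find it);
  * "DNS" is a constructed dict of name -> list of records, where a record
    is ("TXT", data) or ("CAA", tag, value);
  * a CAA record matches when its value equals the Random Value.
"""
from typing import Dict, List, Optional, Tuple, Union

Record = Union[Tuple[str, str], Tuple[str, str, str]]


def authorization_domain_names(fqdn: str, base_domain: str) -> List[str]:
    """Candidate Authorization Domain Names for fqdn: the FQDN itself and
    every parent, down to and including the Base Domain Name."""
    fqdn = fqdn.rstrip(".").lower()
    base_domain = base_domain.rstrip(".").lower()
    if fqdn != base_domain and not fqdn.endswith("." + base_domain):
        raise ValueError(f"{fqdn} is not under {base_domain}")
    labels = fqdn.split(".")
    base_len = len(base_domain.split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - base_len + 1)]


def is_acceptable_location(record_name: str, fqdn: str, base_domain: str) -> bool:
    """True if a record at record_name may be used to validate fqdn.

    Literal reading of the quoted wording: the name is an ADN, or an ADN
    with a single extra leading label that begins with an underscore.
    The underscore requirement applies to the *name*, not the record data.
    """
    record_name = record_name.rstrip(".").lower()
    adns = authorization_domain_names(fqdn, base_domain)
    if record_name in adns:
        return True
    first, _, rest = record_name.partition(".")
    return first.startswith("_") and rest in adns


def validate_dns_change(fqdn: str, base_domain: str,
                        zone: Dict[str, List[Record]],
                        random_value: str) -> Optional[str]:
    """Return the name of the first record that carries random_value at an
    acceptable location, or None if validation fails."""
    for name, records in zone.items():
        if not is_acceptable_location(name, fqdn, base_domain):
            continue  # right token in the wrong place does not count
        for rr in records:
            if rr[0] == "TXT" and rr[1] == random_value:
                return name
            if rr[0] == "CAA" and rr[2] == random_value:
                return name
    return None


# Constructed zone data for the demonstration (not real DNS answers).
ZONE: Dict[str, List[Record]] = {
    "bar.example.com": [("TXT", "abc123")],               # not an ADN of foo
    "_acme.bar.example.com": [("TXT", "abc123")],         # prefixes a non-ADN
    "_validation.foo.example.com": [("TXT", "abc123")],   # _label + ADN: ok
    "example.com": [("CAA", "issue", "abc123")],          # ADN itself: ok
}

if __name__ == "__main__":
    print(authorization_domain_names("www.foo.example.com", "example.com"))
    print(validate_dns_change("foo.example.com", "example.com", ZONE, "abc123"))
```

Running it lists the three ADNs for `www.foo.example.com` and reports `_validation.foo.example.com` as the first record that satisfies the check; the `bar.example.com` entries are skipped even though they hold the right value, because `bar.example.com` is not an ADN of `foo.example.com`.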