[cabf_validation] Use of underscore in DNS auth

Peter Bowen pzb at amzn.com
Thu Nov 17 11:01:16 MST 2016


There are a number of options allowed by Ballot 169.  If you want to validate control of “beta.shop.example.com”, you can check rrdata (“value”) of the following records to confirm the presence of the random value:

beta.shop.example.com IN TXT
shop.example.com IN TXT
example.com IN TXT
_foo.beta.shop.example.com IN TXT
_quux-my-world.shop.example.com IN TXT
_bar---33.example.com IN TXT

You can replace “foo”, “quux-my-world”, and “bar---33” with any other combination of letters, numbers, and “-” ([a-z0-9-]+ in regex notation).

You can replace TXT with CAA.

Jeremy has proposed also allowing you to replace TXT with CNAME.

Does that help?

Thanks,
Peter
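
As an added illustration of the rule Peter lays out above (not code from the thread or from any CA), the following Python enumerates the Authorization Domain Names for an FQDN, decides whether a given owner name is an acceptable place for the Random Value (an ADN, or an ADN prefixed with exactly one label of the form `_[a-z0-9-]+`), and searches a constructed, in-memory stand-in for DNS for the value. The registrable domain is passed in as an assumption rather than derived from the Public Suffix List, and the sample zone, token and record names are constructed for the example; CNAME is treated as not yet allowed, matching the "proposed" status in the message.

```python
import re

# Label that may be prefixed to an Authorization Domain Name: an underscore
# followed by one or more of [a-z0-9-] (the regex from the message, applied
# to a case-folded name since DNS names are case-insensitive).
UNDERSCORE_LABEL_RE = re.compile(r"^_[a-z0-9-]+$")

# Record types the message says may carry the Random Value. CNAME is left
# out because it was only proposed at the time.
ALLOWED_RTYPES = {"TXT", "CAA"}


def authorization_domain_names(fqdn, registrable_domain):
    """Return the FQDN and each parent domain down to the registrable domain.

    The registrable domain is an assumption supplied by the caller; a CA
    would derive it from the Public Suffix List instead of trusting input.
    """
    fqdn = fqdn.lower().rstrip(".")
    registrable_domain = registrable_domain.lower().rstrip(".")
    if not (fqdn == registrable_domain or fqdn.endswith("." + registrable_domain)):
        raise ValueError(f"{fqdn} is not under {registrable_domain}")
    labels = fqdn.split(".")
    depth = len(registrable_domain.split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - depth + 1)]


def is_acceptable_record_name(name, fqdn, registrable_domain):
    """True if `name` is an ADN for `fqdn`, or an ADN prefixed with exactly
    one underscore label. Two underscore labels, or a label that is just
    "_", are rejected because the rule allows a single prefixed label."""
    name = name.lower().rstrip(".")
    adns = set(authorization_domain_names(fqdn, registrable_domain))
    if name in adns:
        return True
    first, sep, rest = name.partition(".")
    return bool(sep) and rest in adns and UNDERSCORE_LABEL_RE.match(first) is not None


def find_random_value(fqdn, registrable_domain, random_value, zone):
    """Search a zone view for the Random Value at an acceptable name/type.

    `zone` maps (owner name, rtype) -> list of rdata strings and stands in
    for live DNS lookups so the example runs offline. Returns (name, rtype)
    of the first acceptable record whose rdata contains the value, or None.
    """
    for (name, rtype), rdatas in zone.items():
        rtype = rtype.upper()
        if rtype not in ALLOWED_RTYPES:
            continue
        if not is_acceptable_record_name(name, fqdn, registrable_domain):
            continue
        if any(random_value in rdata for rdata in rdatas):
            return (name.lower().rstrip("."), rtype)
    return None


# Constructed sample zone (not real DNS data) showing accepted and rejected placements.
SAMPLE_ZONE = {
    ("_a._b.example.com", "TXT"): ["tok-3f9a1c"],               # two underscore labels: rejected
    ("_validation.example.com", "CNAME"): ["tok-3f9a1c"],       # CNAME: only proposed, rejected
    ("_validation.shop.example.com", "TXT"): ["tok-3f9a1c"],    # accepted: _label + ADN
    ("_bar---33.example.com", "CAA"): ['0 issue "ca.example; token=tok-3f9a1c"'],
}

if __name__ == "__main__":
    print(find_random_value("beta.shop.example.com", "example.com", "tok-3f9a1c", SAMPLE_ZONE))
```

Running the module reports the TXT record at `_validation.shop.example.com`; the entries with two underscore labels and with a CNAME are skipped even though they contain the same token.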


> On Nov 17, 2016, at 9:54 AM, Doug Beattie via Validation <validation at cabforum.org> wrote:
> 
> I thought that the DNS record content just needed to begin with _ and there were no other requirements, now I’m confused.
>  
> Isn’t the DNS record located at an Authorization Domain Name (foo.example.com or example.com) and the record (TXT or CAA) needs to begin with “_” and it needs to contain a Random Value.  In other words, doesn’t the “_” requirement apply to the value not the location?
>  
> Doug
> From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Rick Andrews via Validation
> Sent: Thursday, November 17, 2016 12:39 PM
> To: 'validation' <validation at cabforum.org>
> Cc: Rick Andrews <Rick_Andrews at symantec.com>
> Subject: [cabf_validation] Use of underscore in DNS auth
>  
> On today’s VWG call, Peter mentioned the language about underscore in DNS auth. Here’s the section:
> 
> 3.2.2.4.7 DNS Change
> 
> Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value
> 
> or Request Token in a DNS TXT or CAA record for an Authorization Domain Name or an Authorization
> 
> Domain Name that is prefixed with a label that begins with an underscore character.
> 
> Upon re-reading this, I see that I did not interpret it properly; it seems to exclude using DNS records for _foo.example.com if I’m trying to validate foo.example.com. So I can use _validation.foo.example.com or _validation.example.com. Anyone disagree?
> 
> -Rick
> 