[cabf_validation] Use of underscore in DNS auth
Doug Beattie
doug.beattie at globalsign.com
Thu Nov 17 11:51:58 MST 2016
Isn’t bin.coffee a valid record location for user.bin.coffee? It’s an Authorization Domain Name.
From: J.C. Jones [mailto:jjones at mozilla.com]
Sent: Thursday, November 17, 2016 1:12 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Doug Beattie <doug.beattie at globalsign.com>
Subject: Re: [cabf_validation] Use of underscore in DNS auth
Oh, you're right of course, Peter. The _ prefix label wasn't a requirement. My apologies.
Let me correct that message:
The following are permitted record names to put the Random Value for usr.bin.coffee:
* usr.bin.coffee
* _myca.usr.bin.coffee
* _super-validation.usr.bin.coffee
* _acme-challenge.usr.bin.coffee
* _meta.usr.bin.coffee
* _z.usr.bin.coffee
The following aren't permitted record names to put the Random Value for usr.bin.coffee:
* bin.coffee
* usr.local.bin.coffee
* validation.usr.bin.coffee
* _usr.bin.coffee
* _validationusr.bin.coffee
* validation_usr.bin.coffee
On Thu, Nov 17, 2016 at 11:01 AM, Peter Bowen via Validation <validation at cabforum.org> wrote:
There are a number of options allowed by Ballot 169. If you want to validate control of “beta.shop.example.com”, you can check rrdata (“value”) of the following records to confirm the presence of the random value:
beta.shop.example.com IN TXT
shop.example.com IN TXT
example.com IN TXT
_foo.beta.shop.example.com IN TXT
_quux-my-world.shop.example.com IN TXT
_bar---33.example.com IN TXT
You can replace “foo”, “quux-my-world”, and “bar---33” with any other combination of letters, numbers, and “-” ([a-z0-9-]+ in regex notation).
You can replace TXT with CAA.
Jeremy has proposed also allowing you to replace TXT with CNAME.
Does that help?
Thanks,
Peter
On Nov 17, 2016, at 9:54 AM, Doug Beattie via Validation <validation at cabforum.org> wrote:
I thought that the DNS record content just needed to begin with _ and there were no other requirements, now I’m confused.
Isn’t the DNS record located at an Authorization Domain Name (foo.example.com or example.com) and the record (TXT or CAA) needs to begin with “_” and it needs to contain a Random Value. In other words, doesn’t the “_” requirement apply to the value not the location?
Doug
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Rick Andrews via Validation
Sent: Thursday, November 17, 2016 12:39 PM
To: 'validation' <validation at cabforum.org>
Cc: Rick Andrews <Rick_Andrews at symantec.com>
Subject: [cabf_validation] Use of underscore in DNS auth
On today’s VWG call, Peter mentioned the language about underscore in DNS auth. Here’s the section:
3.2.2.4.7 DNS Change
Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value
or Request Token in a DNS TXT or CAA record for an Authorization Domain Name or an Authorization
Domain Name that is prefixed with a label that begins with an underscore character.
Upon re-reading this, I see that I did not interpret it properly; it seems to exclude using DNS records for _foo.example.com if I’m trying to validate foo.example.com. So I can use _validation.foo.example.com or _validation.example.com. Anyone disagree?
-Rick
_______________________________________________
Validation mailing list
Validation at cabforum.org
https://cabforum.org/mailman/listinfo/validation
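As an added example that is not part of the thread, here is a small Python checker for the rule as Peter's message and the quoted 3.2.2.4.7 text describe it: the Random Value may sit at an Authorization Domain Name, or at an Authorization Domain Name prefixed with one label that begins with an underscore. The Base Domain Name is passed in by the caller (assumption: a real validator would derive it from the Public Suffix List), and the underscore label is constrained to Peter's `[a-z0-9-]+`.

```python
import re

# Prefix label per 3.2.2.4.7: begins with "_", remainder restricted to
# Peter's [a-z0-9-]+ (names are lowercased before matching).
_UNDERSCORE_LABEL = re.compile(r"^_[a-z0-9-]+$")


def authorization_domain_names(fqdn, base_domain):
    """Return the Authorization Domain Names for fqdn, most specific first.

    Prunes zero or more labels from the left of the FQDN, stopping at the
    Base Domain Name. base_domain is supplied by the caller; deriving it from
    the Public Suffix List is out of scope here (assumption).
    """
    fqdn = fqdn.lower().rstrip(".")
    base_domain = base_domain.lower().rstrip(".")
    if fqdn != base_domain and not fqdn.endswith("." + base_domain):
        raise ValueError(f"{fqdn} is not under base domain {base_domain}")
    labels = fqdn.split(".")
    base_count = base_domain.count(".") + 1
    return [".".join(labels[i:]) for i in range(len(labels) - base_count + 1)]


def is_permitted_record_name(fqdn, base_domain, record_name):
    """True if record_name may hold the Random Value when validating fqdn.

    Permitted: an Authorization Domain Name itself, or an Authorization Domain
    Name prefixed with exactly one label that begins with an underscore.
    Anything else (sibling names, non-underscore prefixes, extra labels) is not.
    """
    record_name = record_name.lower().rstrip(".")
    adns = authorization_domain_names(fqdn, base_domain)
    if record_name in adns:
        return True
    prefix, _, rest = record_name.partition(".")
    return rest in adns and bool(_UNDERSCORE_LABEL.match(prefix))


if __name__ == "__main__":
    # Peter's examples for beta.shop.example.com (constructed check).
    for name in ("shop.example.com", "_bar---33.example.com", "validation.beta.shop.example.com"):
        print(name, is_permitted_record_name("beta.shop.example.com", "example.com", name))
```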