[cabf_validation] Use of underscore in DNS auth

Doug Beattie doug.beattie at globalsign.com
Thu Nov 17 12:26:35 MST 2016


Peter,

I don’t think you’re allowed to add anything to the FQDN – doesn’t the DNS location need to be an Authorization Domain Name?  If that’s the case, then you’d never see a “_” entry.  I’m probably missing some DNS tidbit, please educate me…

The following are permitted record names to put the Random Value for usr.bin.coffee:
• usr.bin.coffee
• bin.coffee
Nothing else is an Authorization Domain Name

Doug

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Peter Bowen via Validation
Sent: Thursday, November 17, 2016 1:55 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Peter Bowen <pzb at amzn.com>
Subject: Re: [cabf_validation] Use of underscore in DNS auth



  *   bin.coffee

That is acceptable.


  *   _usr.bin.coffee

So is this because it is _<something>.bin.coffee.  _super-validation.bin.coffee is also acceptable.

On Nov 17, 2016, at 10:11 AM, J.C. Jones via Validation <validation at cabforum.org<mailto:validation at cabforum.org>> wrote:

Oh, you're right of course, Peter. the _ prefix label wasn't a requirement. My apologies.

Let me correct that message:

The following are permitted record names to put the Random Value for usr.bin.coffee:

  *   usr.bin.coffee
  *   _myca.usr.bin.coffee
  *   _super-validation.usr.bin.coffee
  *   _acme-challenge.usr.bin.coffee
  *   _meta.usr.bin.coffee
  *   _z.usr.bin.coffee

The following aren't permitted record names to put the Random Value for usr.bin.coffee:

  *   usr.local.bin.coffee
  *   validation.usr.bin.coffee
  *   _usr.bin.coffee
  *   _validationusr.bin.coffee
  *   validation_usr.bin.coffee

On Thu, Nov 17, 2016 at 11:01 AM, Peter Bowen via Validation <validation at cabforum.org<mailto:validation at cabforum.org>> wrote:
There are a number of options allowed by Ballot 169.  If you want to validate control of “beta.shop.example.com<http://beta.shop.example.com/>”, you can check rrdata (“value”) of the following records to confirm the presence of the random value:

beta.shop.example.com<http://beta.shop.example.com/> IN TXT
shop.example.com<http://shop.example.com/> IN TXT
example.com<http://example.com/> IN TXT
_foo.beta.shop.example.com<http://foo.beta.shop.example.com/> IN TXT
_quux-my-world.shop.example.com<http://quux.shop.example.com/> IN TXT
_bar---33.example.com<http://bar.example.com/> IN TXT

You can replace “foo”, “quux-my-world”, and “bar—33” with any other combination of letters, numbers, and “-“ ([a-z0-9-]+ in regex notation).

You can replace TXT with CAA.

Jeremy has proposed also allowing you to replace TXT with CNAME.

Does that help?

Thanks,
Peter


On Nov 17, 2016, at 9:54 AM, Doug Beattie via Validation <validation at cabforum.org<mailto:validation at cabforum.org>> wrote:

I thought that the DNS record content just needed to begin with _ and there were no other requirements, now I’m confused.

Isn’t the DNS record located at an Authorization Domain Name (foo.example.com<http://foo.example.com/> or example.com<http://example.com/>) and the record (TXT or CAA) needs to begin with “_” and it needs to contain a Random Value.  In other words, doesn’t the “_” requirement apply to the value not the location?

Doug

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Rick Andrews via Validation
Sent: Thursday, November 17, 2016 12:39 PM
To: 'validation' <validation at cabforum.org<mailto:validation at cabforum.org>>
Cc: Rick Andrews <Rick_Andrews at symantec.com<mailto:Rick_Andrews at symantec.com>>
Subject: [cabf_validation] Use of underscore in DNS auth

On today’s VWG call, Peter mentioned the language about underscore in DNS auth. Here’s the section:
3.2.2.4.7 DNS Change
Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value
or Request Token in a DNS TXT or CAA record for an Authorization Domain Name or an Authorization
Domain Name that is prefixed with a label that begins with an underscore character.
Upon re-reading this, I see that I did not interpret it properly; it seems to exclude using DNS records for _foo.example.com<http://foo.example.com/> if I’m trying to validate foo.example.com<http://foo.example.com/>. So I can use _validation.foo.example.com<http://validation.foo.example.com/> or _validation.example.com<http://validation.example.com/>. Anyone disagree?
-Rick
_______________________________________________
Validation mailing list
Validation at cabforum.org<mailto:Validation at cabforum.org>
https://cabforum.org/mailman/listinfo/validation


_______________________________________________
Validation mailing list
Validation at cabforum.org<mailto:Validation at cabforum.org>
https://cabforum.org/mailman/listinfo/validation

_______________________________________________
Validation mailing list
Validation at cabforum.org<mailto:Validation at cabforum.org>
https://cabforum.org/mailman/listinfo/validation

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20161117/19e607ce/attachment-0001.html>


More information about the Validation mailing list