[cabf_validation] Use of underscore in DNS auth

J.C. Jones jjones at mozilla.com
Thu Nov 17 11:06:51 MST 2016


As an example, if you want to validate control of usr.bin.coffee, your
validation procedure could look for the Random Value at one of these record
names:

   - _myca.usr.bin.coffee
   - _super-validation.usr.bin.coffee
   - _acme-challenge.usr.bin.coffee
   - _meta.usr.bin.coffee
   - _z.usr.bin.coffee

The record text you look for would need to somehow include a Random Value.
So the whole record could be:

   _acme-challenge.usr.bin.coffee. 300 IN TXT "gfj9Xq...Rg85nM"

The following *aren't* permitted record names to put the Random Value for
usr.bin.coffee:

   - bin.coffee
   - usr.bin.coffee
   - usr.local.bin.coffee
   - validation.usr.bin.coffee
   - _usr.bin.coffee
   - _validationusr.bin.coffee
   - validation_usr.bin.coffee

On Thu, Nov 17, 2016 at 10:54 AM, Doug Beattie via Validation <validation at cabforum.org> wrote:

> I thought that the DNS record content just needed to begin with _ and
> there were no other requirements, now I’m confused.
>
> Isn’t the DNS record located at an Authorization Domain Name (
> foo.example.com or example.com), and the record (TXT or CAA) needs to
> begin with “_” and it needs to contain a Random Value?  In other words,
> doesn’t the “_” requirement apply to the value, not the location?
>
> Doug
>
> From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Rick Andrews via Validation
> Sent: Thursday, November 17, 2016 12:39 PM
> To: 'validation' <validation at cabforum.org>
> Cc: Rick Andrews <Rick_Andrews at symantec.com>
> Subject: [cabf_validation] Use of underscore in DNS auth
>
> On today’s VWG call, Peter mentioned the language about underscore in DNS
> auth. Here’s the section:
>
> 3.2.2.4.7 DNS Change
>
> Confirming the Applicant's control over the requested FQDN by confirming
> the presence of a Random Value or Request Token in a DNS TXT or CAA record
> for an Authorization Domain Name or an Authorization Domain Name that is
> prefixed with a label that begins with an underscore character.
>
> Upon re-reading this, I see that I did not interpret it properly; it
> seems to exclude using DNS records for _foo.example.com if I’m trying to
> validate foo.example.com. So I can use _validation.foo.example.com or
> _validation.example.com. Anyone disagree?
>
> -Rick
>
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://cabforum.org/mailman/listinfo/validation
>
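The record-name rule as J.C. Jones spells it out in the examples at the top of this message, as an added example (this is not code from the message, from the CA/B Forum, or from any CA). It assumes only the requested FQDN itself is treated as the Authorization Domain Name, so a single underscore-prefixed label must sit directly in front of it; that assumption reproduces every permitted and non-permitted name in the lists above. The record line and Random Value below are constructed for the demo.

```python
"""Where a DNS Change validation record may be placed, and what it must hold.

Assumption (not from the thread): only the requested FQDN counts as the
Authorization Domain Name; parent domains are deliberately not considered.
"""


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.rstrip(".").lower().split(".")


def permitted_record_name(fqdn: str, record_name: str) -> bool:
    """True if record_name is fqdn with exactly one extra leading label
    that begins with an underscore (e.g. _acme-challenge.<fqdn>)."""
    want, have = _labels(fqdn), _labels(record_name)
    if len(have) != len(want) + 1:
        return False  # a bare ADN, a sibling name or a replaced label
    prefix, rest = have[0], have[1:]
    return prefix.startswith("_") and rest == want


def parse_txt_line(line: str) -> tuple[str, str]:
    """Parse a presentation-format TXT record: name [ttl] [class] TXT "text"."""
    name, _, rest = line.partition(" ")
    before, _, quoted = rest.partition('"')
    fields = before.split()
    if not fields or fields[-1].upper() != "TXT":
        raise ValueError("not a TXT record: %r" % line)
    return name, quoted.rstrip('"')


def record_satisfies(fqdn: str, txt_line: str, random_value: str) -> bool:
    """Location rule (underscore-prefixed label on the FQDN) plus content
    rule (the TXT text must include the Random Value issued by the CA)."""
    name, text = parse_txt_line(txt_line)
    return permitted_record_name(fqdn, name) and random_value in text


if __name__ == "__main__":
    # Constructed sample: not a real zone and not a real Random Value.
    RV = "CONSTRUCTED-RANDOM-VALUE-7f3a9c"
    line = '_acme-challenge.usr.bin.coffee. 300 IN TXT "%s"' % RV
    print(record_satisfies("usr.bin.coffee", line, RV))           # True
    print(permitted_record_name("usr.bin.coffee", "_usr.bin.coffee"))  # False
```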