[cabf_validation] Use of underscore in DNS auth

J.C. Jones jjones at mozilla.com
Thu Nov 17 11:11:44 MST 2016


Oh, you're right of course, Peter. The _ prefix label wasn't a requirement.
My apologies.

Let me correct that message:

The following *are* permitted record names to put the Random Value for
usr.bin.coffee:


   - usr.bin.coffee
   - _myca.usr.bin.coffee
   - _super-validation.usr.bin.coffee
   - _acme-challenge.usr.bin.coffee
   - _meta.usr.bin.coffee
   - _z.usr.bin.coffee


The following *aren't* permitted record names to put the Random Value for
usr.bin.coffee:


   - bin.coffee
   - usr.local.bin.coffee
   - validation.usr.bin.coffee
   - _usr.bin.coffee
   - _validationusr.bin.coffee
   - validation_usr.bin.coffee


On Thu, Nov 17, 2016 at 11:01 AM, Peter Bowen via Validation <
validation at cabforum.org> wrote:

> There are a number of options allowed by Ballot 169.  If you want to
> validate control of “beta.shop.example.com”, you can check rrdata
> (“value”) of the following records to confirm the presence of the random
> value:
>
> beta.shop.example.com IN TXT
> shop.example.com IN TXT
> example.com IN TXT
> _foo.beta.shop.example.com IN TXT
> _quux-my-world.shop.example.com IN TXT
> _bar---33.example.com IN TXT
>
> You can replace “foo”, “quux-my-world”, and “bar---33” with any other
> combination of letters, numbers, and “-“ ([a-z0-9-]+ in regex notation).
>
> You can replace TXT with CAA.
>
> Jeremy has proposed also allowing you to replace TXT with CNAME.
>
> Does that help?
>
> Thanks,
> Peter
>
>
> On Nov 17, 2016, at 9:54 AM, Doug Beattie via Validation <
> validation at cabforum.org> wrote:
>
> I thought that the DNS record content just needed to begin with _ and
> there were no other requirements; now I’m confused.
>
> Isn’t the DNS record located at an Authorization Domain Name (
> foo.example.com or example.com) and the record (TXT or CAA) needs to
> begin with “_” and it needs to contain a Random Value.  In other words,
> doesn’t the “_” requirement apply to the value not the location?
>
> Doug
>
> *From:* Validation [mailto:validation-bounces at cabforum.org
> <validation-bounces at cabforum.org>] *On Behalf Of *Rick Andrews via
> Validation
> *Sent:* Thursday, November 17, 2016 12:39 PM
> *To:* 'validation' <validation at cabforum.org>
> *Cc:* Rick Andrews <Rick_Andrews at symantec.com>
> *Subject:* [cabf_validation] Use of underscore in DNS auth
>
>
> On today’s VWG call, Peter mentioned the language about underscore in DNS
> auth. Here’s the section:
>
> 3.2.2.4.7 DNS Change
>
> Confirming the Applicant's control over the requested FQDN by confirming
> the presence of a Random Value
>
> or Request Token in a DNS TXT or CAA record for an Authorization Domain
> Name or an Authorization
>
> Domain Name that is prefixed with a label that begins with an underscore
> character.
>
> Upon re-reading this, I see that I did not interpret it properly; it
> seems to exclude using DNS records for _foo.example.com if I’m trying to
> validate foo.example.com. So I can use _validation.foo.example.com or
> _validation.example.com. Anyone disagree?
>
> -Rick
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://cabforum.org/mailman/listinfo/validation
>
>
>
>
>
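An added example, not code from the thread or from any CA, that encodes the rule the way Peter lays it out above: a record name is an acceptable place for the Random Value if it is an Authorization Domain Name for the FQDN, or such a name prefixed with exactly one label of the form _[a-z0-9-]+. The Base Domain Name is passed in explicitly (an assumption; a real CA derives it from the Public Suffix List), the zone is a constructed in-memory dict standing in for live DNS lookups, and the TXT/CAA rdata formats and the CAA tag "validationtoken" are assumptions, since the thread does not fix them.

```python
import re

# Peter's description of the permitted prefix: "_" followed by [a-z0-9-]+.
# A bare "_" label is therefore rejected here, as his regex rejects it.
UNDERSCORE_LABEL = re.compile(r"_[a-z0-9-]+")


def authorization_domain_names(fqdn, base_domain):
    """The FQDN plus every parent down to and including the Base Domain Name.

    beta.shop.example.com -> ['beta.shop.example.com', 'shop.example.com',
    'example.com'].  base_domain is supplied by the caller (assumption: in
    production it is computed from the Public Suffix List, not hard-coded).
    """
    fqdn = fqdn.rstrip(".").lower()
    base = base_domain.rstrip(".").lower()
    if fqdn != base and not fqdn.endswith("." + base):
        raise ValueError(f"{fqdn} is not beneath base domain {base}")
    labels = fqdn.split(".")
    depth = len(labels) - len(base.split("."))
    return [".".join(labels[i:]) for i in range(depth + 1)]


def is_permitted_record_name(record_name, fqdn, base_domain):
    """True if record_name is an Authorization Domain Name for fqdn, or an
    Authorization Domain Name prefixed with exactly one underscore label."""
    name = record_name.rstrip(".").lower()
    adns = authorization_domain_names(fqdn, base_domain)
    if name in adns:
        return True
    first, dot, rest = name.partition(".")
    # Exactly one extra label, and it must match _[a-z0-9-]+ in full;
    # a second underscore label (_a._b.example.com) fails the 'rest in adns' check.
    return bool(dot) and rest in adns and UNDERSCORE_LABEL.fullmatch(first) is not None


def _caa_value(rdata):
    """Property value of a CAA record written as 'flags tag "value"' (assumed format)."""
    parts = rdata.split(" ", 2)
    return parts[2].strip('"') if len(parts) == 3 else None


def find_random_value(zone, fqdn, base_domain, random_value):
    """Names at which random_value is present in a TXT or CAA record that sits
    at a permitted location for fqdn.  zone maps owner name -> [(rtype, rdata)].
    Records at non-permitted names are ignored even if they carry the value."""
    hits = []
    for name, rrset in zone.items():
        if not is_permitted_record_name(name, fqdn, base_domain):
            continue
        for rtype, rdata in rrset:
            if rtype == "TXT":
                value = rdata            # assumption: TXT rdata is the bare value
            elif rtype == "CAA":
                value = _caa_value(rdata)
            else:
                value = None
            if value == random_value:
                hits.append(name.rstrip(".").lower())
    return hits


# Constructed sample zone for beta.shop.example.com (not from the thread).
RANDOM_VALUE = "8f4a0c2e-constructed-random-value"
SAMPLE_ZONE = {
    "_acme-challenge.beta.shop.example.com.": [("TXT", RANDOM_VALUE)],
    "validation.shop.example.com.": [("TXT", RANDOM_VALUE)],   # no underscore: ignored
    "_foo.www.example.com.": [("TXT", RANDOM_VALUE)],           # www.example.com is not an ADN
    "example.com.": [("CAA", '0 issue "ca.example.net"'),
                     ("CAA", f'0 validationtoken "{RANDOM_VALUE}"')],  # hypothetical tag
}

if __name__ == "__main__":
    for name in ["beta.shop.example.com", "shop.example.com", "example.com",
                 "_foo.beta.shop.example.com", "_quux-my-world.shop.example.com",
                 "_bar---33.example.com", "validation.shop.example.com",
                 "_foo.www.example.com", "_a._b.example.com", "example.org"]:
        ok = is_permitted_record_name(name, "beta.shop.example.com", "example.com")
        print(f"{name:35} {'permitted' if ok else 'NOT permitted'}")
    print(find_random_value(SAMPLE_ZONE, "beta.shop.example.com", "example.com", RANDOM_VALUE))
```

Run it as a script to see Peter's six record names accepted and the counter-examples rejected; find_random_value shows the same rule applied to actual records, where a correct value at validation.shop.example.com or _foo.www.example.com does not count.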