[cabf_validation] Use of underscore in DNS auth

Peter Bowen pzb at amzn.com
Thu Nov 17 12:51:47 MST 2016


Doug,

The underscore is part of the validation rule:

Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value or Request Token in a DNS TXT or CAA record for an Authorization Domain Name or an Authorization Domain Name that is prefixed with a label that begins with an underscore character.

The CA is allowed to use either of:
- an Authorization Domain Name or
- an Authorization Domain Name that is prefixed with a label that begins with an underscore character

An Authorization Domain Name will never have _, but the prefixed option will.

Thanks,
Peter



> On Nov 17, 2016, at 11:26 AM, Doug Beattie <doug.beattie at globalsign.com> wrote:
> 
> Peter,
>  
> I don’t think you’re allowed to add anything to the FQDN – doesn’t the DNS location need to be an Authorization Domain Name?  If that’s the case, then you’d never see a “_” entry.  I’m probably missing some DNS tidbit, please educate me…
>  
> The following are permitted record names to put the Random Value for usr.bin.coffee:
> • usr.bin.coffee
> • bin.coffee
> Nothing else is an Authorization Domain Name
>  
> Doug
> From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Peter Bowen via Validation
> Sent: Thursday, November 17, 2016 1:55 PM
> To: CA/Browser Forum Validation WG List <validation at cabforum.org>
> Cc: Peter Bowen <pzb at amzn.com>
> Subject: Re: [cabf_validation] Use of underscore in DNS auth
>  
>  
> bin.coffee
>  
> That is acceptable.  
>  
> _usr.bin.coffee
>  
> So is this, because it is _<something>.bin.coffee.  _super-validation.bin.coffee is also acceptable.
>  
> On Nov 17, 2016, at 10:11 AM, J.C. Jones via Validation <validation at cabforum.org> wrote:
>  
> Oh, you're right of course, Peter. The _ prefix label wasn't a requirement. My apologies.
> 
> Let me correct that message:
> 
> The following are permitted record names to put the Random Value for usr.bin.coffee:
> 
> usr.bin.coffee
> _myca.usr.bin.coffee
> _super-validation.usr.bin.coffee
> _acme-challenge.usr.bin.coffee
> _meta.usr.bin.coffee
> _z.usr.bin.coffee
> 
> The following aren't permitted record names to put the Random Value for usr.bin.coffee:
> 
> usr.local.bin.coffee
> validation.usr.bin.coffee
> _usr.bin.coffee
> _validationusr.bin.coffee
> validation_usr.bin.coffee
>  
> On Thu, Nov 17, 2016 at 11:01 AM, Peter Bowen via Validation <validation at cabforum.org> wrote:
> There are a number of options allowed by Ballot 169.  If you want to validate control of “beta.shop.example.com”, you can check rrdata (“value”) of the following records to confirm the presence of the random value:
>  
> beta.shop.example.com IN TXT
> shop.example.com IN TXT
> example.com IN TXT
> _foo.beta.shop.example.com IN TXT
> _quux-my-world.shop.example.com IN TXT
> _bar---33.example.com IN TXT
>  
> You can replace “foo”, “quux-my-world”, and “bar---33” with any other combination of letters, numbers, and “-” ([a-z0-9-]+ in regex notation).
>  
> You can replace TXT with CAA.
>  
> Jeremy has proposed also allowing you to replace TXT with CNAME.
>  
> Does that help?
>  
> Thanks,
> Peter
>  
>  
> On Nov 17, 2016, at 9:54 AM, Doug Beattie via Validation <validation at cabforum.org> wrote:
>  
> I thought that the DNS record content just needed to begin with _ and there were no other requirements, now I’m confused.
>  
> Isn’t the DNS record located at an Authorization Domain Name (foo.example.com or example.com) and the record (TXT or CAA) needs to begin with “_” and it needs to contain a Random Value?  In other words, doesn’t the “_” requirement apply to the value not the location?
>  
> Doug
> From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Rick Andrews via Validation
> Sent: Thursday, November 17, 2016 12:39 PM
> To: 'validation' <validation at cabforum.org>
> Cc: Rick Andrews <Rick_Andrews at symantec.com>
> Subject: [cabf_validation] Use of underscore in DNS auth
>  
> On today’s VWG call, Peter mentioned the language about underscore in DNS auth. Here’s the section:
> 3.2.2.4.7 DNS Change
> Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value
> or Request Token in a DNS TXT or CAA record for an Authorization Domain Name or an Authorization
> Domain Name that is prefixed with a label that begins with an underscore character.
> Upon re-reading this, I see that I did not interpret it properly; it seems to exclude using DNS records for _foo.example.com if I’m trying to validate foo.example.com. So I can use _validation.foo.example.com or _validation.example.com. Anyone disagree?
> -Rick
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://cabforum.org/mailman/listinfo/validation
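The permitted-location rule the thread converges on, written as a checker; this is an added example, not code from the thread or from the CA/Browser Forum. It assumes the caller supplies the registrable base domain (so the Authorization Domain Names are the FQDN and each parent down to that base; public-suffix lookup is out of scope) and that the prefix label follows Peter's `_[a-z0-9-]+` pattern.

```python
import re

# Prefix label a CA may put in front of an Authorization Domain Name, per
# Peter Bowen's description in this thread: "_" followed by [a-z0-9-]+.
UNDERSCORE_LABEL = re.compile(r"^_[a-z0-9-]+$")


def authorization_domain_names(fqdn, base_domain):
    """Return the Authorization Domain Names for `fqdn`: the FQDN itself and
    every parent domain, stopping at `base_domain`.

    Assumption: `base_domain` is the registrable domain (e.g. example.com);
    determining it via the public suffix list is left to the caller."""
    fqdn = fqdn.rstrip(".").lower()
    base_domain = base_domain.rstrip(".").lower()
    if fqdn != base_domain and not fqdn.endswith("." + base_domain):
        raise ValueError(f"{fqdn} is not under {base_domain}")
    labels = fqdn.split(".")
    base_len = len(base_domain.split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - base_len + 1)]


def is_permitted_record_name(record_name, fqdn, base_domain):
    """True if BR 3.2.2.4.7 (as read in this thread) allows the Random Value
    or Request Token for `fqdn` to be placed in a TXT/CAA record at
    `record_name`: either an Authorization Domain Name itself, or one
    Authorization Domain Name prefixed with a single label beginning with
    an underscore."""
    record_name = record_name.rstrip(".").lower()
    adns = authorization_domain_names(fqdn, base_domain)
    if record_name in adns:
        return True  # bare Authorization Domain Name
    first, sep, rest = record_name.partition(".")
    # Exactly one extra label, and it must start with "_"; anything else in
    # front of an ADN (e.g. validation.usr.bin.coffee) is rejected.
    return bool(sep) and rest in adns and UNDERSCORE_LABEL.match(first) is not None


if __name__ == "__main__":
    # Constructed candidates for usr.bin.coffee, drawn from the thread.
    for name in ["usr.bin.coffee", "_acme-challenge.usr.bin.coffee",
                 "_usr.bin.coffee", "validation.usr.bin.coffee",
                 "usr.local.bin.coffee", "validation_usr.bin.coffee"]:
        verdict = is_permitted_record_name(name, "usr.bin.coffee", "bin.coffee")
        print(f"{name:35} {'permitted' if verdict else 'not permitted'}")
```

Note that `_usr.bin.coffee` comes out as permitted, matching Peter's reply rather than J.C. Jones's initial list, because it is `_<something>` prefixed to the Authorization Domain Name `bin.coffee`.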