[cabf_validation] Use of underscore in DNS auth

Rick Andrews Rick_Andrews at symantec.com
Thu Nov 17 12:54:48 MST 2016


Thanks, J.C. and Peter. It’s very clear to me now.

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Peter Bowen via Validation
Sent: Thursday, November 17, 2016 11:52 AM
To: Doug Beattie <doug.beattie at globalsign.com>
Cc: Peter Bowen <pzb at amzn.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] Use of underscore in DNS auth

Doug,

The underscore is part of the validation rule:

Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value or Request Token in a DNS TXT or CAA record for an Authorization Domain Name or an Authorization Domain Name that is prefixed with a label that begins with an underscore character.

The CA is allowed to use either of:

- an Authorization Domain Name or
- an Authorization Domain Name that is prefixed with a label that begins with an underscore character

An Authorization Domain Name will never have _, but the prefixed option will.

Thanks,

Peter

On Nov 17, 2016, at 11:26 AM, Doug Beattie <doug.beattie at globalsign.com> wrote:

Peter,

I don’t think you’re allowed to add anything to the FQDN – doesn’t the DNS location need to be an Authorization Domain Name? If that’s the case, then you’d never see a “_” entry. I’m probably missing some DNS tidbit, please educate me…

The following are permitted record names to put the Random Value for usr.bin.coffee:

• usr.bin.coffee
• bin.coffee

Nothing else is an Authorization Domain Name.

Doug

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Peter Bowen via Validation
Sent: Thursday, November 17, 2016 1:55 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Peter Bowen <pzb at amzn.com>
Subject: Re: [cabf_validation] Use of underscore in DNS auth

* bin.coffee

That is acceptable.

* _usr.bin.coffee

So is this, because it is _<something>.bin.coffee. _super-validation.bin.coffee is also acceptable.

On Nov 17, 2016, at 10:11 AM, J.C. Jones via Validation <validation at cabforum.org> wrote:

Oh, you're right of course, Peter. The _ prefix label wasn't a requirement. My apologies.

Let me correct that message:

The following are permitted record names to put the Random Value for usr.bin.coffee:

* usr.bin.coffee
* _myca.usr.bin.coffee
* _super-validation.usr.bin.coffee
* _acme-challenge.usr.bin.coffee
* _meta.usr.bin.coffee
* _z.usr.bin.coffee

The following aren't permitted record names to put the Random Value for usr.bin.coffee:

* usr.local.bin.coffee
* validation.usr.bin.coffee
* _usr.bin.coffee
* _validationusr.bin.coffee
* validation_usr.bin.coffee

On Thu, Nov 17, 2016 at 11:01 AM, Peter Bowen via Validation <validation at cabforum.org> wrote:

There are a number of options allowed by Ballot 169. If you want to validate control of “beta.shop.example.com”, you can check rrdata (“value”) of the following records to confirm the presence of the random value:

beta.shop.example.com IN TXT
shop.example.com IN TXT
example.com IN TXT
_foo.beta.shop.example.com IN TXT
_quux-my-world.shop.example.com IN TXT
_bar---33.example.com IN TXT

You can replace “foo”, “quux-my-world”, and “bar---33” with any other combination of letters, numbers, and “-” ([a-z0-9-]+ in regex notation).

You can replace TXT with CAA.

Jeremy has proposed also allowing you to replace TXT with CNAME.

Does that help?

Thanks,

Peter

On Nov 17, 2016, at 9:54 AM, Doug Beattie via Validation <validation at cabforum.org> wrote:

I thought that the DNS record content just needed to begin with _ and there were no other requirements; now I’m confused.

Isn’t the DNS record located at an Authorization Domain Name (foo.example.com or example.com) and the record (TXT or CAA) needs to begin with “_” and it needs to contain a Random Value? In other words, doesn’t the “_” requirement apply to the value not the location?

Doug

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Rick Andrews via Validation
Sent: Thursday, November 17, 2016 12:39 PM
To: 'validation' <validation at cabforum.org>
Cc: Rick Andrews <Rick_Andrews at symantec.com>
Subject: [cabf_validation] Use of underscore in DNS auth

On today’s VWG call, Peter mentioned the language about underscore in DNS auth. Here’s the section:

3.2.2.4.7 DNS Change

Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value or Request Token in a DNS TXT or CAA record for an Authorization Domain Name or an Authorization Domain Name that is prefixed with a label that begins with an underscore character.

Upon re-reading this, I see that I did not interpret it properly; it seems to exclude using DNS records for _foo.example.com if I’m trying to validate foo.example.com. So I can use _validation.foo.example.com or _validation.example.com. Anyone disagree?

-Rick
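The rule as Peter states it in this thread, applied to the thread's own record names, as an added Python check (not code from the thread or from any CA): it derives the Authorization Domain Names for an FQDN (the FQDN and each parent down to the base domain) and accepts a record name only if it is one of those, or one of those with a single leading label matching Peter's `_[a-z0-9-]+`. The public suffix set is a constructed stand-in for a Public Suffix List lookup. Note that on this reading _usr.bin.coffee is permitted, as Peter says, and so is _validationusr.bin.coffee, although J.C.'s first list placed both under not permitted.

```python
import re

# Constructed stand-in for a Public Suffix List lookup (an assumption of this example).
PUBLIC_SUFFIXES = {"com", "coffee"}

# Peter's constraint on the prefix label: an underscore then [a-z0-9-]+.
PREFIX_LABEL = re.compile(r"^_[a-z0-9-]+$")


def authorization_domain_names(fqdn):
    """The FQDN plus each parent domain down to the base domain (public suffix + 1),
    e.g. beta.shop.example.com -> [beta.shop.example.com, shop.example.com, example.com]."""
    labels = fqdn.lower().rstrip(".").split(".")
    adns = []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            break  # never prune into the public suffix itself
        adns.append(candidate)
    return adns


def is_permitted_record_name(fqdn, record_name):
    """True if 3.2.2.4.7 allows the Random Value for fqdn at record_name: an
    Authorization Domain Name, or one prefixed with exactly one label that
    begins with an underscore (_foo.<ADN>). Nothing else qualifies."""
    record_name = record_name.lower().rstrip(".")  # DNS names are case-insensitive
    adns = authorization_domain_names(fqdn)
    if record_name in adns:
        return True
    first, _, rest = record_name.partition(".")
    # One extra label, and it must be the underscore-prefixed kind, so
    # validation.usr.bin.coffee and validation_usr.bin.coffee both fail here.
    return bool(PREFIX_LABEL.match(first)) and rest in adns


def classify(fqdn, record_names):
    """Split candidate record names into (permitted, not_permitted) lists."""
    permitted = [n for n in record_names if is_permitted_record_name(fqdn, n)]
    return permitted, [n for n in record_names if n not in permitted]


if __name__ == "__main__":
    # J.C.'s two lists for usr.bin.coffee, run through the rule as Peter states it.
    names = ["usr.bin.coffee", "_myca.usr.bin.coffee", "_z.usr.bin.coffee",
             "usr.local.bin.coffee", "validation.usr.bin.coffee", "_usr.bin.coffee",
             "_validationusr.bin.coffee", "validation_usr.bin.coffee"]
    ok, bad = classify("usr.bin.coffee", names)
    print("permitted:", ok, "\nnot permitted:", bad)
```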

_______________________________________________
Validation mailing list
Validation at cabforum.org
https://cabforum.org/mailman/listinfo/validation