Shivan Kaul Sahib <shivankaulsa...@gmail.com> wrote:

> Hi all, Shumon and I have been working on an early draft that surveys
> current DNS domain verification techniques. Depending on how it goes, we
> hope to eventually explore if we can come up with some best practices.

This looks like a useful document!

One thing that's operationally awkward for me is how some providers do
one-time verifications, and others re-validate periodically. I suppose
there is another distinction between static re-validation done by (e.g.)
Google, and dynamic renewal as required by ACME.

Best practice for providers ought to be to document re-validation
requirements very prominently and clearly. (In my experience the common
ones are not too bad but occasionally we have to guess, so maybe a service
stops working for mysterious reasons 30 or 90 days later.)

It's kind of ugly the way static verification records clutter
up the place, but on the other hand it is a useful protection against
subdomain takeover attacks. So I hope that this document will have a good
survey of the security considerations.

Here's an overview of subdomain takeovers
https://www.csoonline.com/article/3601007/how-to-avoid-subdomain-takeover-in-azure-environments.html

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  https://dotat.at/
Southeast Fitzroy: Northerly or northeasterly 5 to 7, occasionally
gale 8 at first. Moderate or rough. Fair. Good.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
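As an added example (not part of Tony's message or of the draft under discussion), the following Python script audits a zone for the two things the message touches on: the provider verification records that accumulate in a zone, and dangling CNAMEs that are subdomain-takeover candidates, reporting whether a verification record still covers each dangling name. The zone contents, the set of names treated as resolvable, and the `_hosting-challenge` label are all constructed placeholders; the regular expression used to recognise verification tokens is a heuristic, not a provider list.

```python
"""Audit a zone's records for provider verification tokens and dangling
CNAMEs (subdomain-takeover candidates).  Added example, not code from the
DNSOP thread; the zone, the resolvable-name set and the _hosting-challenge
label are constructed for illustration."""
import re
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, str]  # (owner, rrtype, rdata); names fully qualified

# Constructed zone for example.com; tokens are placeholders, not real values.
ZONE: List[Record] = [
    ("example.com.", "TXT", "google-site-verification=constructed-token-1"),
    ("example.com.", "TXT", "v=spf1 -all"),
    ("_acme-challenge.example.com.", "TXT", "constructed-acme-token"),
    ("www.example.com.", "A", "192.0.2.10"),
    # Points at a SaaS hostname that no longer exists: takeover candidate.
    ("shop.example.com.", "CNAME", "shop-4711.saas.example.net."),
    # Also dangling, but the provider's verification TXT is still present.
    ("blog.example.com.", "CNAME", "blog.hosting.example.net."),
    ("_hosting-challenge.blog.example.com.", "TXT",
     "hosting-domain-verification=constructed-token-2"),
    ("docs.example.com.", "CNAME", "docs.pages.example.net."),
]

# Stand-in for the resolver: only these CNAME targets currently resolve.
# In a real audit replace this with live lookups (NXDOMAIN => dangling).
RESOLVABLE: Set[str] = {"docs.pages.example.net."}

# Matches "<provider>-site-verification=", "<provider>-domain-verification=", ...
VERIFY_RE = re.compile(r"^[a-z0-9-]*verification=", re.IGNORECASE)


def is_verification(owner: str, rrtype: str, rdata: str) -> bool:
    """Heuristic: ACME challenge labels, or a TXT whose value is a provider token."""
    if rrtype != "TXT":
        return False
    first_label = owner.split(".", 1)[0].lower()
    return first_label == "_acme-challenge" or bool(VERIFY_RE.match(rdata))


def verification_records(zone: List[Record]) -> List[Tuple[str, str]]:
    """Return (owner, rdata) for every record that looks like a verification token."""
    return [(o, r) for o, t, r in zone if is_verification(o, t, r)]


def dangling_cnames(zone: List[Record], resolvable: Set[str]) -> List[Dict[str, object]]:
    """Report CNAMEs whose target does not resolve.

    'verified' is True when a verification record exists at the owner or
    under it (e.g. _acme-challenge.<owner>).  A provider that still enforces
    that token will not serve the name for an attacker who merely re-registers
    the dangling target, so the token is a mitigating signal; whether takeover
    is actually possible still depends on the provider's behaviour.
    """
    verify_owners = [o.lower() for o, _ in verification_records(zone)]
    report: List[Dict[str, object]] = []
    for owner, rrtype, target in zone:
        if rrtype != "CNAME" or target in resolvable:
            continue
        o = owner.lower()
        covered = any(v == o or v.endswith("." + o) for v in verify_owners)
        report.append({"owner": owner, "target": target, "verified": covered})
    return report


if __name__ == "__main__":
    for owner, rdata in verification_records(ZONE):
        print(f"verification  {owner:42} {rdata}")
    for item in dangling_cnames(ZONE, RESOLVABLE):
        risk = "mitigated by verification record" if item["verified"] else "TAKEOVER CANDIDATE"
        print(f"dangling      {item['owner']:42} -> {item['target']}  [{risk}]")
```

Run as written it lists the three verification records, flags shop.example.com as a takeover candidate and reports blog.example.com as mitigated. The same walk over the zone is also where a re-validation audit would start: each verification record found is a record some provider may re-check on its own schedule, and the owner's job is to know which ones are still live before deleting them.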
