Thanks Tony!

> Best practice for providers ought to be to document re-validation
> requirements very prominently and clearly. (In my experience the common
> ones are not too bad but occasionally we have to guess, so maybe a service
> stops working for mysterious reasons 30 or 90 days later.)
>
Agreed! We currently have some text in section 4.3 <https://www.ietf.org/archive/id/draft-sahib-domain-verification-techniques-02.html#name-time-bound-checking> around time-bound checking but we should add this. I raised an issue <https://github.com/ShivanKaul/draft-sahib-domain-verification-techniques/issues/19>.

> It's kind of ugly the way static verification records clutter
> up the place, but on the other hand it is a useful protection against
> subdomain takeover attacks. So I hope that this document will have a good
> survey of the security considerations.
>
> Here's an overview of subdomain takeovers
>
> https://www.csoonline.com/article/3601007/how-to-avoid-subdomain-takeover-in-azure-environments.html

My understanding of subdomain takeovers is that they happen because of dangling records. Would you mind expanding on this?

> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> https://dotat.at/
> Southeast Fitzroy: Northerly or northeasterly 5 to 7, occasionally
> gale 8 at first. Moderate or rough. Fair. Good.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop