On Tue, Jul 23, 2024 at 3:56 PM John R Levine <jo...@taugh.com> wrote:

>
> > I don't think this is necessary. Some applications do this today, but
> > I suspect it is to make it easier to identify the application from the
> > sea of verification TXT records at the zone apex. Since the draft
> > recommends application specific validation record "owner names",
> > that seems to be a better place to make this identification.
>
> The issue is that a wildcard will match every possible owner name.  If you
> are confident that there is enough entropy in the tokens that no verifier
> will ever be confused, OK.  But since the token is supposed to be the only
> thing at the _prefix name, how about saying that if a verifier sees more
> than one record or a junk record, it gives up rather than trying to guess
> which is the right one.
>

I'm not sure I follow.

A wildcard is a match of last resort. If there is an explicit validation
record deployed at _foobar.example.com/TXT then a wildcard at
*.example.com/TXT (even if it exists) has no bearing on the query for
the former. So, no extra unrelated validation records will be returned,
and there is nothing to be confused about.

On your last point, yes, I think we can say that if a verifier sees multiple
validation records, they can abort.

> If the token is time limited you might get a new one for the existing
> name but I don't think there should be a case when you'd need to publish
> both new and old.  As soon as you have the new one you install it and
> throw away the old one.
>

I agree with this. The draft already recommends time limited validation
records, and that they should be deleted after verification.

Shumon.
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
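As an added example (not code from the draft or from either participant), a toy zone lookup showing why an explicit _prefix record shadows a wildcard, and a verifier that gives up when the RRset at the _prefix name is ambiguous; the zone contents and the token are constructed.

```python
import hmac
from typing import Dict, List

# Constructed zone data for this example: an explicit validation record at the
# _prefix owner name plus a catch-all wildcard TXT record under the apex.
ZONE: Dict[str, List[str]] = {
    "_foobar.example.com.": ["a1b2c3d4e5f6"],  # constructed token
    "*.example.com.": ["wildcard-junk"],
}


def name_exists(zone: Dict[str, List[str]], name: str) -> bool:
    """True if name is an owner name or an empty non-terminal (has names below it)."""
    return name in zone or any(n.endswith("." + name) for n in zone)


def lookup_txt(zone: Dict[str, List[str]], qname: str) -> List[str]:
    """Return the TXT RRset for qname with simplified RFC 4592 wildcard rules:
    an explicit owner name always wins; a wildcard is synthesised only when
    qname does not exist at all, from '*.' + the closest existing ancestor."""
    if qname in zone:
        return list(zone[qname])
    if name_exists(zone, qname):  # empty non-terminal: NODATA, no wildcard
        return []
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if name_exists(zone, ancestor):  # closest encloser found
            return list(zone.get("*." + ancestor, []))
    return []


def verify(zone: Dict[str, List[str]], label: str, domain: str, expected_token: str) -> bool:
    """Strict verifier: accept only when exactly one TXT record exists at
    _<label>.<domain> and it equals the expected token; any extra or
    unexpected record makes the RRset ambiguous and the check aborts."""
    rrset = lookup_txt(zone, f"_{label}.{domain}.")
    if len(rrset) != 1:
        return False
    return hmac.compare_digest(rrset[0].encode(), expected_token.encode())


if __name__ == "__main__":
    print(verify(ZONE, "foobar", "example.com", "a1b2c3d4e5f6"))  # True
    print(verify(ZONE, "other", "example.com", "a1b2c3d4e5f6"))  # False: only wildcard junk
    stale = {"_foobar.example.com.": ["a1b2c3d4e5f6", "old-token"]}
    print(verify(stale, "foobar", "example.com", "a1b2c3d4e5f6"))  # False: ambiguous RRset
```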