On Wed, 24 Jul 2024, Shumon Huque wrote:
>> The issue is that a wildcard will match every possible owner name.  If you
>> are confident that there is enough entropy in the tokens that no verifier
>> will ever be confused, OK.  But since the token is supposed to be the only
>> thing at the _prefix name, how about saying that if a verifier sees more
>> than one record or a junk record, it gives up rather than trying to guess
>> which is the right one.

> I'm not sure I follow.
>
> A wildcard is a match of last resort. If there is an explicit validation
> record deployed at _foobar.example.com/TXT ...

I'm thinking of someone trying to be clever, domain is parked with a wildcard that has some kind of TXT records and someone else tries to hijack it hoping the record from the wildcard will confuse the verifier.

> On your last point, yes, I think we can say that if a verifier sees multiple validation records, they can abort.

That along with the advice to be sure the token is sufficiently random should do it.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
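As an added illustration (not code from the thread or from any draft), a toy Python verifier that applies the two rules discussed above: fail closed when the _prefix name yields more than one record or a junk record (such as one supplied by a parked-domain wildcard), and issue tokens with enough entropy that a guess cannot confuse a verifier. The zone contents, the names and the `token=` record format are constructed assumptions.

```python
import hmac
import secrets

# Constructed toy zone (assumption, not real data): owner name -> TXT strings.
# "*.example.com" models a parked domain whose wildcard answers every name
# that has no explicit record of its own.
ZONE = {
    "example.com": ["v=spf1 -all"],
    "*.example.com": ["parked by registrar"],
}
PREFIX = "token="  # assumed record format: TXT "token=<random value>"


def issue_token():
    """High-entropy token (256 bits) so a verifier cannot be confused by a guess."""
    return secrets.token_urlsafe(32)


def lookup_txt(zone, name):
    """Simplified resolver: an explicit owner name wins; otherwise a wildcard
    at an ancestor matches as a last resort; otherwise there is no data."""
    if name in zone:
        return list(zone[name])
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return list(zone[wildcard])
    return []


def verify(zone, name, expected):
    """Fail closed: exactly one record, well formed, equal to the token.
    Any extra or junk record (e.g. from a wildcard) aborts verification."""
    records = lookup_txt(zone, name)
    if len(records) != 1 or not records[0].startswith(PREFIX):
        return False
    return hmac.compare_digest(records[0][len(PREFIX):], expected)


def demo():
    """Walk through the three situations from the discussion."""
    zone = dict(ZONE)
    token = issue_token()
    name = "_foobar.example.com"
    results = {"wildcard_only": verify(zone, name, token)}  # wildcard answers: junk
    zone[name] = [PREFIX + token]                            # owner publishes the record
    results["explicit"] = verify(zone, name, token)
    zone[name].append("unrelated text")                      # a second, junk record
    results["junk_added"] = verify(zone, name, token)
    return results
```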
