Reading this thread and the GitHub issue that spawned it, it is clear that even 
the co-authors of draft-ietf-dnsop-domain-verification-techniques do not agree 
on how to handle persistence of validation, much less agreement among WG 
participants. This may be due to lack of real-world experience with persistent 
validation, even though we have plenty of experience with single shared secret 
validation for one instant.

draft-sheth-identifiers-dns is a good start at thinking about the differences 
between persistent validation and single shared secret validation. It seems 
safe to limit draft-ietf-dnsop-domain-verification-techniques to just the 
latter, and hopefully the WG adopts draft-sheth-identifiers-dns and has more 
discussion about what might become best practices there.

I'm posting here because just last week I thought that 
draft-sheth-identifiers-dns should be part of 
draft-ietf-dnsop-domain-verification-techniques because there was general 
agreement on what were best practices. I was wrong, and the more I thought 
about what I would say were best practices for persistent validation, the more 
I realized that I hadn't thought enough about the operational and security 
considerations.

Given that, I propose that draft-ietf-dnsop-domain-verification-techniques be 
narrowed to only cover the best current practices for shared secret validation, 
and get that published sooner rather than later. I further propose that 
draft-sheth-identifiers-dns be adopted by the WG, on the assumption that it 
starts with the same naming scheme from 
draft-ietf-dnsop-domain-verification-techniques.

--Paul Hoffman

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]