[DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)

Thu, 29 May 2025 11:14:46 -0700 

It appears that Paul Hoffman  <[email protected]> said:
>>> A persistent record is not a DCV mechanism because it no longer meets the 
>>> security model in the draft. ...

>> I would just document the fact that the threat model is different and move 
>> on.  I realize that
>> in principle an on-path attacker has more opportunity to return fake 
>> results, but it is my
>> impression that situations with malicious fake results, and particularly 
>> fake results that
>> wouldn't be apparent immediately, are quite rare.
>
>If the WG goes with "they are rare", then there is no need for the random 
>number, which would be a hard sell to the security community. I still think it 
>is better
>to have this document have the well-understood security model for initial 
>verification (and state it better), and a different draft for persistence with 
>a
>different security model (that is stated at all, since it is not in the 
>current draft). We have lots of use cases for the former, but few 
>commonly-seen ones for
>the latter.

When I look at the TXT records on any large organization's DNS apex, I find it 
hard to believe
that all of those records are just one time DCV that they forgot to remove.

R's,
John

PS: Don't miss the base64 JSON records in Apple's DNS.

$ host -t txt apple.com
apple.com descriptive text 
"google-site-verification=8M6XjQCzydT62jk8HY3VXPAG-nKDllTRV-JpA3-Ktyw"
apple.com descriptive text 
"google-site-verification=L5kkMdiFI8npvb6KlHui84fJaCw5G64DWhaDRIAT4_c"
apple.com descriptive text 
"google-site-verification=zBSq1mG5ssu2If-C17UAz_MzSZDcx03MVxmeDwMNc5w"
apple.com descriptive text 
"Dynatrace-site-verification=7d881a7c-c13f-4146-9d27-2731459e2509__iqls0105tagglcsaul0m16ibrf"
apple.com descriptive text 
"cisco-ci-domain-verification=6f3bfb849796a518061f8e8c4356f687a138502d86db742791685059176547dd"
apple.com descriptive text 
"atlassian-domain-verification=mLabq99iaT8kquJechF6l31FAYoNUe3WB7tLpLFUiUYVJCse9SKq83hOJzFkwqrh"
apple.com descriptive text 
"json:eyJ3aHkiOiJUaGlzIGlzIHRvIHRydW5jYXRlIFVEUCByZXNwb25zZXMgZm9yIFRYVCBxdWVyaWVzIHRvIGFwcGxlLmNvbSIsInBhZGRpbmciOiJpZW4wYWVHaGF0aG9oNmhhaHZpZWphaTNlYXkwYWh2YWhjaGFocXVhZWxlZTBZdWw0cGhpZXRoMHNvNXZpZXllZWNvaDRpZThzaGVlcGllVDNwYWVjaGVpVjZqb2h3aWVwaG82In0K"
apple.com descriptive text 
"json:eyJ3aHkiOiJUaGlzIGlzIHRvIHRydW5jYXRlIFVEUCByZXNwb25zZXMgZm9yIFRYVCBxdWVyaWVzIHRvIGFwcGxlLmNvbSIsInBhZGRpbmciOiJxdWFoMGVpamFhNGVlajh0aWVkYWlnaG9jZWljaGFlOGVUb3ppZTVmdTVhaFRoMldlaU00aWsyaHVxdThpZXBoaWVxdW9oc2hlaXBhZWdoOUthZWw3b2NoaWVuZ2llem9lc2g1In0K"
apple.com descriptive text "77a4a6de-da14-449c-83c4-85366e0f55f9"
apple.com descriptive text "apple-domain-verification=X5Jt76bn3Dnmgzjj"
apple.com descriptive text 
"cerner-client-id=22dd1d8a-5e8b-4e1e-80ef-39bcdfd42798"
apple.com descriptive text 
"cerner-client-id=ce3abf18-ee87-43b9-9927-9eb24b4bac4a"
apple.com descriptive text 
"ValidationTokenValue=77a4a6de-da14-449c-83c4-85366e0f55f9"
apple.com descriptive text 
"miro-verification=2494d255c4c50b1e521650a0659cbf3fa08b0072"
apple.com descriptive text 
"facebook-domain-verification=n6cqjfucq6plswmtfbwnbbeu1qiq3v"
apple.com descriptive text "v=spf1 include:_spf.apple.com 
include:_spf-txn.apple.com ~all"
apple.com descriptive text 
"adobe-idp-site-verification=6bd5e74c-a3a0-4781-b2e1-e95399b5e11c"
apple.com descriptive text 
"webexdomainverification.8C462=b728ec3f-dfc9-42f9-92cb-9ba8853cbee8"
apple.com descriptive text 
"yahoo-verification-key=Ay+djyw0qWQgXKWGA/jstjYryTMrKb+PBXI5l8u5/jw="

$ host -t txt nvidia.com
nvidia.com descriptive text 
"onetrust-domain-verification=a82a3dc15f9f4b5ba1ebebc75ee8880d"
nvidia.com descriptive text 
"facebook-domain-verification=8xnj9c1jc5elzjmp75cud9ty4ddqe1"
nvidia.com descriptive text 
"google-site-verification=Bgm4VneS70f1CGZKg-D3tGoEQYxxHm56CH1v8frb1OA"
nvidia.com descriptive text 
"atlassian-domain-verification=TkpNmmgTUPTLgab1/pTD1DQIwSM2wKR38idvHtF1/yzRlc7ajVBMnJ1PSdIwPYH+"
nvidia.com descriptive text 
"MagCfj2QvpMlValiiUpfiQk20jX6TQiVe2kRGvpC9oO5ndpTc5Lg2Rp4EPVYKjvIb/8f4U5tRMD8uqIuaYRh8g=="
nvidia.com descriptive text 
"webexdomainverification.4faf3ee01037479be053ad06fc0aecb4=d1b282f3-54e0-4575-9fac-cfd9a87b4d3b"
nvidia.com descriptive text 
"docker-verification=c9680cb5-881b-4f8b-a803-42a918cdcf57"
nvidia.com descriptive text "v=spf1 
include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
nvidia.com descriptive text 
"stripe-verification=87E8E0C1E618E41698A141FFBEF22C7F77D5AC285CD7404907CFB4D131F7BFFF"
nvidia.com descriptive text "4mq1tkhh4a1ah00o7fpl6l9e0g"
nvidia.com descriptive text 
"slack-domain-verification=JdqDQf1IlTnyYj3bjoNb5vAAQNY43wTMTka9JV6L"
nvidia.com descriptive text "docusign=a95fd649-319d-4f9d-b832-6925ebd520fd"
nvidia.com descriptive text "1pq0y02mf1v1m7k3lr86vyxmy4y2c68b"
nvidia.com descriptive text 
"openai-domain-verification=dv-NvYhgg87YsmEx1yhbZSJrBhQ"
nvidia.com descriptive text "ZOOM_verify_8gBBD3UzStWKA3mt6lwsTA"
nvidia.com descriptive text "b47c0mpmnsxbg005dw6b5jpft3smyxc0"
nvidia.com descriptive text "MS=ms46230291"
nvidia.com descriptive text 
"wrike-verification=MzkwOTExMDpiYjg3NmMwYTY1MjhjODk1NWY1MzZiZDQxMDljOGU5ZjMyYTIzYjNlZmYyNGQ4ZDViY2FlYjdhODkzNjMwMzBm"
nvidia.com descriptive text "mtdg5mrgrnvpqfxgzd0cyl6281w2qd83"
nvidia.com descriptive text 
"stripe-verification=99D9E45F72AD5546982F73E692E6BF04557C64DAB69C66E6200EE7B88D8BFF58"
nvidia.com descriptive text 
"xr3$HxkR2hjQBd6n8xLZeKkT2Weed2I&5t3srsv6yXqgeoGxwB#tZXM#e8JPGTJor^H#e1zRQO8@7fZmWeFrlhDhe4v01Ij%^c7"
nvidia.com descriptive text "kp6v5hv1mb3vfdljx9tgwd4l937vd14y"
nvidia.com descriptive text "jxp4dypdbq8k2qfh3csbxqk3mhtt3bc2"
nvidia.com descriptive text 
"amazonses:tiDUkAUORs6LGjJXT0/6lf7qhM1Z/k+5ax6kvycH0KU="
nvidia.com descriptive text "705HTG3G6VA7V2IN61PSCVLMDC"
nvidia.com descriptive text 
"google-site-verification=2-satGFR6KHGOFKHt9pAAhY4xpgq1pmusepMak2uuFw"
nvidia.com descriptive text 
"ciscocidomainverification=5fdcd1977e45fc341a83e8f8c0149146995952cd51fb04a9d1b950717f6e5647"
nvidia.com descriptive text 
"duo_sso_verification=TzxwSiyiqBThbUymIdN9VVIm6xPyKGCFQZZX6Gt8DBsSqPlhDgAz8H4maEwMKEZo"
nvidia.com descriptive text 
"onetrust-domain-verification=94a8e142562349faa2ba5529c6cbdc30"
nvidia.com descriptive text "sonatype-verification=OSSRH-58518"
nvidia.com descriptive text "bua5v23vah91dl7u8q18uqeqi2"
nvidia.com descriptive text 
"teamviewer-sso-verification=2b7c86a77be24f7b8573b688a8e22e12"
nvidia.com descriptive text "37e5g68gjeqgjjc64hlihvgiim"
nvidia.com descriptive text "yandex-verification:" "050a0e32621f5209"
nvidia.com descriptive text 
"smartsheet-site-validation=GesD_luIWHnX8PgyzkdwkP4zgJbEnWFG"
nvidia.com descriptive text 
"amazonses:SJniAvY8SFy0o9cZGRDXV8eDcQ5oyo+QNtLHM37omUY="
nvidia.com descriptive text "2bv8cxn82sdc4jf5k46r4yjymyq99kx5"
nvidia.com descriptive text "apple-domain-verification=BVP359YB3NqbMfZN"
nvidia.com descriptive text "xz3kx787d2v3sybkp648jh2xpb41w7ss"
nvidia.com descriptive text 
"mailigen-site-verification=58788cc4908d5697c6ea4801a7fea3f6"
nvidia.com descriptive text "6pz5xms6zpn4mngxrgm8xj6v2btwff06"
nvidia.com descriptive text 
"wrike-verification=MzQ5MDMzNjoxNGE4MDkxMDAyYzEyNGU5YWQxNGVhYWI4ZjkzNzhhMmIwZWY4MzViYWVkZTZjZjk3YjhhYWYxNTgzYTc0ZWVl"
nvidia.com descriptive text "ek0aq24s0hi15hq4tqtkqjj1aj"
nvidia.com descriptive text "_xcqf40cqfhy8igzqdkbjdyb4nys65u9"
nvidia.com descriptive text "docusign=96779a1c-034b-4e45-b43d-d542d10e71ec"
nvidia.com descriptive text 
"airtable-verification=d6d9ca2bacc2c108daad98a586ea9ae7"
nvidia.com descriptive text "mn7s1rhpyt62qychj30kwqglk6m0xbf7"
nvidia.com descriptive text "rbdnz94w8kspd08l35ddj10s25lzfsn3"
nvidia.com descriptive text "gkr1fe2hai0i5lpj2jqmatdp4t"
nvidia.com descriptive text "cxqdvl1xsmlvpwd2xd11mbp6tk4b2fn9"
nvidia.com descriptive text 
"aliyun-site-verification=47b62ce6-8506-41f0-bb2f-07b3a645d506"
nvidia.com descriptive text 
"apple-domain-verification=AB3LxniJsUaLUcY5HvdpX1R8DTt0wK00TTlz9bLWYqA"
nvidia.com descriptive text "596hdfxvpnrhgnb5h0rd9jmpy5dgnmxm"
nvidia.com descriptive text 
"mongodb-site-verification=ROIaNgdagjgVhIzbnNJrLtHAQerIZZ7G"
nvidia.com descriptive text "7iv8kqoklj3k99ad2hm1i3rp5u"
nvidia.com descriptive text "8cm9gxpghxsp9574p1nz7qyvfnsp7j8p"
nvidia.com descriptive text 
"perplexity-ai-domain-verification-q7nwx7=rsQck5ZDngPVcnFaBeEOnq8yy"
nvidia.com descriptive text 
"webexdomainverification.4C675B8BC9F4B136E053AB06FC0A3F65=7bca8485-5ef5-41d8-9095-9faeb8267f22"
nvidia.com descriptive text 
"webexdomainverification.JUIU=a2070f62-2329-43d5-a745-0506cd1e0be8"
nvidia.com descriptive text "lptj19vv8ny9w6g7x730jr81fwjj5js1"

$ host -t txt stanford.edu
stanford.edu descriptive text "e2ma-verification=nw5fb"
stanford.edu descriptive text 
"airtable-verification=0a746053a028476f6d1671cbc9016585"
stanford.edu descriptive text "e2ma-verification=7uqeb"
stanford.edu descriptive text 
"atlassian-domain-verification=C9ho3V/RWWifTCqh8sF3L0PI7jVZWAL9dCxVL1gzJvr6SYJCKBQ8nCX38z50vRQ6"
stanford.edu descriptive text "brevo-code:09357c2630559d902817770f34dbf0b1"
stanford.edu descriptive text 
"stripe-verification=984c5a4eb98ae34bbaf60c12403c1d8889d4ad02b2dc672232a89b21f905bc20"
stanford.edu descriptive text "e2ma-verification=dy8eb"
stanford.edu descriptive text 
"wiz-domain-verification=2957e22f41cc73b19d44177ecf39bd1a1926a1e6362011b8f83e65aab5d6ef1a"
stanford.edu descriptive text 
"google-site-verification=p4uNfSaD7rr13xbA1Q1yW6I0DckXOv1ujjc0FQGjGEM"
stanford.edu descriptive text "e2ma-verification=98lgb"
stanford.edu descriptive text 
"google-site-verification=kyvps-t3mjXwz5HBQa7oO40qvObbV8z_B1IoySwe-GY"
stanford.edu descriptive text 
"bwZknJMLNV1XuaJAyUmKlAFrdZo+p5yDlTNACmDUWhgtyihfJc8oWMnK7hWLreN+ozU3mX91yHHzZx0adJPPPg=="
stanford.edu descriptive text 
"google-site-verification=C6QZVcR4K-mSTqLE_9uVC7twZdys_BRJLLVFwgGIG3E"
stanford.edu descriptive text 
"onetrust-domain-verification=1e6b4a2989b7412499dca24f8188396b"
stanford.edu descriptive text "SFMC-6lLIlwvbCaTM80Tq1R1zsnKi9CqM3R6ZPPvoE6sK"
stanford.edu descriptive text "e2ma-verification=6uqeb"
stanford.edu descriptive text 
"airtable-verification=94cdd68161a8e41e92cc5dd7abde8eae"
stanford.edu descriptive text "e2ma-verification=5g5eb"
stanford.edu descriptive text "e2ma-verification=b00eb"
stanford.edu descriptive text 
"detectify-verification=bc8e96f8fbf64ced057d0f44eff83381"
stanford.edu descriptive text 
"autodesk-domain-verification=pXMpLf7JP-86kN9Zt5jI"
stanford.edu descriptive text "e2ma-verification=k4dgb"
stanford.edu descriptive text 
"google-site-verification=bamHrkKBqpOQ8ouXQe0uFSuvVUFTB_TLju7gSCNq_Qw"
stanford.edu descriptive text "e2ma-verification=avqab"
stanford.edu descriptive text 
"amazonses:7IodrIPH40wdjQxliaAOOqSX8rn4q7lSiSvuFZPwUnY="
stanford.edu descriptive text 
"google-site-verification=zwyVSZ2CSXXUndqTu5itEDFvp58bOFVBPAbtrIondBU"
stanford.edu descriptive text "e2ma-verification=8z0eb"
stanford.edu descriptive text "e2ma-verification=a00eb"
stanford.edu descriptive text "e2ma-verification=diffb"
stanford.edu descriptive text "e2ma-verification=4g5eb"
stanford.edu descriptive text 
"adobe-idp-site-verification=4c872117a60d5c3b7d132914730b3f3e2189c67a217450a2f3bc18a683a98f78"
stanford.edu descriptive text 
"onetrust-domain-verification=2983144927f6450ea12b5557b2080dae"
stanford.edu descriptive text "e2ma-verification=gu1ab"
stanford.edu descriptive text 
"pardot884873=1b7cebffc22a290049b6710c0620e741a3f4d3a720196287a95816f9afaa7695"
stanford.edu descriptive text 
"mgverify=c7c142ba8b95199619ad561a75f165ad285c322b3892f9621c083b0293fd0da0"
stanford.edu descriptive text "e2ma-verification=vnjbb"
stanford.edu descriptive text 
"htBOpqv5il135Xfa09GRiVHY09Xb9qXNj6o5lAfj8gNoBvyyGu5rSb4gvSj9lCUwY1NF0+wL2BO1ZDIcGIpADQ=="
stanford.edu descriptive text "e2ma-verification=w4lgb"
stanford.edu descriptive text "e2ma-verification=nbxfb-remove"
stanford.edu descriptive text "e2ma-verification=7x8eb"
stanford.edu descriptive text "jamf-site-verification=YL4ixnZvLipoTrfg2RUwsg"
stanford.edu descriptive text "e2ma-verification=4x8eb"
stanford.edu descriptive text "e2ma-verification=cvnbb"
stanford.edu descriptive text 
"airtable-verification=b8f5e3c2468d582f896b4a8f0839dd8a"
stanford.edu descriptive text "e2ma-verification=d1ueb"
stanford.edu descriptive text "e2ma-verification=q57fb"
stanford.edu descriptive text "blitz=mu-0e24b17b-23dce65a-c0b14b75-e742cd66"
stanford.edu descriptive text "e2ma-verification=7z0eb"
stanford.edu descriptive text 
"google-site-verification=n-cl_O68vbC-_UmufTZMmLLQb9wKnuUo-4FPom4m3iA"
stanford.edu descriptive text "Sendinblue-code:bde1f306529e82fd2ccf9857fc09aa98"
stanford.edu descriptive text "e2ma-verification=nbxfb"
stanford.edu descriptive text "e2ma-verification=4pjbb"
stanford.edu descriptive text 
"airtable-verification=13ac52fb202035dbad35b0ab24e598b4"
stanford.edu descriptive text 
"sending_domain1097582=7dcf00de01f5fc8307de59194e0a8b462cbfa2b5e32d35bfc9e5269b93dca7a6"
stanford.edu descriptive text 
"google-site-verification=1HuKdQQTxv1R8v4dxihLzji-mH23d2KchIeaxsljN6Q"
stanford.edu descriptive text "e2ma-verification=m0ggb"
stanford.edu descriptive text "v=spf1 ip4:171.67.219.64/27 ip4:171.67.224.0/28 
ip4:171.67.43.137 ip4:171.67.43.138 ip4:171.67.43.139 ip4:171.67.43.140 
ip4:171.67.43.141  " "include:_spf.google.com include:_spf.qualtrics.com 
include:icpbounce.com include:spf.protection.outlook.com ip4:1" "48.163.149.245 
ip4:148.163.153.235  ip4:148.163.135.119 ip4:148.163.139.119 ip4:67.231.149.169 
ip4:67.231.157.125 ip4:67.231.152.67 ip4:208.84.65.155 ?all"
stanford.edu descriptive text "e2ma-verification=v4lgb"
stanford.edu descriptive text "e2ma-verification=ey8eb"
stanford.edu descriptive text 
"airtable-verification=7cdd67720483f4801fc65d998968476e"
stanford.edu descriptive text "e2ma-verification=fq1fb-remove"
stanford.edu descriptive text "e2ma-verification=8uqeb"
stanford.edu descriptive text "e2ma-verification=n4agb"
stanford.edu descriptive text "e2ma-verification=vaogb"
stanford.edu descriptive text "e2ma-verification=c00eb"
stanford.edu descriptive text 
"pardot604641=4bbe27c356474886816017d9b5aea8f21f2d3c3b651096960379a441342c51fb"
stanford.edu descriptive text "e2ma-verification=fq1fb"
stanford.edu descriptive text 
"notion-domain-verification=zGjaM9fWZoGRyOnvaxST0hfeCzfxvxzJnKMTN69sYJw"
stanford.edu descriptive text 
"h1-domain-verification=aV4vQvSRHvQxGhvdz29L2ozsKDTReL7qKDgdjhPgzA5E7UC6"
stanford.edu descriptive text 
"pexip-ms-tenant-domain-verification=3f0ac106-a365-4d3b-9fb9-2a124f04d0b6"

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to