For additional visibility to the WG, the largest change in this version is switching the terminology from "random tokens" to "unique tokens" (of which random is one type). There is also discussion of the associated security properties. This better matches with many of the best-practice uses we've inventoried in the survey --- especially given the public nature of the DNS, the security properties don't come from the secrecy of validation records but that they can demonstrate a causal relationship from a request for validation and the validation record appearing, as well as intent on behalf of the domain owner.
With the changes here, and in discussions with the authors of draft-sheth-identifiers-dns, we believe that draft-ietf-dnsop-domain-verification also now subsumes the need for draft-sheth-identifiers-dns.

Erik

On Fri, Oct 17, 2025 at 12:06 PM Tim Wicinski <[email protected]> wrote:

> All
>
> We published an update to this draft earlier this week. We did document
> and wording cleanup; chased down some issues; working to align with the
> draft-ietf-dnsop-integration draft, etc.
>
> We removed the sections on Multiple Intermediaries, but we are considering
> adding something back discussing this. This behavior is showing up more and
> more especially with larger organizations that work with multiple CDNs.
> Currently the survey on Domain Control Validation Techniques is stored in
> the document git repo
> https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/blob/main/DomainControlValidation-Survey.md
>
> We asked for agenda time in Montreal, but barring that we'd like to hear
> what is still outstanding.
>
> thanks
> tim
>
> ---------- Forwarded message ---------
> From: <[email protected]>
> Date: Mon, Oct 13, 2025 at 4:26 PM
> Subject: I-D Action: draft-ietf-dnsop-domain-verification-techniques-10.txt
> To: <[email protected]>
> Cc: <[email protected]>
>
> Internet-Draft draft-ietf-dnsop-domain-verification-techniques-10.txt is
> now available. It is a work item of the Domain Name System Operations
> (DNSOP) WG of the IETF.
>
> Title: Domain Control Validation using DNS
> Authors: Shivan Sahib
>          Shumon Huque
>          Paul Wouters
>          Erik Nygren
>          Tim Wicinski
> Name: draft-ietf-dnsop-domain-verification-techniques-10.txt
> Pages: 19
> Dates: 2025-10-13
>
> Abstract:
>
> Many application services on the Internet need to verify ownership or
> control of a domain in the Domain Name System (DNS). The general
> term for this process is "Domain Control Validation", and can be done
> using a variety of methods such as email, HTTP/HTTPS, or the DNS
> itself. This document focuses only on DNS-based methods, which
> typically involve the Application Service Provider requesting a DNS
> record with a specific format and content to be visible in the domain
> to be verified. There is wide variation in the details of these
> methods today. This document provides some best practices to avoid
> known problems.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-dnsop-domain-verification-techniques-10.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-domain-verification-techniques-10
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
> _______________________________________________
> I-D-Announce mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
