Internet Engineering Task Force V. Binotto Internet-Draft V434 Project Intended status: Informational 23 September 2023 Expires: 26 March 2024 A method to declare domain names that are not a subdomain of the primary domain as trustworthy draft-valentinbinotto-verifyrootdomain-00 Abstract This document describes a method by which the owners/administrators of a specific domain name can declare other domain names, which are not subdomains of the primary domain but are used by the owners/ administrators of the primary domain, as trusted by using TXT records in the DNS zone of the primary domain. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 26 March 2024. Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Binotto Expires 26 March 2024 [Page 1] Internet-Draft Verifying domain names September 2023 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 2. The Specification . . . . . . . . . . . . . . . . . . . . . . 2 3. Security Considerations . . . . . . . . . . . . . . . . . . . 3 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 3 5.1. Normative References . . . . . . . . . . . . . . . . . . 3 5.2. Informative References . . . . . . . . . . . . . . . . . 3 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction Internet infrastructure providers sometimes use different domain names that are not hierarchically related. This can make it unclear whether a domain name can be trusted because the infrastructure provider simply uses a second domain name for a part of his infrastructure or network, or if it is a maliciously registered domain name that aims to pretend legitimacy. When using subdomains, this problem does not arise because with a trusted parent domain name, it can be assumed that the corresponding subdomain is also legitimate and trustworthy. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. The Specification A TXT record ([RFC1035]) MUST be created in the authoritative DNS zone under the subdomain "vroot" below the primary domain of an infrastructure provider. In this entry, in addition to the corresponding entries in the WHOIS database ([RFC1834]), the first name and last name of the root domain owner MUST be recorded in such a TXT record. Both the first name and last name are written in lowercase and separated by a period. vroot.valentin-43-44.org. IN TXT "valentin.binotto" In another TXT record, under the subdomain "vroot", MAY can be defined which other domain names are also used by the infrastructure provider. This enumeration does not include subdomains of the primary domain. The listed domain names SHOULD be defined as close Binotto Expires 26 March 2024 [Page 2] Internet-Draft Verifying domain names September 2023 to the domain-root as possible, which means that, for example, individual subdomains of "example.com" SHOULD NOT be listed if the security and trustworthiness of "example.com" itself and all its subdomains below can be guaranteed. vroot.example.net. IN TXT "example.com:example.org" 3. Security Considerations According to the author, no security considerations apply to this document. 4. IANA Considerations This document has no IANA actions. 5. References 5.1. Normative References [RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC1834] Gargano, J. and K. Weiss, "Whois and Network Information Lookup Service, Whois++", RFC 1834, DOI 10.17487/RFC1834, August 1995, . 5.2. Informative References [RFC1464] Rosenbaum, R., "Using the Domain Name System To Store Arbitrary String Attributes", RFC 1464, DOI 10.17487/RFC1464, May 1993, . Author's Address Valentin Binotto V434 Project Binotto Expires 26 March 2024 [Page 3] Internet-Draft Verifying domain names September 2023 Email: valentin.internetdrafts@v434project.com Binotto Expires 26 March 2024 [Page 4]