Background

To better understand my request, I describe my setup first. I host my Gentoo installation guide on Cloudflare Pages. To get things working, I must have a DNS record as shown in the following code block. There is no alternative provided by Cloudflare.

❯ delv +nodnssec cname gentoo.duxsco.de
; fully validated
gentoo.duxsco.de.	294	IN	CNAME	gentoo-installation.pages.dev.

Unfortunately, this doesn't allow for any other DNS record, and that's a limitation of using CNAME records. So, a TXT record as outlined in the Keyoxide docs is not possible.

Google's Approach

Thus, I suggest a solution similar to the one provided in the Google Search Console (formerly: Google Webmaster Tools).

As usual, they support TXT records:

screenshot

In addition, the "CNAME record" approach is supported, but you can use a subdomain, which means you'll have the following DNS record that wouldn't interfere with any preexisting CNAME record.

❯ delv +nodnssec cname 5ib6t6yu6awy.example.duxsco.de
; fully validated
5ib6t6yu6awy.example.duxsco.de.	294	IN	CNAME	gv-fiyujhu5bw4inc.dv.googlehosted.com

screenshot

My request

Keyoxide should support a DNS proof where a subdomain of "gentoo.duxsco.de" is used. It can be either a predefined subdomain, e.g. "keyoxide-proof.gentoo.duxsco.de", or some hash prepended to "gentoo.duxsco.de", e.g. "ur4378rzeaf.gentoo.duxsco.de". I think the "predefined subdomain" approach is sufficient.

I like the idea and we should definitely have a TXT-less method.

I see two issues with the keyoxide-proof.gentoo.duxsco.de approach:

  • can verify only one identity profile
  • doesn't actually verify (no link back to key)

Maybe I wasn't understanding something and my second point is wrong.

The way I see it, it probably needs to be some base16 hash of the fingerprint, such that abc123.domain.tld is a proof for the domain.tld claim where abc123 is the hash of the fingerprint claiming domain.tld.

Actually, I don't mind TXT records. I was thinking of the following record as a fallback for a TXT record on gentoo.duxsco.de:

❯ delv +nodnssec txt keyoxide-proof.gentoo.duxsco.de
; fully validated
keyoxide-proof.gentoo.duxsco.de.		300	IN	TXT	"$argon2id$v=19$m=64,t=512,p=2$YocylHySy6KH1byM8rLxiA$PxMm6eBkzsyDJwsb57uFgQ"

That way, we don't have to cope with the limitations of the CNAME record:

❯ delv +nodnssec cname gentoo.duxsco.de
; fully validated
gentoo.duxsco.de.	294	IN	CNAME	gentoo-installation.pages.dev.

CNAME+TXT is smart but then what is the benefit over TXT-only? gets epiphany Right, so you can't have TXT on your root domain, but you can CNAME a subdomain to your root and then put the TXT on that subdomain. Clearly I don't know enough about CNAME.

In which case, yes it would be preferable to use a predefined ariadne-proof subdomain!

If you have a CNAME record on foo.bar.org, any other record like TXT on foo.bar.org is disallowed. The CNAME record must be the one and only record.

Alright, yeah you said that, my bad.

So the predefined subdomain isn't directly linked to the main domain, only indirectly by being the subdomain of the domain to verify. That works!

2 years later

To summarize what is needed here:

  • when you want to claim a domain like funny.example.net,
  • but your DNS configuration is using CNAME for funny.example.net,
  • then there needs to be a way to put the DNS TXT proof on a subdomain of that like ariadne.funny.example.net.

This still seems currently impossible.
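As an added example (not Keyoxide's code, and not posted by anyone in the thread), the following Python sketch shows the two halves of the problem summarised above: an in-memory zone that enforces the "CNAME must be the only record" rule, and a domain-claim verifier that first looks for a TXT proof on the claimed name and then falls back to a predefined proof subdomain. The label "keyoxide-proof", the proof text format "openpgp4fpr:<FINGERPRINT>", the fingerprint and the IP address are assumptions and constructed sample data, not details from the original page. The verifier also rejects a proof that was only reached by following the CNAME, since such a record is published by the alias target's operator (here the hosting provider), not by whoever controls the claimed name.

```python
"""Added example, not Keyoxide's own code: a toy in-memory DNS zone that
enforces the CNAME exclusivity rule from the thread, plus a domain-claim
check that falls back to a predefined proof subdomain when the claimed
name itself is a CNAME.

Assumptions (not from the original page): the proof label
"keyoxide-proof", the TXT proof text "openpgp4fpr:<FINGERPRINT>", and the
fingerprint / address below are constructed sample data.
"""
from __future__ import annotations

PROOF_LABEL = "keyoxide-proof"   # assumed predefined subdomain label
PROOF_PREFIX = "openpgp4fpr:"    # assumed TXT proof format
SAMPLE_FP = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"  # constructed fingerprint


def _norm(name: str) -> str:
    """Lower-case and strip the trailing dot so owner names compare equal."""
    return name.rstrip(".").lower()


class Zone:
    """Minimal zone store. A name that owns a CNAME may own nothing else
    (RFC 1034, section 3.6.2), which is exactly why a TXT proof cannot sit
    next to the Cloudflare Pages CNAME."""

    def __init__(self) -> None:
        self._rr: dict[str, dict[str, list[str]]] = {}

    def add(self, name: str, rtype: str, rdata: str) -> None:
        name, rtype = _norm(name), rtype.upper()
        rrs = self._rr.setdefault(name, {})
        if rtype == "CNAME" and rrs:
            raise ValueError(f"{name}: CNAME cannot coexist with {sorted(rrs)}")
        if rtype != "CNAME" and "CNAME" in rrs:
            raise ValueError(f"{name}: owns a CNAME, so {rtype} is not allowed")
        rrs.setdefault(rtype, []).append(rdata)

    def query(self, name: str, rtype: str, max_hops: int = 8) -> tuple[list[str], str]:
        """Resolve like a recursive resolver: follow CNAMEs, then return the
        rdata of the requested type and the canonical name it was read from."""
        name, rtype = _norm(name), rtype.upper()
        for _ in range(max_hops):
            rrs = self._rr.get(name, {})
            if rtype in rrs:
                return list(rrs[rtype]), name
            if "CNAME" in rrs:
                name = _norm(rrs["CNAME"][0])  # chase the alias
                continue
            return [], name
        raise RuntimeError("CNAME chain too long")


def verify_domain_claim(zone: Zone, domain: str, fingerprint: str) -> str | None:
    """Return the owner name where a valid proof for `fingerprint` was found,
    or None. Tries the claimed name first, then the predefined proof
    subdomain. A proof reached only by following a CNAME is rejected: it
    would have been published by the alias target's operator, not by
    whoever controls the claimed name."""
    want = (PROOF_PREFIX + fingerprint).lower()
    for name in (_norm(domain), f"{PROOF_LABEL}.{_norm(domain)}"):
        txts, canonical = zone.query(name, "TXT")
        if canonical != name:
            continue  # answer came from a CNAME target, not from `name`
        if any(txt.strip('"').lower() == want for txt in txts):
            return name
    return None


def build_demo_zone() -> Zone:
    """Constructed zone mirroring the thread: the apex is a CNAME to Pages,
    the proof lives on the proof subdomain."""
    z = Zone()
    z.add("gentoo.duxsco.de", "CNAME", "gentoo-installation.pages.dev.")
    z.add("gentoo-installation.pages.dev", "A", "192.0.2.10")  # TEST-NET-1 address
    z.add(f"{PROOF_LABEL}.gentoo.duxsco.de", "TXT", f'"{PROOF_PREFIX}{SAMPLE_FP}"')
    return z


def txt_next_to_cname_is_rejected() -> bool:
    """Show the limitation the thread is about: a TXT beside a CNAME fails."""
    z = build_demo_zone()
    try:
        z.add("gentoo.duxsco.de", "TXT", f'"{PROOF_PREFIX}{SAMPLE_FP}"')
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    zone = build_demo_zone()
    print("TXT beside CNAME rejected:", txt_next_to_cname_is_rejected())
    print("proof found at:", verify_domain_claim(zone, "gentoo.duxsco.de", SAMPLE_FP))
    print("wrong fingerprint:", verify_domain_claim(zone, "gentoo.duxsco.de", "00" * 20))
```

Running the block prints that the apex TXT is rejected, that the proof is found at keyoxide-proof.gentoo.duxsco.de, and that an unrelated fingerprint yields None. The `canonical != name` check is the part a real implementation should not skip: without it, a TXT placed on the CNAME target would pass as a proof for the claimed domain.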