Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Extension: security.txt in DNS #196

Open
Addvilz opened this issue Sep 16, 2020 · 3 comments
Open

Extension: security.txt in DNS #196

Addvilz opened this issue Sep 16, 2020 · 3 comments

Comments

@Addvilz
Copy link

Addvilz commented Sep 16, 2020

I would like to propose an extension to the standard proposal of security.txt - possibility to publish security.txt using a DNS TXT record.

One of the biggest drawbacks I see with the proposal is that it is only really usable for networks and systems hosting web servers and having a web presence. Internet is complex, and it is not always the case the web server is present, especially when we consider infrastructure networks, hosted for customer service networks that are not easy to verify the final ownership of and similar cases. Sometimes the web server is not available as part of public service, but other services are - email services, custom services, etc. Having a DNS level security.txt entry would certainly help solve all these cases. Having this record would also allow for a way for automated systems to discover security contact information without looking for WWW servers.

In this regard, I would like to propose an optional (???) extension to the security.txt proposal - a DNS TXT record, using public PTR as basis for record resolution.

Example record format

v=security.txt; Contact: mailto:[email protected]; Contact: mailto:[email protected]; Encryption: https://example.com/pgp.key; Preferred Languages: en,es; Policy: https://example.com/example_policy.txt

Example resolution chain

  1. PTR is published for a network resource
  2. PTR resolves to 'host.ex.example.com`
  3. Lookup TXT host.ex.example.com, use security.txt record if found
  4. If no record found, lookup TXT example.com, use security.txt record if found

Edit 1

After some consideration, perhaps instead of allowing for full content of the security.txt in DNS, it could be just a reference on where to find the policy. This could have benefits in reducing load on DNS servers and not having to deal with the 255 char limit for TXT record parts.

v=security.txt; href=https://example.com/security.txt
@nightwatchcyber
Copy link
Contributor

nightwatchcyber commented Sep 16, 2020

Thank you for submitting this. We had multiple DNS recommendations and plan to address once the initial draft is approved as RFC, so at least the contents of the file are standardized.

@Addvilz
Copy link
Author

Addvilz commented Sep 16, 2020

Great! Let me know if there is anything at all I can do to help with this.

@austinsonger
Copy link

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants