Skip to content

Add dnsdoctor.dev.domainverify template#1368

Open
KayF wants to merge 1 commit into
Domain-Connect:masterfrom
KayF:add-dnsdoctor.dev-domainverify
Open

Add dnsdoctor.dev.domainverify template#1368
KayF wants to merge 1 commit into
Domain-Connect:masterfrom
KayF:add-dnsdoctor.dev-domainverify

Conversation

@KayF

@KayF KayF commented Jul 11, 2026

Copy link
Copy Markdown

Description

Adds dnsdoctor.dev.domainverify.json — a domain-ownership verification template for
DNS Doctor (dnsdoctor.dev), an email & DNS health scanner with
optional monitoring. Before we start monitoring a domain we ask the owner to prove control
of it by publishing one TXT record; today that means copy-pasting the record into their DNS
host by hand, which is where a lot of people drop off. This template lets a supporting DNS
provider apply that record in one click instead.

It's a single TXT record — host _dnsdoctor-challenge, value dnsdoctor-verify=%token%,
where %token% is the per-domain code we issue when the user adds a domain. Nothing about
it is destructive: it's an inert proof record the user can delete once verification passes.

Requests are signed per the spec's digital-signature scheme: syncPubKeyDomain is set to
dnsdoctor.dev, the RS256 public key is published as TXT at _dck1.dnsdoctor.dev
(p=1/p=2 chunks, reassembling to the SPKI), and our service signs each apply URL's
query string (sig + key=_dck1). providerId is dnsdoctor.dev, a zone we operate —
happy to complete any ownership check you need against it.

Type of change

  • New template
  • Bug fix (non-breaking change which fixes an issue in the template)
  • New feature (non-breaking change which adds functionality to the template)
  • Breaking change (fix or feature that would cause existing template behavior to be not backward compatible)

How Has This Been Tested?

Please mark the following checks done

  • Template functionality checked using Online Editor — "Check template" is clean; apex + subdomain apply tests below
  • Template file name follows the pattern <providerId>.<serviceId>.jsondnsdoctor.dev.domainverify.json
  • resource URL provided with logoUrl is actually served by a webserver — N/A: logoUrl is not set on this template

Also validated against template.schema (passes) and with dc-template-linter: no warnings or errors, only info-level notes — DCTL1021 on the custom _dnsdoctor-challenge label (expected for a verification host that isn't an IANA-registered underscore name), and under -cloudflare, DCTL5008 noting Cloudflare ignores txtConflictMatchingMode (informational; the field is kept for providers that do honor it).

Checklist of common problems

  • syncPubKeyDomain is set — dnsdoctor.dev; public key TXT is live at _dck1.dnsdoctor.dev, every apply URL carries sig + key=_dck1
  • warnPhishing is not set alongside syncPubKeyDomain — correct, only syncPubKeyDomain is set
  • syncRedirectDomain is set whenever the template uses redirect_uri in the synchronous flow — N/A: our flow does not send redirect_uri, so it is intentionally omitted
  • no TXT record contains SPF content ("v=spf1 ...") — correct, the only TXT carries a dnsdoctor-verify= ownership token, never SPF
  • txtConflictMatchingMode is set on every TXT record that must be unique — set to Prefix with prefix dnsdoctor-verify=, so re-verifying a domain replaces the prior token instead of stacking duplicate records
  • no variable is used as a bare full record value — the record data is dnsdoctor-verify=%token%; the variable is only the token, anchored by the fixed dnsdoctor-verify= prefix, so it can't be repurposed into an arbitrary record
  • no bare variable is used as the full host label — the host is the fixed literal _dnsdoctor-challenge; no variable appears in it
  • no variable is used in the host field to create a subdomain — correct; the record targets a fixed host and relies on the standard host parameter for subdomain placement
  • %host% does not appear explicitly in any host attribute — confirmed clean
  • essential is set to OnApply on records the end user may need to modify or remove — N/A: the template is a single inert proof record; there is no secondary/removable record whose loss would leave the template half-applied

Online Editor test results

Editor test link(s):

The apex test applies _dnsdoctor-challenge.example.com. TXT "dnsdoctor-verify=<token>"; the
subdomain test (host=shop) applies _dnsdoctor-challenge.shop.example.com. TXT "..." — the
record follows the host parameter as expected.

Domain ownership verification for DNS Doctor via a single signed TXT record.
@github-actions

Copy link
Copy Markdown

JSON Filename Check Passed

@github-actions

Copy link
Copy Markdown

JSON Schema Validation Passed

@github-actions

Copy link
Copy Markdown

PR Description Check Passed

All required sections are filled in correctly.

Details
  OK  Type of change: 1/4 checkboxes ticked
  OK  How Has This Been Tested?: all 3 checkboxes ticked
  OK  Checklist of common problems: 10/10 checkboxes ticked
  OK  Online Editor test results: 2 link(s) found
  OK  Template coverage: all 1 template(s) covered
Labels to remove: Checklist of common problems not complete, Forged editor links, PR description incomplete, Test links missing

PR description check PASSED

@github-actions

Copy link
Copy Markdown

Linter OK

dnsdoctor.dev.domainverify.json

Level Code Note
info DCTL1021 missing from iana definitions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant