Add dnsdoctor.dev.domainverify template#1368
Open
KayF wants to merge 1 commit into
Open
Conversation
Domain ownership verification for DNS Doctor via a single signed TXT record.
|
✅ JSON Filename Check Passed |
|
✅ JSON Schema Validation Passed |
PR Description Check PassedAll required sections are filled in correctly. Details |
Linter OK
|
| Level | Code | Note |
|---|---|---|
| info | DCTL1021 | missing from iana definitions |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds
dnsdoctor.dev.domainverify.json— a domain-ownership verification template forDNS Doctor (dnsdoctor.dev), an email & DNS health scanner with
optional monitoring. Before we start monitoring a domain we ask the owner to prove control
of it by publishing one TXT record; today that means copy-pasting the record into their DNS
host by hand, which is where a lot of people drop off. This template lets a supporting DNS
provider apply that record in one click instead.
It's a single TXT record — host
_dnsdoctor-challenge, valuednsdoctor-verify=%token%,where
%token%is the per-domain code we issue when the user adds a domain. Nothing aboutit is destructive: it's an inert proof record the user can delete once verification passes.
Requests are signed per the spec's digital-signature scheme:
syncPubKeyDomainis set todnsdoctor.dev, the RS256 public key is published as TXT at_dck1.dnsdoctor.dev(
p=1/p=2chunks, reassembling to the SPKI), and our service signs each apply URL'squery string (
sig+key=_dck1).providerIdisdnsdoctor.dev, a zone we operate —happy to complete any ownership check you need against it.
Type of change
How Has This Been Tested?
Please mark the following checks done
<providerId>.<serviceId>.json—dnsdoctor.dev.domainverify.jsonlogoUrlis actually served by a webserver — N/A:logoUrlis not set on this templateAlso validated against
template.schema(passes) and withdc-template-linter: no warnings or errors, only info-level notes —DCTL1021on the custom_dnsdoctor-challengelabel (expected for a verification host that isn't an IANA-registered underscore name), and under-cloudflare,DCTL5008noting Cloudflare ignorestxtConflictMatchingMode(informational; the field is kept for providers that do honor it).Checklist of common problems
syncPubKeyDomainis set —dnsdoctor.dev; public key TXT is live at_dck1.dnsdoctor.dev, every apply URL carriessig+key=_dck1warnPhishingis not set alongsidesyncPubKeyDomain— correct, onlysyncPubKeyDomainis setsyncRedirectDomainis set whenever the template usesredirect_uriin the synchronous flow — N/A: our flow does not sendredirect_uri, so it is intentionally omitted"v=spf1 ...") — correct, the only TXT carries adnsdoctor-verify=ownership token, never SPFtxtConflictMatchingModeis set on every TXT record that must be unique — set toPrefixwith prefixdnsdoctor-verify=, so re-verifying a domain replaces the prior token instead of stacking duplicate recordsdnsdoctor-verify=%token%; the variable is only the token, anchored by the fixeddnsdoctor-verify=prefix, so it can't be repurposed into an arbitrary recordhostlabel — the host is the fixed literal_dnsdoctor-challenge; no variable appears in ithostfield to create a subdomain — correct; the record targets a fixed host and relies on the standardhostparameter for subdomain placement%host%does not appear explicitly in anyhostattribute — confirmed cleanessentialis set toOnApplyon records the end user may need to modify or remove — N/A: the template is a single inert proof record; there is no secondary/removable record whose loss would leave the template half-appliedOnline Editor test results
Editor test link(s):
The apex test applies
_dnsdoctor-challenge.example.com. TXT "dnsdoctor-verify=<token>"; thesubdomain test (
host=shop) applies_dnsdoctor-challenge.shop.example.com. TXT "..."— therecord follows the
hostparameter as expected.