Domain Connect is a publicly available standard that lets a DNS Provider expose a mechanism through which a Service Provider can place DNS records on a customer's domain, freeing the customer from setting those records by hand. The current Domain Connect specification, however, leaves Service Providers exposed to some security and reliability problems. Specifically: the _domainconnect TXT record used for discovery can, in principle, be altered to point at a server controlled by a bad actor; the protocol offers no facility for shutting off DNS Providers known to suffer downtime or other issues; and the specification does not require the URL fields returned by the settings call to use the HTTPS scheme. This disclosure describes an allow-list mechanism that mitigates these problems. A wildcard (or regular-expression) check is applied to the initial server URL obtained by following the _domainconnect TXT record for a given domain, for instance to confirm that the host name in that URL belongs to a known provider before any request is sent to it. Further wildcard checks are then applied to the fields returned in response to the settings call, so that the UX and API URLs a Service Provider redirects users to or calls are also confined to trusted hosts and the HTTPS scheme.
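The following is an added example, not code from the disclosure or from the Domain Connect project, showing one way a Service Provider could implement the allow-list gates described above. The provider host names, the _domainconnect TXT answers and the settings documents are constructed for the demo; the settings field names urlSyncUX, urlAsyncUX and urlAPI are the ones defined by the Domain Connect specification, while the "at least one UX URL present" rule and the injected resolver and fetcher callables are this example's own choices so that it runs offline.

```python
"""Allow-list checks for Domain Connect DNS-provider discovery.

Added example, not code from the disclosure or the Domain Connect project.
A wildcard allow-list is applied to the host in the _domainconnect TXT record
and then to the URL fields of the settings response, with https required.
Provider hosts, TXT values and settings documents are constructed for the demo.
"""
from __future__ import annotations

import fnmatch
import re
from urllib.parse import urlparse

# Allow-list of DNS-provider hosts as shell-style wildcards (assumed names).
# A provider with known downtime is simply left off the list to block it.
ALLOWED_HOST_PATTERNS = [
    "domainconnect.example-dns.com",
    "*.example-dns.com",
    # "api.flaky-provider.example",  # disabled: known reliability issues
]

# Settings-response fields that carry URLs (names from the Domain Connect spec).
URL_FIELDS = ("urlSyncUX", "urlAsyncUX", "urlAPI")

# Conservative DNS host-name syntax: labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$"
)


def normalize_host(host: str) -> str:
    return host.strip().rstrip(".").lower()


def host_allowed(host: str) -> bool:
    """Whole-string wildcard match, so 'x.example-dns.com.attacker.example' fails."""
    host = normalize_host(host)
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in ALLOWED_HOST_PATTERNS)


def check_discovery_host(txt_value: str) -> str | None:
    """Validate the _domainconnect TXT value; return an error string or None."""
    host = normalize_host(txt_value)
    if not HOSTNAME_RE.match(host):
        return f"TXT value is not a host name: {txt_value!r}"
    if not host_allowed(host):
        return f"DNS provider host {host!r} is not on the allow-list"
    return None


def check_url_field(name: str, value: str) -> str | None:
    """Require https, no embedded credentials, and an allow-listed host."""
    u = urlparse(value)
    if u.scheme != "https":
        return f"{name} must use https, got {u.scheme!r}"
    if u.username is not None or u.password is not None:
        return f"{name} must not embed credentials"
    if not u.hostname or not host_allowed(u.hostname):
        return f"{name} host {u.hostname!r} is not on the allow-list"
    return None


def check_settings(settings: dict) -> list[str]:
    """Validate every URL field present in a settings response."""
    errors = [e for e in (check_url_field(n, settings[n]) for n in URL_FIELDS
                          if n in settings) if e]
    if "urlSyncUX" not in settings and "urlAsyncUX" not in settings:
        errors.append("settings carry no UX URL")  # this example's own rule
    return errors


def discover(domain: str, resolve_txt, fetch_settings) -> tuple[dict | None, list[str]]:
    """Discovery with the allow-list gates; returns (settings or None, errors).

    resolve_txt(domain) -> value of the _domainconnect.<domain> TXT record
    fetch_settings(host, domain) -> parsed https://<host>/v2/<domain>/settings
    Both are injected so the example runs offline; real code uses DNS and HTTPS.
    """
    err = check_discovery_host(resolve_txt(domain))
    if err:
        return None, [err]  # never contact a host that failed the allow-list
    settings = fetch_settings(normalize_host(resolve_txt(domain)), domain)
    errors = check_settings(settings)
    return (settings if not errors else None), errors


SAMPLE_TXT = {  # constructed _domainconnect TXT answers
    "good.example": "domainconnect.example-dns.com",
    "trailingdot.example": "domainconnect.example-dns.com.",
    "spoofed.example": "domainconnect.example-dns.com.attacker.example",
    "flaky.example": "api.flaky-provider.example",
    "legacy.example": "legacy.example-dns.com",
}
SAMPLE_SETTINGS = {  # constructed settings responses, keyed by provider host
    "domainconnect.example-dns.com": {
        "providerId": "example-dns", "providerName": "Example DNS",
        "urlSyncUX": "https://dcc.example-dns.com/manage",
        "urlAsyncUX": "https://dcc.example-dns.com/manage",
        "urlAPI": "https://api.example-dns.com",
    },
    "legacy.example-dns.com": {
        "providerId": "legacy", "providerName": "Legacy DNS",
        "urlSyncUX": "http://dcc.example-dns.com/manage",  # plain http
        "urlAPI": "https://api.attacker.example",          # off-list host
    },
}


def demo(domain: str) -> tuple[dict | None, list[str]]:
    return discover(domain, SAMPLE_TXT.__getitem__, lambda h, d: SAMPLE_SETTINGS[h])


if __name__ == "__main__":
    for d in SAMPLE_TXT:
        print(d, "->", demo(d)[1] or "ok")
```

Running the block shows good.example and trailingdot.example passing, spoofed.example and flaky.example being rejected before any request is made to the provider host, and legacy.example being rejected after the settings call because of the http UX URL and the API host outside the allow-list. Matching the whole host string against anchored wildcards, rather than checking a prefix or substring, is what defeats the look-alike host in the spoofed record.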
This work is licensed under a Creative Commons Attribution 4.0 License.
Goel, Navneet and Gopalakrishnan, Aditya, "Improved Security and Reliability in the DNS Provider Discovery Mechanism of Domain Connect Protocol", Technical Disclosure Commons, (June 18, 2021)