Show HN: Make domain verification as easy as verifying an email or phone number https://ift.tt/e3lcAg8
Hi HN,

This is a project [1] I've been working on for a little while and I'm interested in your feedback and point of view.

Many of us would have verified a domain name by pasting a string into a DNS TXT record. Some providers ask us to store this DNS TXT record at a domain using a DNS label like "_provider", e.g. _provider.yourdomain.com, and some providers ask that you do it at the zone apex (God help us [2]).

The Domain Verification protocol stores a DNS TXT record at a DNS name derived from a hashed "verifiable identifier" (think email, telephone, DID), enabling anyone that can prove control over the verifiable identifier to prove authority for the domain name.

For example, the domain verification record giving the email address user@example.com authority over the domain dvexample.com can be seen with this terminal command:

dig 4i7ozur385y5nsqoo0mg0mxv6t9333s2rarxrtvlpag1gsk8pg._dv.dvexample.com TXT

The record can specify what type of services the authorised party is allowed to use (e.g. SEO, Storage, Advertising) or specify an exact provider (ads.google.com). You can also specify an expiry date.

The benefits of this approach are:

- Domain owners can grant time-limited, granular permissions for third parties to verify a domain
- Every service provider could use the same verification record
- Once a domain owner creates a verification record by following instructions from one service provider, that same record could be used by other service providers
- Domain registrars could set these records up on behalf of users, perhaps even upon domain registration (with registrant opt-in). This would provide domain registrants with a fast lane for signing up to services like Google Ads, Facebook Ads, Dropbox, whatever

I'm still working on licensing but creating these records will always be free.
I hope to find service providers that see significant upside in reducing friction for user onboarding that are willing to pay to license it.

Worked example:

Let's say you want to authenticate the user with the email user@example.com with the domain dvexample.com; these are the steps:

1. HASH(user@example.com) -> 4i7ozur385y5nsqoo0mg0mxv6t9333s2rarxrtvlpag1gsk8pg
2. Store the Domain Verification record at: 4i7ozur385y5nsqoo0mg0mxv6t9333s2rarxrtvlpag1gsk8pg._dv.dvexample.com
3. The TXT record determines permissions and time limit: @dv=1;d=Example user emali;e=2025-01-01;s=[seo;email];h=4i7ozur385y5nsqoo0mg0mxv6t9333s2rarxrtvlpag1gsk8pg

BTW, if you're interested, the syntax of that DNS record is a compact data serialisation format I created especially for DNS [3].

Thanks for taking a look,
Elliott

1. https://ift.tt/Sx8GVIC
2. dig target.com TXT
3. https://ift.tt/zm9eIt1

(edit: formatting)

https://ift.tt/Sx8GVIC May 5, 2023 at 12:40PM
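Added example (not the project's own code) of the checks a relying party would run on a record shaped like the worked example above: version, hash binding to the identifier's label, expiry, and service scope. The post does not specify the hash function or the full serialisation grammar, so the label is taken as input and the field/bracket handling is inferred from the one record shown; the sample record below is constructed.

```python
from datetime import date

# Constructed sample modelled on the record in the post; the label is the
# one shown there, the record text is illustrative.
LABEL = "4i7ozur385y5nsqoo0mg0mxv6t9333s2rarxrtvlpag1gsk8pg"
SAMPLE_TXT = "@dv=1;d=Example user email;e=2025-01-01;s=[seo;email];h=" + LABEL


def split_fields(record):
    """Split on ';' except inside [...] groups (assumed bracket semantics)."""
    fields, depth, cur = [], 0, []
    for ch in record:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ";" and depth == 0:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields


def parse_dv_record(record):
    """Parse 'key=value' fields; a [a;b] value becomes a list of strings."""
    if not record.startswith("@dv="):
        raise ValueError("not a domain verification record")
    out = {}
    for field in split_fields(record):
        key, _, value = field.partition("=")
        key = key.lstrip("@")
        if value.startswith("[") and value.endswith("]"):
            out[key] = value[1:-1].split(";") if len(value) > 2 else []
        else:
            out[key] = value
    return out


def authorises(record, label, service, today):
    """True only if the record is v1, bound to this label, unexpired (assumed
    inclusive of the stated date) and lists the requested service."""
    rec = parse_dv_record(record)
    if rec.get("dv") != "1" or rec.get("h") != label:
        return False
    expiry = rec.get("e")
    if expiry and date.fromisoformat(expiry) < today:
        return False
    return service in rec.get("s", [])
```

A real relying party would fetch the TXT record at `<label>._dv.<domain>` with a DNS client and pass the text to `authorises`; the hash binding check matters because the label, not the record body, is what ties the grant to a specific identifier.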