Hi HN,
This is a project [1] I've been working on for a little while and I'm interested in your feedback and point of view.
Many of us would have verified a domain name by pasting a string into a DNS TXT record. Some providers ask us to store this DNS TXT record at a domain using a DNS label like "_provider" e.g. _provider.yourdomain.com, and some providers ask that you do it at the zone apex (God help us [2]).
The Domain Verification protocol stores a DNS TXT record at a DNS name derived from a hashed "verifiable identifier" (think email, telephone, DID), enabling anyone that can prove control over the verifiable identifier to prove authority for the domain name.
For example, the domain verification record giving the email address user@example.com authority over the domain dvexample.com can be seen with this terminal command:
dig 4i7ozur385y5nsqoo0mg0mxv6t9333s2rarxrtvlpag1gsk8pg._dv.dvexample.com TXT
The record can specify what type of services the authorised party is allowed to use (e.g. SEO, Storage, Advertising) or specify an exact provider (ads.google.com); you can also specify an expiry date.
The benefits of this approach are:
- Domain owners can grant time-limited, granular permissions for third parties to verify a domain
- Every service provider could use the same verification record
- Once a domain owner creates a verification record by following instructions from one service provider, that same record could be used by other service providers
- Domain registrars could set these records up on behalf of users, perhaps even upon domain registration (with registrant opt-in). This would provide domain registrants with a fast lane for signing up to services like Google Ads, Facebook Ads, Dropbox, whatever
I'm still working on licensing but creating these records will always be free. I hope to find service providers that see significant upside in reducing friction for user onboarding that are willing to pay to license it.
Worked example:
Let's say you want to authenticate the user with the email user@example.com with the domain dvexample.com; these are the steps:
1. HASH(user@example.com) -> 4i7ozur385y5nsqoo0mg0mxv6t9333s2rarxrtvlpag1gsk8pg
2. Store Domain Verification record at:
4i7ozur385y5nsqoo0mg0mxv6t9333s2rarxrtvlpag1gsk8pg._dv.dvexample.com
3. TXT record determines permissions and time limit:
@dv=1;d=Example user email;e=2025-01-01;s=[seo;email];h=4i7ozur385y5nsqoo0mg0mxv6t9333s2rarxrtvlpag1gsk8pg
BTW, if you're interested, the syntax of that DNS record is a compact data serialisation format I created especially for DNS [3].
Thanks for taking a look,
Elliott
1. https://www.domainverification.org
2. dig target.com TXT
3. https://www.compactdata.org
(edit: formatting)
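To make the worked example above concrete, here is a small checker for a Domain Verification TXT record. It is added here as an illustration and is not code from the domainverification.org project; the record grammar is inferred from the single example in the post, the hash-to-label function is not specified in the post and so the label is taken as an input rather than computed, and the expiry rule (record is valid through the date in `e`) is an assumption.

```python
from datetime import date

# Values taken from the post (description spelling corrected).
SAMPLE_LABEL = "4i7ozur385y5nsqoo0mg0mxv6t9333s2rarxrtvlpag1gsk8pg"
SAMPLE_TXT = "@dv=1;d=Example user email;e=2025-01-01;s=[seo;email];h=" + SAMPLE_LABEL


def dv_name(label: str, domain: str) -> str:
    """DNS owner name at which the record is published: <label>._dv.<domain>."""
    return f"{label}._dv.{domain}"


def _split_top(s: str, sep: str = ";") -> list:
    """Split on `sep` while ignoring separators inside [...] lists (assumed grammar)."""
    parts, buf, depth = [], [], 0
    for ch in s:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_dv_record(txt: str) -> dict:
    """Parse '@dv=1;k=v;s=[a;b];...' into a dict; list values become Python lists."""
    if not txt.startswith("@dv="):
        raise ValueError("not a Domain Verification record")
    rec = {}
    for field in _split_top(txt[1:]):
        key, eq, value = field.partition("=")
        if not key or not eq:
            raise ValueError(f"malformed field: {field!r}")
        if value.startswith("[") and value.endswith("]"):
            value = [v for v in _split_top(value[1:-1]) if v]
        rec[key] = value
    return rec


def verify(label: str, txt: str, service: str, today: date) -> tuple:
    """Decide whether the record at `label` authorises `service` on `today`.

    The checks are the ones a relying service needs: version, the `h` field
    binding the record to the hashed identifier, expiry, and service scope.
    """
    rec = parse_dv_record(txt)
    if rec.get("dv") != "1":
        return False, "unsupported version"
    if rec.get("h") != label:
        return False, "hash mismatch"
    if "e" in rec and today > date.fromisoformat(rec["e"]):
        return False, "expired"
    if service not in rec.get("s", []):
        return False, "service not authorised"
    return True, "ok"
```

The scope and expiry checks are what stop a record handed to one provider from being reused for a service or after a date the domain owner never approved.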
The beauty of verifying with a changing bit of information (which is basically what is happening now) is that you only prove ownership once and the proof can't be stolen by someone who doesn't own the domain but received your proof.
Maybe I didn't understand correctly how it works. But if I understand it correctly that is actually rather dangerous. Supplying the proof to an untrustworthy party should not allow them to re-use this proof for other services.