| Internet-Draft | Domain Connect | June 2026 |
| Kowalik, et al. | Expires 7 December 2026 | [Page] |
This document provides specification of the Domain Connect Protocol that was built to support DNS configuration provisioning between Service Providers (hosting, social, email, hardware, etc.) and DNS Providers.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 December 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Connecting a domain name to a service should be a simple and straightforward process. However, historically, users have faced a complex and often frustrating task involving manual DNS configuration. Traditional methods are unreliable, require deep technical knowledge of DNS, and result in outdated and confusing instructions from Service Providers. This leads to user frustration, support overhead, and abandoned setups.¶
To address these challenges, Domain Connect offers a streamlined and automated solution. It empowers Service Providers to easily enable their services to work with user domains, simplifying both DNS provider discovery and DNS configuration. By abstracting away the complexities of manual DNS management through user-friendly web interactions, standard authentication, and template-based configurations, Domain Connect significantly improves the user experience.¶
The following use cases illustrate the wide range of applications where Domain Connect simplifies and automates DNS configuration, from basic service onboarding to complex, dynamic DNS management scenarios.¶
"groupId") to apply parts of a template in separate interactions, each with explicit user consent.¶
While Domain Connect offers significant advantages in automating DNS configuration, it's important to recognize scenarios where it might not be the ideal solution:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The Terms like "Registrar", "Authoritative server", "Zone", "Zone Apex" or "Sub Domain" are used as defined in [RFC8499].¶
This specification uses the Augmented Backus-Naur Form (ABNF) notation of [RFC5234]. The following ABNF rules are imported from the normative references [RFC5234].¶
ALPHA = %x41-5A / %x61-7A ; A-Z / a-z
DIGIT = %x30-39 ; 0-9¶
The following definitions and rules are imported normatively from other documents.¶
"a-label":"u-label":"ldh-label":"domain-name":"state":"redirect_uri":"unicode-assignable":"JSON number":"srv-rdata":"service-name":"presentation format":The following additional syntax rules are defined in this document and used normatively throughout.¶
"dc-name-char":any Unicode Assignable code point allowed in "domain-name" except "%" and "@"¶
The following additional ABNF rules are defined in this document and used normatively throughout.¶
; ---- Identifier rules ----
dc-id = 1*63( ALPHA / DIGIT / "-" / "_" / "." )
; non-empty token, max 63 octets;
; used for providerId, serviceId, groupId,
; instanceId
dc-id-list = dc-id *( "," dc-id )
; comma-separated list of dc-id values;
; used for groupId parameter
dc-host-list = domain-name *( *SP "," *SP domain-name )
; comma-separated list of domain names
; ---- Other parameter rules ----
dc-sig = 1*( ALPHA / DIGIT / "+" / "/" / "=" )
; standard base64 alphabet per RFC 4648 Section 4
dc-underscore-label = "_" 1*( ALPHA / DIGIT / "-" )
; RFC 8552 underscore-prefixed DNS label,
; max 63 octets total
dc-key-label = a-label / dc-underscore-label
; plain ACE label or RFC 8552 underscore label;
; used for the key parameter
dc-pubkey-domain = *( dc-underscore-label "." ) domain-name
; zero or more underscore labels prepended
; to an IDNA domain name, per RFC 8552
; user for syncPubKeyDomain
dc-display-name = 1*255unicode-assignable
; non-empty string of at most 255 Unicode
; Assignable code points per RFC 9839 Section 4.3;
; used for providerName and serviceName
dc-description-text = 0*2048unicode-assignable
; a string of at most 2048 Unicode
; Assignable code points per RFC 9839 Section 4.3;
; used for description and variableDescription
dc-version = %x31-39 *DIGIT
; positive integer, no leading zeros,
; no fraction, no exponent;
; a strict subset of JSON number (RFC 8259
; Section 6); used for template version
; ---- Variable expression rules ----
variable-expression = named-variable / template-apex-var
; parameterized expression in a template field
named-variable = "%" variable-name "%"
; %-delimited named variable
template-apex-var = "@"
; zone-apex / fqdn shorthand; MUST appear alone
; in host/name or pointsTo/data fields
variable-name = 1*( ALPHA / DIGIT / "-" / "_" )
; identifier of a template variable
; ---- Template record field rules ----
dc-record-type = ( "A" / "AAAA" / "CNAME" / "MX" / "TXT"
/ "SRV" / "SPFM" / "NS" )
; named core and pseudo record types
/ "TYPE" 1*DIGIT
; unknown type per RFC 3597
/ 1*(ALPHA / DIGIT / "-")
; any other IANA-registered RR type name
dc-essential = "Always" / "OnApply"
; default is "Always"
dc-txt-conflict-mode = "None" / "All" / "Prefix"
; default is "None"
dc-conflict-prefix = 1*(%x21-7E)
; non-empty printable ASCII (U+0021..U+007E);
; no variable expressions permitted
; -- property value field --
dc-prop-value = *( dc-prop-char / dc-rdata-escape )
; DNS presentation format (RFC 9499);
dc-prop-char = %x20-7E
; space and all printable ASCII (U+0020..U+007E);
dc-rdata-escape = "\" ( 3DIGIT / %x21-7E )
; RFC 1035 Section 5.1 octet escape:
; "\DDD" three decimal digits, or
; "\" followed by any printable non-digit character
; -- host / name / pointsTo / target fields --
dc-host-tmpl = template-apex-var
; "@" alone
/ 1*( named-variable / dc-name-char )
; mix of literal chars and %-variables
dc-pointsto-tmpl = template-apex-var
; "@" alone
/ 1*( dc-name-char / named-variable )
; mix of literal chars and %-variables
dc-pointsto-nat-tmpl = 1*( dc-name-char / named-variable )
; mix of literal chars and %-variables
; -- integer fields with optional variable --
dc-ttl-tmpl = 1*DIGIT / named-variable
; constant seconds, or a sole %-variable
dc-ttl-value = 1*DIGIT
; non-negative integer seconds, resolved
dc-uint16-tmpl = ( %x30-39 *4DIGIT ) / named-variable
; 0-65535 literal, or a sole %-variable
dc-uint16-value = %x30-39 *4DIGIT
; resolved non-negative integer, max 5 digits,
; semantic range 0-65535
; -- SRV-specific string fields --
dc-srv-protocol = "_tcp" / "_udp" / "_sctp" / "_dccp"
; underscore-prefixed transport per RFC 2782
dc-srv-service = dc-underscore-label
; underscore-prefixed service name per RFC 6335¶
Internationalized domain names (IDN) are handled in accordance with [RFC5891]. Where a parameter description specifies "domain-name", both the ACE ("A-label") and the Unicode ("U-label") forms are accepted.¶
An entity that offers products and services that are configured or accessed using domain names. These services typically rely on DNS for setup, discovery and/or operation. Examples include web hosting, email services, cloud platforms, and other online applications.¶
An entity that offers DNS zone hosting services. DNS Providers are responsible for hosting the DNS zone for a domain name and providing the necessary tools to manage the DNS records. DNS Provider would be an Authoritative server operator for the hosted zones, or would have a contractual relationship with the operator to manage zone distribution over DNS.¶
Refers to the end-user who has means to control domain name's DNS configuration at DNS Provider and wishes to configure it to work with a service provided by a Service Provider.¶
A structured data format that describes a set of configurations for DNS records required by a Service Provider to configure a certain service together with metadata related to the control flow of Domain Connect protocol. A template is used as a means of communication between Service Provider and DNS Provider.¶
Certain labels, parameters, endpoints, and registry entries are present in this specification with Reserved status. These items appear in the original Domain Connect community specification [DC-SPEC] and are reserved here to ensure back-compatibility with that specification. Reserved items MUST NOT be redefined in any manner that is incompatible with their definition in [DC-SPEC]. They MAY be used or further defined only in specifications or drafts that extend this document, provided those specifications normatively require this document as their base and are compatible with [DC-SPEC].¶
Templates are core to Domain Connect, as they fully describe a service owned by a Service Provider and contain all of the information necessary to enable and operate/maintain the service in the form of a set of records.¶
The individual records in a template MAY be assigned to a group identified by a "groupId". This allows for the application of templates in different stages. For example, an email provider might first set a TXT record to verify the domain, and later set an MX record to configure email delivery. While done separately, both changes are fundamentally part of the same service.¶
Templates MAY also contain variable portions, as often values of data in DNS change based on the implementation and/or user of the service (e.g. the IP address of a service, a user id, etc.).¶
The template is defined by the Service Provider and manually onboarded with the DNS Provider. This is an out-of-band process between the Service Provider and the DNS Provider and not covered by this specification.¶
DNS Providers are trusted parties by virtue of their existing full access to the DNS zone. DNS Providers enforce user authorization checks before enacting any DNS zone changes, and present proposed changes to the user in a human-readable form.¶
Service Providers are not assumed to be trusted by default. A malicious actor may attempt to exploit user trust by impersonating a legitimate Service Provider. Trust between DNS Providers and Service Providers is therefore established out-of-band - typically through an onboarding process involving contractual agreements or template acceptance policies - during which the DNS Provider verifies the legitimacy of the Service Provider and its templates.¶
Templates define and restrict the permitted scope of DNS modifications. By fixing the records that a Service Provider may affect, templates ensure that no changes beyond the approved scope can be applied.¶
To attach a domain name to a service provided by a Service Provider, the user would first enter their domain name.¶
Instead of relying on examination of the nameservers and mapping these to DNS Providers, DNS Provider discovery is handled through simple records in DNS and an API. The Service Provider queries for a specific record in the zone that returns a REST endpoint to initiate the protocol. When this endpoint is called, a Domain Connect compliant DNS Provider returns information about that domain and how to configure it using Domain Connect.¶
To apply the changes to DNS, this document defines a synchronous web flow. The DNS Provider presents a consent UX to the user and applies the template within the same interaction session.¶
[DC-SPEC] also defines an asynchronous flow based on OAuth. Other flows may be defined in the future. Therefore, although it is RECOMMENDED to cover the synchronous flow, implementers MAY decide not to do so and only implement other flows not defined in this document. The signaling offered by DNS Provider discovery allows for that.¶
This flow is tailored for the Service Provider that requires a user-attended, one-time change to DNS configuration. In this flow, the user is present throughout: they authenticate with the DNS Provider and explicitly consent to the changes within a single interaction session.¶
The term "synchronous" refers to this user-interaction model - not to immediate DNS propagation. The DNS Provider commits to applying the template upon user consent, but the changes MAY be queued internally and propagation to authoritative servers MAY take additional time. Service Providers MUST NOT assume that DNS records are resolvable immediately after the flow completes; see Section 8.4.¶
,-.
`-'
/|\
| ,----------------. ,------------. ,----------.
/ \ |Service Provider| |DNS Provider| |DNS Server|
User `--------+-------' `------+-----' `-----+----'
1 Provides domain name | |
|------------->| | |
| | | |
| | 2 Initiates DNS discovery |
| |---------------------------------------->|
| | | |
| | 3 Responds with |
| | discovery URL fragment |
| |<----------------------------------------|
| | | |
| 4 Requests DNS Provider settings |
| |----------------->| |
| | | |
| 5 Provides settings| |
| |<-----------------| |
| | | |
| 6 Queries for supported template |
| |----------------->| |
| | | |
| 7 Responds template| |
| support status | |
| |<-----------------| |
| | | |
8 Presents connection link | |
|<-------------| | |
| | | |
| 9 Navigates to DNS Provider | |
|-------------------------------->| |
| | | |
| | | |
_________________________________________________________|
! ALT / if the template requires signing !
!_____/ | | !
! 10 Lookup URL | !
! signature keys (DNS) !
! |<-----------------| !
! | | !
! | |----. !
! | | | 11 Check !
! | |<---' request URL !
! | | signature !
! | | !
!~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~!
| | | |
| 12 Requests authentication | |
|<--------------------------------| |
| | | |
| 13 Authenticate | |
|-------------------------------->| |
| | | |
| | |----. |
| | | | 14 Check domain |
| | |<---' ame in |
| | | customer's |
| | | account |
| | | |
| | | |
15 Requests consent for DNS changes |
|<--------------------------------| |
| | | |
| 16 Confirms consent | |
|-------------------------------->| |
| | | |
| | 17 Apply changes to DNS|
| | |--------------------->|
| | | |
| 18 Redirect/ Close window |
| |<- - - - - - - - -| |
| | | |
| | 19 Query DNS records |
| |---------------------------------------->|
| | | |
| | 20 New DNS records |
| |<----------------------------------------|
| | | |
21 Report success | |
|<-------------| | |
Steps:¶
A template is defined as a standard JSON data structure containing the following data. Field values MUST be defined unless otherwise indicated.¶
| Data Element | Type | Key | Description |
|---|---|---|---|
| Service Provider Id | String | providerId | (REQUIRED) The unique identifier of the Service Provider that created this template. This is used in the URLs to identify the Service Provider. The value MUST conform to the dc-id syntax (see Section 3).To ensure non-coordinated uniqueness, this SHOULD be the domain name of the Service Provider (e.g. exampleservice.example). |
| Service Provider Name | String | providerName | (REQUIRED) The name of the Service Provider, suitable for display to the user. The value MUST conform to the dc-display-name syntax (see Section 3). |
| Service Id | String | serviceId | (REQUIRED) The name or identifier of the template. This is used in URLs to identify the template. The value MUST conform to the dc-id syntax (see Section 3). |
| Service Name | String | serviceName | (REQUIRED) The name of the service, suitable for display to the user. The value MUST conform to the dc-display-name syntax (see Section 3). |
| Version | Integer | version | (OPTIONAL) If present this represents a version of the template and SHOULD be changed with each update of the template content. This opaque value is mainly informational to improve communication and transparency between providers. The value MUST conform to the dc-version syntax (see Section 3).This is a strict subset of the "JSON number": a positive integer with no leading zeros, no fractional part, and no exponent part. |
| Logo | String | logoUrl | (OPTIONAL) A graphical logo representing the Service Provider and/or Service for use in any web-based flow. If present this MAY be displayed to the user on the DNS Provider consent UX. When present, the value MUST be a valid URI [RFC3986] with scheme "https". |
| Description | String | description | (OPTIONAL) A textual description of what this template does, intended for developer reference. This value is not intended for display to the end user. The value MUST conform to the dc-description-text syntax (see Section 3). |
| Variable Description | String | variableDescription | (OPTIONAL) A textual description of the template variables, intended for developer reference. This value is not intended for display to the end user. The value MUST conform to the dc-description-text syntax (see Section 3). |
| Synchronous Block | Boolean | syncBlock | (OPTIONAL) When "true", indicates that this template does not support the synchronous flow. The DNS Provider MUST refuse a synchronous apply request for this template and MUST return an appropriate error to the user.The default is "false". |
| Shared | Boolean | shared | (OPTIONAL) This flag has been deprecated. It used to indicate that the template allowed a dynamic "providerName" on the query string. It is replaced with the "sharedProviderName" flag in v2.2 of the spec. |
| Shared Provider Name | Boolean | sharedProviderName | (OPTIONAL) When "true", indicates that the caller MAY supply an additional "providerName" parameter at apply time.The default is "false".For backward compatibility with DNS Providers prior to v2.2, it is RECOMMENDED that the deprecated "shared" flag also be set. |
| Shared Service Name | Boolean | sharedServiceName | (OPTIONAL) When "true", indicates that the caller MAY supply an additional "serviceName" parameter at apply time.The default is "false". |
| Synchronous Public Key Domain | String | syncPubKeyDomain | (OPTIONAL) The domain name under which the Service Provider's public signing key TXT record is published. When present, this field signals that digital signing is required for synchronous apply requests. The value MUST conform to the dc-pubkey-domain syntax (see Section 3). |
| Synchronous Redirect Domains | String | syncRedirectDomain | (OPTIONAL) A comma-separated list of domain names to which the DNS Provider is permitted to send the post-apply redirect in the synchronous flow. The value MUST conform to the "dc-host-list" syntax (see Section 3). |
| Multiple Instance | Boolean | multiInstance | (OPTIONAL) When "true", indicates that the template is designed to be applied multiple times to the same domain and host.The default is "false". |
| Warn Phishing | Boolean | warnPhishing | (OPTIONAL) When "true", signals that the template contains variables that cannot be constrained by digital signing and may be susceptible to phishing.The default is "false". |
| Host Required | Boolean | hostRequired | (OPTIONAL) When "true", indicates that the template is designed to work only when both "domain" and "host" apply parameters are provided, for example when the template contains a CNAME record targeted at the fully qualified domain name.The default is "false". |
| Template Records | Array of Template Records | records | (REQUIRED) A list of records for the template. |
Each template record is an entry that contains a type and several other values depending on the type.¶
Many of these values can contain variables, which are expressed as strings surrounded with "%" or special variable "@" (See: Section 9.1). Variables are replaced with values when the template is applied.¶
Each record MUST contain the following elements unless otherwise specified.¶
| Data Element | Type | Key | Description |
|---|---|---|---|
| Type | enum | type | (REQUIRED) Describes the type of record in DNS, or the operation impacting DNS. Valid values include: A, AAAA, CNAME, MX, TXT, SRV, or SPFM. The DNS Provider MUST support the core set of records A, AAAA, CNAME, MX, TXT, SRV. The DNS Provider SHOULD support SPFM record for high interoperability with existing templates All other record types MAY be specified by type name as listed in IANA registry for DNS Resource Record (RR) TYPEs. Unknown record types MAY be specified as per [RFC3597] by the word "TYPE" immediately followed by the decimal RR type number, with no intervening whitespace. Support for other record types is OPTIONAL. The value MUST conform to the dc-record-type syntax (see Section 3). |
| Group ID | String | groupId | (OPTIONAL) This parameter identifies the group the record belongs to when applying changes. The value MUST conform to the dc-id syntax (see Section 3) and MUST NOT contain variable expressions. |
| Essential | enum | essential | (OPTIONAL) This parameter indicates how the record is treated during conflict detection with existing templates. If the DNS Provider is not implementing applied template state in DNS this is ignored. Always (default) - record MUST be applied and kept with the template OnApply - record MUST be applied but can be later removed without dropping the whole template The value MUST conform to the dc-essential syntax (see Section 3).If omitted, the value MUST be assumed to be "Always". |
| Host | String | host | (REQUIRED) The host for A, AAAA, CNAME, NS, TXT, MX and other unspecified record type values. This value is relative to the applied host and domain, unless trailed by a ".". A value of empty or "@" indicates the root of the applied host and domain. In other words "[host.]example.com.".When used in a template definition, the value MUST conform to the dc-host-tmpl syntax (see Section 3).After variable substitution, the resolved value MUST conform to the domain-name syntax (see Section 3). |
| Name | String | name | The name for the SRV record. This value is relative to the applied host and domain. A value of empty or "@" indicates the root of the applied host and domain.When used in a template definition, the value MUST conform to the dc-host-tmpl syntax (see Section 3).After variable substitution, the resolved value MUST conform to the domain-name syntax (see Section 3). |
| Points To | String | pointsTo | The pointsTo location for A, AAAA, CNAME, NS and MX records. When used in a template definition, the value MUST conform to the "dc-pointsto-tmpl" syntax for "CNAME"/"MX" and to the "dc-pointsto-nat-tmpl" syntax for A/AAAA/NS (see Section 3).After variable substitution, the resolved value MUST conform to the presentation format of the corresponding resource record type. |
| TTL | Int or string repr. of Int | ttl | The time-to-live for the record in DNS. Valid for A, AAAA, CNAME, NS, TXT, MX, and SRV records. This SHOULD NOT contain variables unless absolutely necessary. When used in a template definition, the value MUST conform to the dc-ttl-tmpl syntax (see Section 3).After variable substitution, the resolved value MUST conform to the dc-ttl-value syntax. This value, no matter if variable or constant, is understood as "best effort" by DNS Provider and MAY be limited or adjusted by local policy at runtime or during template onboarding, like applying a certain minimum or maximum value of TTL or an enumeration of TTL values supported by the DNS Provider. The DNS Provider SHOULD NOT reject template application because of invalid value, rather pick the nearest supported value or a default, in order to avoid necessity of per provider adjustment to the application flow. Support of variables in this field is OPTIONAL for DNS Provider. |
| Data | String | data | For TXT record "data" contains TXT-DATA [RFC1035] in presentation format. For a single "<character-string>" the heading and trailing " character MAY be omitted even if space character is present in the value. "data" MUST NOT be present in a template record for any other record type that has type-specific data fields defined in this specification. For any unspecified record type, this field contains the canonical presentation format of the record, following [RFC3597] generic or type-specific encoding. |
| TXT Conflict Matching Mode | String | txtConflictMatchingMode | Describes how conflicts on the TXT record are detected. Possible values are None, All, or Prefix. See below (Section 10.4). The value MUST conform to the dc-txt-conflict-mode syntax (see Section 3).If omitted, the value MUST be assumed to be "None". |
| TXT Conflict Matching Prefix | String | txtConflictMatchingPrefix | The prefix to detect conflicts when txtConflict-MatchingMode is "Prefix". See below (Section 10.4).The value MUST conform to the dc-conflict-prefix syntax (see Section 3). |
| Priority | Int or string repr. of Int | priority | The priority for an MX or SRV record. When used in a template definition, the value MUST conform to the dc-uint16-tmpl syntax (see Section 3).After variable substitution, the resolved value MUST conform to the dc-uint16-value syntax.Support of variables in this field is OPTIONAL for DNS Provider. |
| Weight | Int or string repr. of Int | weight | The weight for the SRV record. When used in a template definition, the value MUST conform to the dc-uint16-tmpl syntax (see Section 3).After variable substitution, the resolved value MUST conform to the dc-uint16-value syntax.Support of variables in this field is OPTIONAL for DNS Provider. |
| Port | Int or string repr. of Int | port | The port for the SRV record. When used in a template definition, the value MUST conform to the dc-uint16-tmpl syntax (see Section 3).After variable substitution, the resolved value MUST conform to the dc-uint16-value syntax.The resolved value is further constrained to the range 0-65535 as defined by [RFC6335]. Support of variables in this field is OPTIONAL for DNS Provider. |
| Protocol | String | protocol | The protocol for the SRV record. The value MUST conform to the dc-srv-protocol syntax (see Section 3). |
| Service | String | service | The symbolic service name for the SRV record. The value MUST conform to the dc-srv-service syntax (see Section 3). |
| Target | String | target | The target hostname for the SRV record as defined in Section 3.1 of [RFC2782]. When used in a template definition, the value MUST conform to the dc-pointsto-tmpl syntax (see Section 3), or be the single label "." to indicate that the service is not available.After variable substitution, the resolved value MUST conform to the domain-name syntax (see Section 3), or be ".". |
| SPF Rules | String | spfRules | These are desired rules for the SPF TXT record. These rules SHOULD be merged with other SPFM records into final SPF TXT record. See Section 9.4. The value MUST contain only mechanism and modifier terms as defined in [RFC7208] Section 5, excluding the version prefix ("v=spf1") and the terminating "all" qualifier. The DNS Provider MUST validate the syntax before merging. |
The following table lists the fields that MAY be defined for each record type. Other fields MUST NOT be used.¶
| Type | Required fields |
|---|---|
"A"
|
"host", "pointsTo", "ttl"
|
"AAAA"
|
"host", "pointsTo", "ttl"
|
"CNAME"
|
"host", "pointsTo", "ttl" ("host" MUST NOT be "@" or empty unless "hostRequired" is "true" in the template) |
"NS"
|
"host", "pointsTo", "ttl"
|
"TXT"
|
"host", "data", "ttl", "txtConflictMatchingMode", "txtConflictMatchingPrefix"
|
"MX"
|
"host", "pointsTo", "ttl", "priority"
|
"SRV"
|
"name", "target", "ttl", "priority", "protocol", "service", "weight", "port"
|
"SPFM"
|
"host", "spfRules"
|
| other types |
"host", "data", "ttl"
|
Templates MUST be considered as scoped to the "domain" and "host" apply parameter pair. The "host" value is specified in the apply URL.¶
The template's "host" or "name" field values are interpreted relative to this scope, as described in Section 9.3.¶
The recommended way to configure records on a Sub Domain is to use the "host" apply parameter rather than embedding sub-domain labels in template "host" field values as variables. This keeps the template scope unambiguous and enables correct conflict detection and template state tracking. Template "host" field values containing variables that resolve to sub-domain labels cause the template scope to be indeterminate at consent time, which prevents accurate conflict detection.¶
To add a record at the Zone Apex even when a Sub Domain is specified in the apply request, the template "host" field value "%domain%." MAY be used, which resolves to the absolute Zone Apex name regardless of the "host" parameter.¶
When a template is not applicable at the Zone Apex - for example because it contains a CNAME record or any other record type that is incompatible with Apex placement - the "hostRequired" flag SHOULD be set to "true" in the template definition (see hostRequired (Section 6.1)).¶
It is noted that as a best practice the variable portions SHOULD be constrained to as small as possible a portion of the resulting DNS record.¶
For example, say a Service Provider requires a CNAME of one of three values for their users: "s01.example.com", "s02.example.com", and "s03.example.com".¶
The value in the template could simply contain "%servercluster%", and the fully qualified string passed in. Alternatively, the value in the template could contain "%var%.example.com" and a value of "01", "02", or "03" passed in. By placing more fixed data into the template, the template is less prone to error or misuse and allows better review of intent by the DNS Provider when onboarding the template.¶
The Service Provider MUST publish their public signing key in one or more DNS TXT records at the host formed by prepending the "key" apply parameter value as a label to the "syncPubKeyDomain" template field value.¶
Each TXT record MUST conform to the following grammar:¶
dc-pubkey-record = dc-pubkey-kv *( "," dc-pubkey-kv )
dc-pubkey-kv = ( "p" "=" dc-frag-index )
/ ( "d" "=" dc-frag-data )
/ ( "a" "=" dc-alg-id )
/ ( "t" "=" dc-key-type )
dc-frag-index = 1*DIGIT
; positive decimal integer;
; used for p=
dc-frag-data = 1*( ALPHA / DIGIT / "+" / "/" / "=" )
; standard base64 per RFC 4648;
; used for d=
dc-alg-id = 1*( ALPHA / DIGIT / "-" )
; JWS algorithm identifier per RFC 7518;
; used for a=
dc-key-type = 1*( ALPHA / DIGIT / "-" )
; public key format identifier;
; used for t=¶
| Property | Key | Description |
|---|---|---|
| Fragment Index | p | (REQUIRED) The sequence number of this key fragment. The value MUST conform to the dc-frag-index rule above: a positive decimal integer.Fragments MUST be reassembled in ascending numeric order of "p". |
| Fragment Payload | d | (REQUIRED) A Fragment of base64-encoded key material. The value MUST conform to the dc-frag-data rule above: standard base64 encoding per [RFC4648]. |
| Signing Algorithm | a | (OPTIONAL) The JWS algorithm identifier for the signing algorithm. The value MUST conform to the dc-alg-id rule above and MUST be registered in the IANA "JSON Web Signature and Encryption Algorithms" registry established by [RFC7518].If omitted, MUST be assumed to be "RS256".Support for "RS256" is MANDATORY for both DNS Providers and Service Providers. |
| Public Key Format | t | (OPTIONAL) The format of the public key. The value MUST conform to the dc-key-type rule above.If omitted, MUST be assumed to be "x509". |
To allow for key rotation or use of multiple keys, the Service Provider MAY publish key records at multiple hosts within "syncPubKeyDomain". The "key" apply parameter identifies which host to query for each request and MUST be included in the signed apply request.¶
To account for DNS record size limits, a public key MAY be split across multiple TXT records at the same host. All fragments MUST be reassembled in ascending numeric order of "p" before use. The values "a" and '"d"' MUST be equal for all such TXT records on the same host.¶
Given the public key (line breaks for brevity):¶
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA18SgvpmeasN4BHkkv0SBjAzIc 4grYLjiAXRtNiBUiGUDMeTzQrKTsWvy9NuxU1dIHCZy9o1CrKNg5EzLIZLNyMfI6qiXnM +HMd4byp97zs/3D39Q8iR5poubQcRaGozWx8yQpG0OcVdmEVcTfyR/XSEWC5u16EBNvRn NAOAvZYUdWqVyQvXsjnxQot8KcK0QP8iHpoL/1dbdRy2opRPQ2FdZpovUgknybq/6FkeD tW7uCQ6Mvu4QxcUa3+WP9nYHKtgWip/eFxpeb+qLvcLHf1h0JXtxLVdyy6OLk3f2JRYUX 2ZZVDvG3biTpeJz6iRzjGg6MfGxXZHjI8weDjXrJwIDAQAB¶
Published at "_dcpubkeyv1.<syncPubKeyDomain>" as (line breaks for brevity):¶
EXAMPLE: Example: public key published as DNS TXT records¶
p=1,a=RS256,d=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA18SgvpmeasN 4BHkkv0SBjAzIc4grYLjiAXRtNiBUiGUDMeTzQrKTsWvy9NuxU1dIHCZy9o1CrKNg5EzL IZLNyMfI6qiXnM+HMd4byp97zs/3D39Q8iR5poubQcRaGozWx8yQpG0OcVdmEVcTfy p=2,a=RS256,d=R/XSEWC5u16EBNvRnNAOAvZYUdWqVyQvXsjnxQot8KcK0QP8iHpoL/1 dbdRy2opRPQ2FdZpovUgknybq/6FkeDtW7uCQ6Mvu4QxcUa3+WP9nYHKtgWip/eFxpeb+ qLvcLHf1h0JXtxLVdyy6OLk3f2JRYUX2ZZVDvG3biTpeJz6iRzjGg6MfGxXZHjI8 p=3,a=RS256,d=weDjXrJwIDAQAB¶
To facilitate discovery of the DNS Provider from a domain name DNS is utilized. This is done by returning a TXT record for "_domainconnect" in the zone.¶
The record content represents an authority and path part of the settings REST API URL.¶
EXAMPLE 1: An example of the contents of this record:¶
domainconnect.virtucondomains.example¶
"_domainconnect" TXT record content, when prepended with https:// schema and appended with /v2 path segment, MUST form a valid URL [RFC3986]. "_domainconnect" TXT record MUST contain the authority part of the URL and MAY contain a path part. "_domainconnect" MUST not contain schema, query or fragment part of an URL.¶
As a practical matter of implementation, the DNS Provider may or may not contain a copy of this data in each and every zone. Instead, the DNS Provider MUST simply respond to the DNS query for the "_domainconnect" TXT record with the appropriate data.¶
How this is implemented is up to the DNS Provider.¶
For example, the DNS Provider may not store the data inside a TXT record for the domain, opting instead to put a CNAME in the zone and have the TXT record in the target of the CNAME. Another DNS Provider may simply respond with the appropriate records at the DNS layer without having the data in each zone.¶
The URL prefix returned MUST be subsequently used by the Service Provider to determine the additional settings for using Domain Connect on this domain at the DNS Provider. This is done by calling a REST API.¶
GET
https://{+_domainconnect}/v2/{domain}/settings¶
"_domainconnect" parameter is the URL prefix returned in the "_domainconnect" TXT record.¶
This MUST return a JSON structure containing the settings to use for Domain Connect on the domain name (passed in on the path) at the DNS Provider. This JSON structure MUST contain the following fields unless otherwise specified.¶
| Field | Key | Type | Description |
|---|---|---|---|
| Provider Id | providerId | String | (REQUIRED) Unique identifier for the DNS Provider. The value MUST conform to the dc-id syntax (see Section 3).To allow for non-coordinated uniqueness, this SHOULD be the domain name of the DNS Provider (e.g. virtucom.example). |
| Provider Name | providerName | String | (REQUIRED) The name of the DNS Provider. The value MUST conform to the dc-display-name syntax (see Section 3). |
| Provider Display Name | providerDisplayName | String | (OPTIONAL) The name of the DNS Provider that SHOULD be displayed by the Service Provider. This MAY change per domain for some DNS Providers that power multiple brands. When present, the value MUST conform to the dc-display-name syntax (see Section 3). |
| UX URL Prefix for Synchronous Flows | urlSyncUX | String | (OPTIONAL) The URL Prefix for linking to the UX of Domain Connect for the synchronous flow at the DNS Provider. If not returned, the DNS Provider is not supporting the synchronous flow on this domain. This MUST be a valid URI [RFC3986] with scheme "https", MUST include an authority component, and MUST NOT contain a query component or fragment component.The URI MAY include a path component. |
| UX URL Prefix for Asynchronous Flows | urlAsyncUX | String | (Reserved. See Section 3, Paragraph 13.) |
| API URL Prefix | urlAPI | String | (REQUIRED) The URL Prefix for the REST API. This MUST be a valid URI [RFC3986] with scheme "https", MUST include an authority component, and MUST NOT contain a query component or fragment component.The URI MAY include a path component. |
| Width of Window | width | Number | (OPTIONAL) The desired width in pixels of the pop-up window used for granting consent. If not present, the default MUST be assumed to be 750. |
| Height of Window | height | Number | (OPTIONAL) The desired height in pixels of the pop-up window used for granting consent. If not present, the default MUST be assumed to be 750. |
| UX URL Control Panel | urlControlPanel | String | (OPTIONAL) A URL to the DNS Provider's control panel for manual DNS editing. This field allows a Service Provider whose template is not supported at the DNS Provider to provide a direct link to perform manual edits. The value MAY contain the literal token "%domain%" as a placeholder for the domain name, to allow deep-linking to a specific domain.The value, after any substitution of the "%domain%" token, MUST be a valid URI per [RFC3986] with scheme "https". |
| Name Servers | nameServers | List of String | (OPTIONAL) The list of nameserver hostnames for the zone held by this DNS Provider (typically derived from the zone's NS records). Each entry MUST conform to the "domain-name" syntax (see Section 3). |
Clients MUST ignore any JSON properties in the settings response that are not defined in this specification or not recognized from an applicable extension. DNS Providers MAY include additional JSON properties in the settings response beyond those defined in this specification, however it is RECOMMENDED that those properties are registered in the "Domain Connect Settings Properties" registry defined in Section 12.2 in order to avoid name conflicts.¶
EXAMPLE 2: Example Settings End-Point response¶
{
"providerId": "virtucondomains.example",
"providerName": "Virtucon Domains",
"providerDisplayName": "Virtucon Domains",
"urlSyncUX": "https://domainconnect.virtucondomains.example",
"urlAsyncUX": "https://domainconnect.virtucondomains.example",
"urlAPI": "https://api.domainconnect.virtucondomains.example",
"width": 750,
"height": 750,
"urlControlPanel": "https://domaincontrolpanel.virtucondomains.ex
ample/?domain=%domain%",
"nameServers": ["ns01.virtucondomainsdns.example", "ns02.virtucon
domainsdns.example"]
}¶
When constructing a deep link using "urlControlPanel", the Service Provider MUST replace any occurrence of the literal token "%domain%" with the percent-encoded ACE-form domain name per [RFC3986]. The "%domain%" token MUST be the only substitution token used.¶
The Service Provider MAY compare the "nameServers" list against the authoritative nameservers obtained from the DNS registry or an authoritative NS query, to verify that the correct DNS Provider has been reached. A mismatch may indicate a stale or incorrect "_domainconnect" TXT record, or a deliberate administrative change such as pre-provisioning with a new DNS provider.¶
Discovery MUST work on the Zone Apex only. Bear in mind that zones can be delegated to other users, making this information valuable to Service Providers since DNS changes may be different for a Zone Apex vs. a Sub Domain for an individual service.¶
The Service Provider MUST handle the condition when a query for the "_domainconnect" TXT record succeeds, but a call to query for the JSON fails. This can happen if the zone is hosted with another DNS Provider, but contains an incorrect "_domainconnect" TXT record.¶
The DNS Provider MUST return a 404 HTTP error code if they do not contain the zone.¶
| Status | Response | Description |
|---|---|---|
| Success | 2xx | A response of an http status code of 2xx indicates that the call was successful. The response is the JSON described above. |
| Not Found | 404 | A response of a 404 indicates that the DNS Provider does not have the zone. |
The Domain Connect endpoints returned in the JSON during discovery are in the form of URLs.¶
The first set of endpoints are for the UX that the Service Provider links to. These are for the synchronous flow where the user can click to grant consent and have changes applied.¶
The second set of endpoints are for the REST API.¶
All endpoints begin with a root URL for the DNS Provider such as:¶
https://connect.dnsprovider.example¶
They MAY also include any path segment at the discretion of the DNS Provider. For example:¶
https://connect.dnsprovider.example/api¶
The root URLs for the UX endpoints and the API endpoints are returned in the JSON payload during DNS Provider discovery.¶
GET
{+urlAPI}/v2/domainTemplates/providers/{providerId}/services
/{serviceId}¶
This URL is be used by the Service Provider to determine if the DNS Provider supports a specific template.¶
The following table describes the parameters of the URI template:¶
| Property | Key | Description |
|---|---|---|
| URL API | urlAPI | (REQUIRED) The base URL of the DNS Provider API, taken from the "urlAPI" field of the settings endpoint response (see Section 7).This MUST be a valid URI [RFC3986] with scheme "https"
|
| Service Provider Id | providerId | (REQUIRED) Identifier of the Service Provider of the template. The value MUST conform to the dc-id syntax (see Section 3). |
| Service Id | serviceId | (REQUIRED) Identifier of the template within the Service Provider's namespace. The value MUST conform to the dc-id syntax (see Section 3). |
Returning a status of 200 without a body indicates the template is supported. The DNS Provider MAY disclose the version of the template in a JSON object with field "version" (see: version field (Section 6.1) or the full JSON object of deployed template.¶
Returning a status of 404 indicates the template is not supported.¶
| Status | Response | Description |
|---|---|---|
| Success | 2xx | A response of an http status code of 2xx indicates that the call was successful. The response OPTIONALLY contains the version or template. |
| Not Found | 404 | A response of a 404 indicates that the template is not supported |
GET
{+urlSyncUX}/v2/domainTemplates/providers/{providerId}/services
/{serviceId}/apply{?domain,host,groupId,providerName,
serviceName,instanceId,redirect_uri,properties*}{&sig,key}¶
This is the URL, where the user agent is directed to apply a template to a dns zone the user controls. It is redirected to or linked from the Service Provider to start the synchronous Domain Connect Protocol.¶
For "properties" name/value pairs, parameter names and values MUST be URL-decoded (percent-decoded per [RFC3986]) before processing.¶
| Property | Request Parameter | Description |
|---|---|---|
| URL Sync UX | urlSyncUX | (REQUIRED) The base URL of the DNS Provider synchronous UX endpoint, taken from the "urlSyncUX" field of the settings endpoint response (see Section 7).This MUST be a valid URI [RFC3986] with scheme "https"
|
| Service Provider Id | providerId | (REQUIRED) Identifier of the Service Provider of the template to be applied. The value MUST conform to the dc-id syntax (see Section 3). |
| Service Id | serviceId | (REQUIRED) Identifier of the template to be applied. The value MUST conform to the dc-id syntax (see Section 3). |
| Domain | domain | (REQUIRED) The domain name being configured. This is the Zone Apex (the registered domain or delegated zone). The value MUST conform to the domain-name syntax (see Section 3). |
| Host | host | (OPTIONAL) The host name of the Sub Domain within the zone identified by "domain".When present, the value MUST be a single name conforming to domain-name (see Section 3) or an empty string. |
| Redirect URI | redirect_uri | (OPTIONAL) The location to direct the user agent to upon successful authorization or upon error. The value MUST be an absolute URI conforming to [RFC3986]. |
| State | state | (OPTIONAL) A random and unique string passed along to prevent CSRF, or to pass back state. The value MUST conform to the "state" syntax (see Section 3). |
| Name/Value Pairs | properties | (REQUIRED) Variable values to be substituted into the template. Each parameter name MUST correspond to a variable name defined in the template and MUST conform to the variable-name syntax (see Section 3).Each parameter value MUST conform to the dc-prop-value syntax (see Section 3), using the DNS presentation format [RFC9499].The parameter value corresponds to the value that will be used when applying the template. |
| Provider Name | providerName | (OPTIONAL) Additional display text for the template "providerName", provided by the caller. If "sharedProviderName" is not set in the template, this parameter MUST NOT be set. Note: this used to be controlled by the "shared" attribute in the template, which has been deprecated.The value MUST conform to the dc-display-name syntax (see Section 3). |
| Service Name | serviceName | (OPTIONAL) Additional display text for the template "serviceName", provided by the caller. If "sharedServiceName" is not set in the template, this parameter MUST NOT be set.The value MUST conform to the dc-display-name syntax (see Section 3). |
| Group ID | groupId | (OPTIONAL) Specifies the subset of groups from the template to apply. The value MUST conform to the dc-id-list syntax (see Section 3). |
| Signature | sig | (OPTIONAL) A digital signature of the canonical query string. The value MUST conform to the dc-sig syntax (see Section 3):a standard base64-encoded [RFC4648] signature, URL-encoded when carried in the query string. See the Section 8.3.2.1 below for the signing procedure. |
| Key | key | (OPTIONAL) The DNS host label within the syncPubKeyDomain at which the public key TXT record is published.The value MUST conform to the dc-key-label syntax (see Section 3): a single DNS label, either a plain ACE-form label or an RFC 8552 underscore-prefixed label.See the Section 8.3.2.1 below. |
An example query string:¶
GET https://web-connect.dnsprovider.example/v2/domainTemplates/providers/ exampleservice.example/services/template1/apply?domain=example.com& IP=192.168.42.42&RANDOMTEXT=shm%3A1542108821%3AHello¶
This call indicates that the Service Provider wishes to connect the domain example.com to the service using the template identified by the composite key of the provider (exampleservice.example) and the service template owned by them (template1). In this example, there are two variables in this template, "IP" and "RANDOMTEXT". These variables are passed as name/value pairs.¶
Signing the query string is OPTIONAL for templates that do not specify "syncPubKeyDomain". When "syncPubKeyDomain" is present in the template, the Service Provider MUST sign the request and the DNS Provider MUST reject any unsigned apply request (see Section 8.3.4).¶
The Service Provider MUST generate the digital signature as follows:¶
Construct the canonical input string:¶
"key" parameter within "syncPubKeyDomain" (see Section 6.4), using the algorithm identified by the "a" field of the key record (default: "RS256"). The "RS256" identifier denotes RSASSA-PKCS1-v1_5 using SHA-256, as defined in [RFC7518] Section 3.3.¶
dc-sig rule).¶
"sig" value and the "key" identifier to the canonical input string to form a signed query string.¶
The signed query string MUST be used as-is as the query string of the request URL, without re-encoding, adding or re-ordering of query parameters.¶
EXAMPLE: Example: signed query string parameters¶
Example canonical input:¶
a=1&b=2&domain=example.net&ip=10.10.10.10&text=a%2Bb¶
Example signature:¶
sig=V2te9zWMU7G3plxBTsmYSJTvn2vzMvNwAjWQ%2BwTe91DxuJhdVf4cVc4vZBYfEYV 7u5d7PzTO7se7OrkhyiB7TpoJJW1yB5qHR7HKM5SZldUsdtg5%2B1SzEtIX0Uq8b2mCmQ F%2FuJGXpqCyFrEajvpTM7fFKPk1kuctmtkjV7%2BATcvNPLWY7KyE4%2Bqc8jpfN61cP 5l8iA4krAa3%2BfTro5cmWR8YUJ5yrnRs6KT4b5D71HFvOUk0sGEUddUUlsyRQKRHUFN6 HjEya50YDHfZJlYHkHlK0xX6Yqeii9QZ2I35U9eJbSvZGQko5beqviWFXdsVDbvd3DYcb SHgJq9%2FXoMTTw%3D%3D&key=_dcpubkeyv1¶
The Service Provider initiates the synchronous flow by directing the user agent to the Apply Template URL (see Section 8.3.1), constructed as specified in Section 8.3.2.¶
The DNS Provider validates the request to ensure that all required parameters are present and valid. This includes also verification of request signature (see Section 8.3.4 below).¶
If the request is valid, the DNS Provider authenticates the user, validates user's authorization to modify the DNS zone, obtains authorization to apply the template to the DNS and finally applies the changes. This process is described in Section 10.¶
Upon receiving a Template Apply Request for a template whose "syncPubKeyDomain" is set, the DNS Provider MUST perform the following steps and MUST reject the request if any step fails:¶
"sig" and "key" parameters.¶
"key" parameter value as a label to "syncPubKeyDomain" (see Section 6.4). If no such records are found, the processing fails.¶
"dc-pubkey-record", and concatenate the "d" values in ascending order of "p" to obtain the complete encoded public key.¶
"a" and "t" fields. If absent, assume "RS256" and "x509" respectively.¶
"t".¶
"sig" and "key" key/value pairs from the received query string without reordering or re-encoding the remaining of the query string. If the canonical string needs to be reconstructed from individual parameters (what is not RECOMMENDED), the same construction steps as the signing procedure MUST be followed (see Section 8.3.2.1).¶
"sig" parameter value, and verify the signature against the input string using the retrieved public key and identified algorithm.¶
After successful processing of Template Apply Request the DNS Provider MUST terminate the user flow according to one of the following cases:¶
If "redirect_uri" was present in the request and the template's "syncRedirectDomain" field is set, the DNS Provider MUST redirect the user agent to the "redirect_uri".
¶
The following parameters MUST be appended to the "redirect_uri":¶
"state" - If a "state" parameter was present in the request, it MUST be echoed back unchanged as "state=" on the redirect URI.¶
"redirect_uri" was not provided, or if "syncRedirectDomain" is not set in the template, the DNS Provider MUST gracefully terminate the user flow by other means (for example, displaying a completion page). When the user agent is a web browser and the DNS Provider's page was opened in a separate window or tab, the DNS Provider SHOULD attempt to close that window or tab.¶
To prevent open redirects, the DNS Provider MUST NOT redirect the user agent to a "redirect_uri" value whose registered domain is not listed in the template's "syncRedirectDomain" field, unless the request carries a valid digital signature (see Section 8.3.2.1).¶
The Service Provider SHOULD verify the outcome via DNS regardless of how the flow terminates (see Section 8.4).¶
If the DNS Provider cannot complete the apply operation - for example because authentication failed, the user does not control the domain, the domain is suspended, or the user explicitly canceled - the DNS Provider MUST signal an error.¶
If "redirect_uri" is present and the open-redirect constraint is satisfied, the DNS Provider MUST redirect the user agent to the "redirect_uri" with the following parameters appended:¶
"error" - REQUIRED on error. The value MUST be one of the error codes defined in Section 4.1.2.1 of [RFC6749]: "invalid_request", "unauthorized_client", "access_denied", "unsupported_response_type", "invalid_scope", "server_error", or "temporarily_unavailable".¶
"error_description" - OPTIONAL. A developer-oriented plain-text description of the error. The DNS Provider SHOULD keep descriptions vague where disclosure of internal account or domain state would be inappropriate.
¶
As a RECOMMENDED convention, when the user explicitly cancels the operation and the DNS Provider uses "error=access_denied", the "error_description" value MAY carry the prefix "user_cancel" to allow the Service Provider to distinguish user cancellation from other denial reasons.¶
"state" - If a "state" parameter was present in the request, it MUST be echoed back unchanged as "state=" on the redirect URI.¶
If "redirect_uri" is not present or the open-redirect constraint is not satisfied, the DNS Provider MUST gracefully terminate the user flow and SHOULD present an appropriate error indication to the user. When the user agent is a web browser and the DNS Provider's page was opened in a separate window or tab, the DNS Provider SHOULD attempt to close that window or tab.¶
After the synchronous flow completes, the Service Provider SHOULD verify that the expected DNS records are present in the zone by querying the authoritative DNS server for the domain.¶
DNS verification MUST be treated as the authoritative signal of success. A "redirect_uri" callback received without an "error" parameter does not constitute proof that the template was applied. Users can modify redirect URIs in the user agent, so a successful-looking redirect MUST NOT be relied upon as confirmation of DNS changes. Similarly, a "redirect_uri" callback received with an "error" parameter does not constitute proof that the template was NOT applied; the DNS Provider MAY have applied the template before the error condition arose.¶
Receipt of a protocol-level completion signal MAY be used as a trigger to initiate DNS verification. However, the Service Provider MUST account for DNS propagation delay and MUST implement a retry mechanism with appropriate intervals until the expected records are observed or a timeout is reached.¶
To minimize delays caused by DNS resolver caching, it is RECOMMENDED that the Service Provider query a DNS resolver configured with low TTL overrides, or query the authoritative name servers directly.¶
Variable expressions are the parameterized parts of a Domain Connect Template. Each expression contains one variable specifier (which can be either a named variable or a special variable "@") that is replaced with a value during template application.¶
There are three Built-In variables:¶
"%host%"`: This is the host passed from the query string¶
"%domain%"`: This is the domain passed from the query string¶
"%fqdn%": This is the fully qualified domain name or template application e.g. [host.]domain¶
For example, with the query string "domain=example.com&host=", "%fqdn%" in a template would be "example.com", and with "domain=example.com&host=sub1", "%fqdn%" in a template would be "sub1.example.com".¶
The "@" variable has special meaning, and can be used in the "host"/"name" field or in the "pointsTo" field in isolation. For the "host"/"name" and "pointsTo" fields it is a shortcut for the value "%fqdn%.". The trailing dot here is equal to the DNS master file notation [RFC1035], which indicates the value is absolute. For some record types, like "A" or "AAAA" usage of "@" in pointsTo would not render a valid IP address, therefore MUST NOT be used. Likewise in "NS" record types it would render a circular delegation therefore MUST NOT be used.¶
"%domain%", "%host%", and "%fqdn%" derived from the "domain" and "host" apply parameters (see Section 9.1.2).¶
When a template is applied, the variables in the template are replaced with the values passed as input.¶
Variables are identified by their name ('"variable-name"' part of the syntax or "@") and the whole variable expression is replaced with a value of either Built-In Variable or Name/Value pairs provided to the Apply operation.¶
Only active records (as determined by group filtering, see Section 10.3) MUST be processed. Template fields of inactive records MUST NOT be processed.¶
Variables are only allowed in template fields of type string, therefore the input field values from the template MUST be decoded from JSON string encoding before variable substitution.¶
Variables are replaced in the template fields in the order they are found. If a variable is not found in the input, the processing MUST fail. After a variable is replaced, only the remaining string is used for further variable substitution.¶
The result of the processing MAY still contain strings containing variable expressions coming from Input Values of variable substitution. The processing MUST NOT fail in this case, and the variable expressions MUST be left as is without any further processing.¶
The DNS Provider MUST ignore any request parameter not referenced in the template.¶
After variable substitution, each template record's "host" or "name" field value is combined with the "domain" and "host" apply parameters to produce the final DNS owner name for the resource record.¶
If the rendered template field value is "@" or empty, it resolves to the root of the applied scope - equivalent to the fully qualified "[host.]domain.".¶
If the rendered template field value ends with a "." (trailing dot), it is treated as an absolute DNS name and used as-is, without further qualification.¶
Otherwise, the rendered value is treated as relative and prepended as a label to the fully qualified "[host.]domain" formed by the apply parameters.¶
EXAMPLE: Template records example¶
[{
"type": "CNAME",
"host": "www",
"pointsTo": "@",
"ttl": 1800
},
{
"type": "A",
"host": "@",
"pointsTo": "192.0.2.1",
"ttl": 1800
}]¶
DNS zone after the template applied with "domain=example.com" and "host" parameter missing or empty:¶
www 1800 IN CNAME example.com. @ 1800 IN A 192.0.2.1¶
alternatively¶
www.example.com. 1800 IN CNAME example.com. example.com. 1800 IN A 192.0.2.1¶
DNS zone after the template applied with "domain=example.com" and "host=bar":¶
www.bar 1800 IN CNAME bar.example.com. bar 1800 IN A 192.0.2.1¶
alternatively¶
www.bar.example.com. 1800 IN CNAME bar.example.com. bar.example.com. 1800 IN A 192.0.2.1¶
The challenge with SPF RFC 7208 [RFC7208] records and Domain Connect is that an individual service might recommend an SPF record. If only one service were active, this would be accurate. But with several services together only the DNS Provider is able to determine the valid shape of a SPF TXT record.¶
One solution to this problem is to merge all related records. At the highest level, this means taking everything between the "v=spf1" and the "all" from each of the records and merging them together, terminating with hard-coded modifier on "all" at the end. For an SPF record to fulfill it's purpose of protection against malicious email delivery, it is RECOMMENDED to use a fixed modifier "~" advising lower rating of the messages from other sources not specified in SPF, however DNS Provider MAY set this modifier at their own discretion and according to the current best practice.¶
@ TXT v=spf1 include:spf.mailer1.example include:_spf.newsletter.exam ple ~all¶
The other would be to write intermediate records, and reference these locally.¶
r1.example.com. TXT v=spf1 include:spf.mailer1.example ~all r2.example.com. TXT v=spf1 include:_spf.newsletter.example ~all @ TXT v=spf1 include:r1.example.com include:r2.example.com ~all¶
There are advantages and disadvantages to both approaches. SPF records have a limit of 10 DNS lookups and record length is limited to 255 characters. So depending on the embedded records both approaches might have advantages.¶
The implementation would be left to the DNS Provider, but to facilitate this SPF records SHOULD NOT be included in templates. Instead, a new pseudo-record type is introduced in the template called "SPFM". This has the following attribute:¶
"spfRules":Determines the desired rules, basically everything but leading "v=spf1" and trailing "all" rule - see: SPF Rules (Section 6.2)¶
When a template is added or removed with an "SPFM" record in the template, some code would need to take the aggregate value of all "SPFM" records in all templates applied as well as existing SPF TXT record on the host and recalculate the resulting SPF TXT record. In case several sources specify the same rule with a different policy DNS Provider SHOULD apply the least restrictive one as a result. "soft failure" SHOULD be preferred over "hard failure", "neutral" SHOULD be preferred over "soft failure".¶
DNS Provider SHOULD also allow the end user to modify the SPF record after merging.¶
Due to merging step in between, the resulting SPF TXT records are considered non-essential. That means the user may decide to override the final calculated value or remove the whole SPF record. This action MUST NOT lead to removal of any related templates in conflict detection and template integrity routines if implemented by the DNS Provider.¶
If the existing TXT record makes the merging operation not possible, the DNS Provider MUST handle this situation the same way as a conflict and either let the end-user resolve it in the UX.¶
Service Providers MUST NOT check content of TXT SPF record for an exact match, as it might be strongly influenced by the DNS Provider merging strategy and user actions.¶
See Appendix A.6.¶
DNS Providers MAY choose to maintain state inside records in DNS indicating the templates writing the records.¶
A DNS Provider that maintains this state may be able to provide an improved experience for users, telling them the services enabled. They also may be able to have more advanced handling of conflicts and assure integrity of applied template instances.¶
A template instance is identified by the pair "domain" and "host" where the template has been applied. Therefore, the same template MUST be able to be applied more than once to the same DNS zone identified by "domain", as long as the value of "host" parameter differs. Application of the same template with same "host" MAY be handled as an update by DNS provider, or just trigger a regular conflict detection and resolution routine by DNS Provider - removal of the previous instance and apply of the new instance.¶
Manual changes made by the user at the DNS Provider MAY also trigger conflict detection against applied templates in order to maintain integrity.¶
The following steps give an overview of the template application process. Each step is described in detail in the sections below.¶
"syncBlock" field is not "true". If it is, the DNS Provider MUST NOT process the request and MUST return an error.¶
"domain" is present in the user's account and that the user is authorized to make changes to it.¶
"groupId" property of the template and "groupId" apply parameter (see Section 10.3).¶
Resolve variables - All variable expressions in active template records are substituted with the values provided by the caller, producing a concrete set of DNS resource records (RRs) to be applied (see Section 9.2).¶
Perform conflict detection - The DNS Provider checks the resolved RR set against the existing zone content according to the conflict detection rules (see Section 10.4).¶
"host" for removal unless "multiInstance" is set for the template (see Section 10.4.1.1).¶
Obtain user authorization - The DNS Provider MUST present the intended changes and the pre-calculated conflict consequences to the user and obtain explicit authorization before proceeding (see Section 10.6).¶
Apply changes - After authorization is granted, or at later point in Asynchronous flow:¶
"domain" and "host" pair and remove the state of any template instances that were resolved for removal.¶
Before variable substitution and any further processing, the DNS Provider MUST determine the active record set - the subset of template records that are subject to processing - by applying the following rules to each record in the template:¶
"groupId" field is always active, regardless of whether a "groupId" parameter was supplied in the apply request.¶
"groupId" field is active if and only if its "groupId" value appears in the list supplied as the "groupId" apply parameter. Matching is case-sensitive and exact.¶
"groupId" parameter is supplied in the apply request, all records are active irrespective of whether they carry a "groupId".¶
Only active records MUST be subject to variable substitution, conflict detection, and zone write operations. Inactive records MUST be excluded from all template processing steps and MUST NOT be written to the zone.¶
If the "groupId" parameter is supplied but no record in the template carries a "groupId" that matches any of the specified identifiers (i.e., the active record set consists solely of ungrouped records or is empty), the DNS Provider MUST return an error and MUST NOT make any changes to the zone.¶
When a "groupId" parameter is supplied, the apply operation is additive: only the records belonging to the specified groups are written, while records of other groups that were written by a prior application of the same template instance MUST NOT be disturbed.¶
Consequently, for DNS Providers that maintain applied template state, an existing instance of the same template on the same "domain" and "host" MUST NOT be removed before the new records are written, regardless of conflict-detection outcome for the active record set, however such provider MUST remove the records previously written for the same group(s) before writing the new active record set, in order to avoid accumulation of stale records from superseded group applications.¶
Conflict detection is performed by the DNS Provider prior to template application. The rules below ensure predictable conflict resolution between DNS Providers. Each rule applies to records on the same host, unless otherwise specified.¶
"foo" conflicts with any record at "foo", "www.foo", "bar.foo", etc. Conversely, any other record type conflicts with NS records in the same manner.¶
TXT record conflict detection is governed by the "txtConflictMatchingMode" property of the template record:¶
Note: DNS Provider MUST also check applicability of all generated records to the target DNS zone in its own system. For example it is very common for DNS provider not to allow CNAME records to be at the zone apex.¶
This processing only REQUIRED for DNS Providers that maintain applied template state.¶
By default a template is expected to be applied only once to a target "domain" and "host", therefore any consecutive attempt to apply the same template would be treated as an update. For some templates however it is desirable to be able to create multiple instances (for example add second TXT record on the same host as opposed to replacing the current value).¶
A template flag multiInstance (Section 6.1) can be set in order to allow for that. This tells the DNS Provider that the template is expected to be written multiple times and that a re-apply MUST NOT remove previous instances with the same "host". Regular conflict detection rules MUST still be processed between instances, therefore such a template MUST be designed so that it does not conflict with itself.¶
This processing only REQUIRED for DNS Providers that maintain applied template state.¶
A template record is considered essential when it MUST be present and remain consistent with the applied template for the entire lifetime of the service. The essential property of a template record controls this behavior and MUST be set to "Always" (the default) for such records.¶
A DNS Provider that maintains applied template state MUST treat an attempt of removal or modification of such an essential record as a conflict indicator, and MUST require the full template to be removed or abort.¶
Records with "essential=OnApply" MUST be applied when the template is first applied, but MAY be subsequently removed or altered - by the user or through the application of another template - without triggering conflict or removal of the owning template.¶
A DNS Provider not maintaining applied template state, applying a template whose records conflict with any existing record in the zone MUST remove all those conflicting records.¶
When a DNS Provider maintains applied template state, applying a template whose records conflict with records written by a previously applied template MUST cause the conflicting prior template to be removed in its entirety, unless a conflicting record is explicitly marked as non essential and eligible for removal. As an example: if template T1 wrote records A and B, and template T2 is applied with records B and C, record B conflicts, and T1 is removed together with all its records before T2 is applied.¶
In the Synchronous Flow, after authorization is granted, the DNS Provider applies the template to the DNS zone.¶
In the Asynchronous Flow this happens in later point in time. In this case conflict resolution MUST be calculated again for the actual state of the zone and parameters provided with the apply request.¶
The DNS Provider MUST remove all conflicting templates and records from the target zone.¶
The DNS Provider MUST apply all records of the template in totality as one atomic operation.¶
Examples of template processing are in Appendix A.¶
Templates that accept variable parameters introduce a phishing risk. The more static the values in a template record, the more secure the template. When variable values cannot be avoided, a bad actor could craft an apply URL substituting a malicious value - for example, a hijacked IP address - and send it to users as a seemingly legitimate reconfiguration request. The user would be presented with a DNS Provider consent screen that appears valid, but would result in DNS being pointed at infrastructure under the attacker's control.¶
Not all templates are susceptible; the risk is proportional to how much of a record's content is controlled by variables. Three mitigations are available to template authors and Service Providers: digitally signing apply requests (see the Section <<Section 8.3.2.1,format=title>>), using an alternative flow not prone to this risk and disabling the synchronous flow via "syncBlock", and setting the "warnPhishing" flag to prompt the DNS Provider to display additional warnings to the user.¶
"_domainconnect" DNS Node Name
Per [RFC8552], please add the following entry to the "Underscored and Globally Scoped DNS Node Names" registry:¶
| RR Type | _NODE NAME | Reference |
|---|---|---|
| TXT | _domainconnect | This document. |
IANA is requested to create a new registry named "Domain Connect Settings Properties" under a new registry group "Domain Connect Protocol".¶
Each entry in the registry MUST include:¶
Status: the lifecycle state of the registration. The following values are defined; IANA MAY define additional values as needed:¶
"Active": the property is currently in use and its definition is normative.¶
"Deprecated": the property SHOULD NOT be used in new implementations; it MAY appear in existing deployments for backwards compatibility.¶
"Reserved": the property appears in earlier versions of the Domain Connect specification (see [DC-SPEC]) and is reserved for back-compatibility. It MUST NOT be redefined in a manner incompatible with [DC-SPEC]. See Section 3, Paragraph 13.¶
"IETF Standard" for properties defined in a standards-track RFC, "Informational" for properties defined in an Informational RFC, or "Other" for any other specification.¶
The following properties from this specification constitute the initial contents of the registry:¶
| Property Name | Status | Kind | Reference |
|---|---|---|---|
"providerId"
|
Active | IETF Standard | This document |
"providerName"
|
Active | IETF Standard | This document |
"providerDisplayName"
|
Active | IETF Standard | This document |
"urlSyncUX"
|
Active | IETF Standard | This document |
"urlAsyncUX"
|
Reserved | IETF Standard | This document |
"urlAPI"
|
Active | IETF Standard | This document |
"width"
|
Active | IETF Standard | This document |
"height"
|
Active | IETF Standard | This document |
"urlControlPanel"
|
Active | IETF Standard | This document |
"nameServers"
|
Active | IETF Standard | This document |
This section is to be removed before publishing as an RFC.¶
492 templates from over 250 providers, incl. O365, Google Workspace, Apple Cloud+, Weebly, Squarespace.¶
The authors wish to thank the following persons for their feedback and suggestions as well as for the previous work on the standard:¶
This section is to be removed before publishing as an RFC.¶
EXAMPLE: Full template example¶
{
"providerId": "example.com",
"providerName": "Example Web Hosting",
"serviceId": "hosting",
"serviceName": "Wordpress by example.com",
"version": 1,
"logoUrl": "https://www.example.com/images/billthecat.jpg",
"description": "This connects your domain to our web hosting",
"records": [
{
"type": "A",
"groupId": "service",
"host": "www",
"pointsTo": "%var1%",
"ttl": 600
},
{
"type": "A",
"groupId": "service",
"host": "m",
"pointsTo": "%var2%",
"ttl": 600
},
{
"type": "CNAME",
"groupId": "service",
"host": "webmail",
"pointsTo": "%var3%",
"ttl": 600
},
{
"type": "TXT",
"groupId": "verification",
"host": "example",
"ttl": 600,
"data": "%var4%"
}
]
}¶
Consider a template for setting a single host record. The records section of the template would have a single record of type "A" and could have a value of:¶
EXAMPLE: Single static host record example¶
[{
"type": "A",
"host": "www",
"pointsTo": "192.0.2.1",
"ttl": 600
}]¶
This would have no variable substitution and the application of this template to a domain would simply set the host name "www" to the IP address "192.0.2.1"¶
In the case of a template for setting a single host record from a variable, the template would have a single record of type "A" and could have a value of:¶
EXAMPLE: Single variable host record for A example¶
[{
"type": "A",
"host": "@",
"pointsTo": "198.51.100.%srv%",
"ttl": 600
}]¶
A query string with a key/value pair of¶
srv=2¶
would cause the application of this template to a domain to set the host name for the apex A record to the IP address "198.51.100.2" with a TTL of 600¶
This example shows how to include a set of unspecified record types on an example of CAA records:¶
EXAMPLE: Unspecified record type CAA example¶
[
{
"type": "CAA",
"host": "@",
"data": "0 issue \"ca1.example.net\"",
"ttl": 1800
},
{
"type": "CAA",
"host": "@",
"data": "0 issuewild \"ca2.example.\"",
"ttl": 1800
}
]¶
This would have no variable substitution and the application of this template to a domain would add 2 CAA records.¶
Consider a DNS Zone before a template application:¶
$ORIGIN example.com. @ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200 1800 1209600 3600 @ 3600 IN NS ns11.example.net. @ 3600 IN NS ns12.example.net. @ 3600 IN A 192.0.2.1 @ 3600 IN A 192.0.2.2 @ 3600 IN AAAA 2001:db8:1234:0000:0000:0000:0000:0000 @ 3600 IN AAAA 2001:db8:1234:0000:0000:0000:0000:0001 @ 3600 IN MX 10 mx1.example.net. @ 3600 IN MX 10 mx2.example.net. @ 3600 IN TXT "v=spf1 a include:spf.example.org ~all" www 3600 IN CNAME other.host.example.¶
Now application of the following template:¶
[
{
"type":"A",
"host":"@",
"pointsTo":"203.0.113.2",
"ttl":"1800"
},
{
"type":"A",
"host":"www",
"pointsTo":"203.0.113.2",
"ttl":"1800"
},
{
"type":"SPFM",
"host":"@",
"spfRules":"a include:spf.hoster.example"
}
]¶
The following DNS Zone would be generated after the template is applied.¶
A following list of conflicts would be detected in this case:¶
@ 3600 IN A 192.0.2.1 @ 3600 IN A 192.0.2.2 @ 3600 IN AAAA 2001:db8:1234:0000:0000:0000:0000:0000 @ 3600 IN AAAA 2001:db8:1234:0000:0000:0000:0000:0001¶
After changes applied the zone would be updated to the following state. Note existing A and AAAA records removed due to the conflicts as well as SPF TXT record content merged with the existing entry.¶
$ORIGIN example.com. @ 3600 IN SOA ns11.example.net. support.example.net. 2017050920 7200 1800 1209600 3600 @ 3600 IN NS ns11.example.net. @ 3600 IN NS ns12.example.net. @ 1800 IN A 203.0.113.2 @ 3600 IN MX 10 mx1.example.net. @ 3600 IN MX 10 mx2.example.net. @ 1800 IN TXT "v=spf1 a include:spf.example.org include:spf.hoster.ex ample ~all" www 1800 IN A 203.0.113.2¶
Consider a DNS Zone before a template application:¶
$ORIGIN example.com. @ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200 1800 1209600 3600 @ 3600 IN NS ns11.example.net. @ 3600 IN NS ns12.example.net.¶
Now application of the following template of Mail service:¶
[
{
"type":"MX",
"host":"@",
"priority": "10",
"pointsTo":"mx1.example.net",
"ttl":"1800"
},
{
"type":"MX",
"host":"www",
"priority": "10",
"pointsTo":"mx2.example.net",
"ttl":"1800"
},
{
"type":"SPFM",
"host":"@",
"spfRules":"a include:spf.example.net"
}
]¶
Expected result in the DNS Zone¶
$ORIGIN example.com. @ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200 1800 1209600 3600 @ 3600 IN NS ns11.example.net. @ 3600 IN NS ns12.example.net. @ 3600 IN MX 10 mx1.example.net. @ 3600 IN MX 10 mx2.example.net. @ 3600 IN TXT "v=spf1 a include:spf.example.net ~all"¶
In the next step application of the following template of Newsletter service:¶
[
{
"type":"SPFM",
"host":"@",
"spfRules":"include:_spf.newsletter.example"
}
]¶
Expected result in the DNS Zone. Note merged SPF entry.¶
$ORIGIN example.com. @ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200 1800 1209600 3600 @ 3600 IN NS ns11.example.net. @ 3600 IN NS ns12.example.net. @ 3600 IN MX 10 mx1.example.net. @ 3600 IN MX 10 mx2.example.net. @ 3600 IN TXT "v=spf1 a include:spf.example.net include:_spf.newslett er. example ~all"¶