securitytxt / security-txt

A proposed standard that allows websites to define security policies.
https://securitytxt.org

Extension: security.txt in DNS #196

Open Addvilz opened 3 years ago

Addvilz commented 3 years ago

I would like to propose an extension to the standard proposal of security.txt - the possibility of publishing security.txt using a DNS TXT record.

One of the biggest drawbacks I see with the proposal is that it is only really usable for networks and systems hosting web servers and having a web presence. The Internet is complex, and it is not always the case that a web server is present, especially when we consider infrastructure networks, hosted-for-customer service networks whose final ownership is not easy to verify, and similar cases. Sometimes the web server is not available as part of the public service, but other services are - email services, custom services, etc. Having a DNS level security.txt entry would certainly help solve all these cases. Having this record would also give automated systems a way to discover security contact information without looking for WWW servers.

In this regard, I would like to propose an optional (???) extension to the security.txt proposal - a DNS TXT record, using public PTR as basis for record resolution.

Example record format

v=security.txt; Contact: mailto:secops@example.com; Contact: mailto:ops@example.com; Encryption: https://example.com/pgp.key; Preferred Languages: en,es; Policy: https://example.com/example_policy.txt

Example resolution chain

  1. PTR is published for a network resource
  2. PTR resolves to `host.ex.example.com`
  3. Lookup TXT host.ex.example.com, use security.txt record if found
  4. If no record found, lookup TXT example.com, use security.txt record if found

Edit 1

After some consideration, perhaps instead of allowing for full content of the security.txt in DNS, it could be just a reference on where to find the policy. This could have benefits in reducing load on DNS servers and not having to deal with the 255 char limit for TXT record parts.

v=security.txt; href=https://example.com/security.txt
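As an added example (not code from the securitytxt project or from the commenter), here is a small Python implementation of what the post describes: a parser for the proposed `v=security.txt; Key: value; ...` TXT format (including the `href=` reference form from Edit 1) and the PTR -> host TXT -> parent-zone TXT resolution chain. It generalizes the chain slightly by walking every parent label rather than jumping straight to the registrable domain, and it reassembles a TXT record from several character-strings to show how the 255-octet chunking mentioned in Edit 1 is handled. All DNS data is a constructed in-memory table, so nothing is looked up on the network; `PTR_TABLE`, `TXT_TABLE`, `FULL_RECORD` and the example addresses are assumptions made up for the demo.

```python
"""Parser and resolver for a DNS TXT form of security.txt (added example).

The record format and resolution order follow the issue text; the DNS data
below is a constructed in-memory table, not real records.
"""
from typing import Callable, Dict, List, Optional, Tuple

Fields = Dict[str, List[str]]


def join_txt_strings(strings: List[str]) -> str:
    """A TXT RR carries one or more character-strings of at most 255 octets.
    The application-level value is their concatenation, which is how the
    255-char limit mentioned in Edit 1 is worked around."""
    return "".join(strings)


def parse_security_txt_record(record: str) -> Optional[Fields]:
    """Parse 'v=security.txt; Key: value; Key: value' into a field map.

    Returns None unless the record starts with the v=security.txt tag, so
    unrelated TXT records at the same name (SPF, verification tokens) are
    ignored. Repeated keys (several Contact: entries) accumulate in a list.
    Keys are lower-cased with spaces turned into '-', so the post's
    'Preferred Languages' becomes 'preferred-languages'. The Edit 1 form
    'href=URL' is stored under the key 'href'.
    """
    parts = [p.strip() for p in record.split(";")]
    if not parts or parts[0].lower() != "v=security.txt":
        return None
    fields: Fields = {}
    for part in parts[1:]:
        if not part:
            continue
        # 'href=...' has no ':' before its '='; 'Contact: mailto:...' does.
        if "=" in part and ":" not in part.split("=", 1)[0]:
            key, value = part.split("=", 1)
        elif ":" in part:
            key, value = part.split(":", 1)
        else:
            continue  # malformed fragment: skip it rather than reject the record
        key = key.strip().lower().replace(" ", "-")
        fields.setdefault(key, []).append(value.strip())
    return fields


def parent_zones(hostname: str) -> List[str]:
    """host.ex.example.com -> [host.ex.example.com, ex.example.com, example.com].

    Walks every parent label and stops before the last one. Treating the last
    label as the public suffix is an assumption for this demo; a real client
    would consult a public-suffix list so it never queries e.g. 'co.uk'.
    """
    labels = hostname.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def resolve_security_txt(
    ip: str,
    ptr_lookup: Callable[[str], Optional[str]],
    txt_lookup: Callable[[str], List[List[str]]],
) -> Optional[Tuple[str, Fields]]:
    """Resolution chain from the post: PTR for the address, then TXT at the
    PTR target, then TXT at each parent zone until a security.txt record is
    found. Returns (zone where it was found, parsed fields) or None."""
    hostname = ptr_lookup(ip)
    if hostname is None:
        return None
    for zone in parent_zones(hostname):
        for strings in txt_lookup(zone):
            parsed = parse_security_txt_record(join_txt_strings(strings))
            if parsed is not None:
                return zone, parsed
    return None


# --- Constructed DNS data for the demo (assumed, not real records) ---------
FULL_RECORD = (
    "v=security.txt; Contact: mailto:secops@example.com; "
    "Contact: mailto:ops@example.com; Encryption: https://example.com/pgp.key; "
    "Preferred Languages: en,es; Policy: https://example.com/example_policy.txt"
)
PTR_TABLE = {
    "192.0.2.10": "host.ex.example.com",
    "192.0.2.20": "mail.example.net",
    "192.0.2.30": "nothing.example.org",
}
TXT_TABLE = {
    # Host itself only publishes SPF; the security record lives at the apex.
    "host.ex.example.com": [["v=spf1 -all"]],
    # Split into two character-strings to mimic 255-octet chunking.
    "example.com": [[FULL_RECORD[:100], FULL_RECORD[100:]]],
    # Edit 1 variant: a pointer to where the policy is served.
    "example.net": [["v=security.txt; href=https://example.net/.well-known/security.txt"]],
}


def demo_lookup(ip: str) -> Optional[Tuple[str, Fields]]:
    """Run the chain against the constructed tables."""
    return resolve_security_txt(ip, PTR_TABLE.get, lambda z: TXT_TABLE.get(z, []))


if __name__ == "__main__":
    for addr in PTR_TABLE:
        print(addr, "->", demo_lookup(addr))
```

The parser deliberately ignores TXT records that do not begin with the `v=security.txt` tag, since an apex name usually carries SPF and domain-verification strings alongside any policy record, and a consumer should never mistake one of those for a security contact.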

nightwatchcyber commented 3 years ago

Thank you for submitting this. We had multiple DNS recommendations and plan to address once the initial draft is approved as RFC, so at least the contents of the file are standardized.

Addvilz commented 3 years ago

Great! Let me know if there is anything at all I can do to help with this.

austinsonger commented 2 years ago

https://github.com/disclose/dnssecuritytxt