Thanks for mentioning this protocol – I've been a fan of Domain Connect [1] for many years and referenced it in one of my earlier comments [2]. Our Record Creator tool [3] integrates with Domain Connect, so if you want to set up a Domain Verification record for a domain with a registrar that's onboarded with Domain Connect, it will simplify the TXT record creation.

> Domain connect allows providers to request fine grained access to domain records, and for customers to allow/disallow those records, for a limited period of time.

From memory, the async flow enables this but I've not seen permission control available to customers in the way you describe. Can you point me at a screenshot or blog post? As far as I've seen, these parts of the protocol have not been implemented particularly well anywhere. I'd say this is partly because the Async flow is far more complicated than the more basic flow, which most registrars and service providers adopted.

> This not only addresses domain verification but also configuration of complex configurations like spf and max records.

In my view, simplifying the setup of SPF, MX, A, CNAME records is where Domain Connect really shines. As far as domain verification goes, I would argue that the two solutions are attacking a similar problem (friction for users creating DNS records) but in quite different ways: Domain Connect simplifies the creation of the DNS TXT records that all service providers currently ask you to create. In contrast, the Domain Verification protocol:

- Allows you to set up and manage multiple records
- Enables permission-based access
- Enables time-limited access
- Most importantly, it reduces the number of DNS records you have to create since the first one you set up can be used in onboarding with future service providers.
- It's far simpler to implement: once email verification is taken care of, the actual Domain Verification check is five lines of code.

> It works, and works well, and is supported by all the major domain providers.

You're right that registrar adoption is quite high, which is because it was a GoDaddy and 1&1 (now IONOS) initiative, but when I last checked it wasn't implemented at Google, Facebook and many of the other larger providers for domain verification (to be clear: neither is my solution!!!)

1. https://github.com/Domain-Connect/spec/blob/master/Domain%20... (http://www.domainconnect.org currently failing with cert expiry)
2. https://news.ycombinator.com/item?id=35828772
3. https://domainverification.org/create-record