[gray_-_wolf]

> The problem with opaque records like "029845yn0sidng0345randomnyosndgf03548yn" is that you have zero clue what it's authorizing,

I would have hoped the DNS management is automated and IaC-ed, so you just check the relevant commit message.

[icedchai]

Keep hoping. Most orgs are updating their DNS through some awful web interface that often doesn't even have the ability to add a comment.

[singron]

The service could also MitM you. They give you a code that validates their account against a second service.

[remram]

Interesting point. I guess it would be possible to mask them, e.g. they give you the string "gitlab-123token123" and you set the TXT to hash("gitlab-123token123").

[agwa]

In a perfect world there would be a special DNS record type for this. The DNS server would store the full token value, but would return the hash when someone queries it. I think this would provide both maximum security and maximum privacy.

[c4mpute]

You could use your DNSSEC signing key to sign a validation message (offline, because that doesn't work over DNS).

[agwa]

As discussed elsewhere in this thread, domain validation needs to be frequently rechecked. Therefore, it's far more convenient to publish a DNS record than to manually sign messages out-of-band.

[remram]

DNSSEC already provides attestation, why add another layer within the same system?

[c4mpute]

Because a DNSSEC attestation is usually public, except if you maybe use NSEC 3 and hide the RR behind some random name.

[bawolff]

In real life,lots of companies infrastructure is an undocumented non-version controlled mess