Overview
I would like to propose an update to the standard deployment pattern for the DNS Security TXT (DSecTXT) project. Currently, using the parent/root domain is suggested having _security subdomain as an alternative; however, for better scalability and technical compliance, I recommend shifting the standard to the _security subdomain (e.g., _security.example.com).
Technical Rationale
1. Mitigation of DNS Record Size Limitations
DNS TXT records are subject to two critical constraints that often cause issues at the root domain:
- The 255-Character String Limit: Per RFC 1035, individual strings within a TXT record must not exceed 255 characters.
- UDP Packet Truncation: Responses exceeding 512 bytes often fail or require a fallback to TCP.
By moving to a dedicated _security subdomain, we reduce the "record bloat" on the parent domain (which already contains SPF, DKIM, and site verifications), ensuring security policies don't cause resolution failures for the primary domain.
2. Compatibility Across DNS Providers
DNS providers have varying limits on total record length (ranging from 2048 to 4096 characters). Standardizing on a subdomain allows:
- Isolation: Security records won't compete for space with other critical root-level records.
- Variable Limits: It provides a cleaner environment to implement record chaining if the security policy is exceptionally large.
3. Operational Security & Delegation
Using a _security prefix allows organizations to:
- Delegate Authority: The DNS zone for
_security.example.com can be delegated to security teams without giving them full access to the primary zone file.
- Standardized Discovery: This follows the successful pattern set by
_dmarc, _mta-sts, and _bimi, making it easier for automated scanners to locate security metadata.
Proposed Change
Update the project documentation to prioritize the following deployment structure:
- Primary Target:
_security.{domain}
- Formatting: Ensure records are segmented into 255-character strings for maximum compatibility.
- Fallback: Maintain the parent domain only as a legacy fallback (deprecated).
I believe this change will make DSecTXT more robust and easier for enterprise-level organizations to adopt.
Overview
I would like to propose an update to the standard deployment pattern for the DNS Security TXT (DSecTXT) project. Currently, using the parent/root domain is suggested having _security subdomain as an alternative; however, for better scalability and technical compliance, I recommend shifting the standard to the
_securitysubdomain (e.g.,_security.example.com).Technical Rationale
1. Mitigation of DNS Record Size Limitations
DNS TXT records are subject to two critical constraints that often cause issues at the root domain:
By moving to a dedicated
_securitysubdomain, we reduce the "record bloat" on the parent domain (which already contains SPF, DKIM, and site verifications), ensuring security policies don't cause resolution failures for the primary domain.2. Compatibility Across DNS Providers
DNS providers have varying limits on total record length (ranging from 2048 to 4096 characters). Standardizing on a subdomain allows:
3. Operational Security & Delegation
Using a
_securityprefix allows organizations to:_security.example.comcan be delegated to security teams without giving them full access to the primary zone file._dmarc,_mta-sts, and_bimi, making it easier for automated scanners to locate security metadata.Proposed Change
Update the project documentation to prioritize the following deployment structure:
_security.{domain}I believe this change will make DSecTXT more robust and easier for enterprise-level organizations to adopt.