Hej, Jag har en fråga till alla DNS-gurus i världen. Det har ju dykt upp en del saker som man kan stoppa in i dns, som security.txt och robots.txt. Det senaste jag hör de var om llm.txt. Finns det och hur övertygar man en AI om att respektera respektive kringgå en sådan? Hur många txt finns det i världen. Liman och andra, som försvarat dns från onödig börda genom åren, hur ser ni på det? Många hälsningar, Anne-Marie ________________________ Anne-Marie Eklund Löwinder Amelsec AB Hägervägen 27, 122 39 Enskede +46 734315310 @amelsec.bsky.social
Hi Anne-Marie, What you’re referring to, such as security.txt, robots.txt, and the more recent mention of llm.txt are all files placed on websites, typically in the /.well-known/ directory. These are not DNS TXT records but rather HTTP-accessible files that provide metadata or instructions to clients like search engines, security researchers, or (potentially) AI agents. Emil Stahl Cyber Security Specialist E: emil.stahl@team.blue<mailto:emil.stahl@team.blue> T: +45 70 40 00 00 [team.blue]<https://team.blue/> [esg-banner.png]<https://team.blue/sustainability/> [linkedin-icon.png] <https://www.linkedin.com/company/teamblue/> [fb-icon.png] <https://www.facebook.com/teamdotblue> [insta-icon.png] <https://www.instagram.com/lifeatteamblue/> ________________________________ From: Anne-Marie via Ns.se <ns.se@lists.iis.se> Sent: Thursday, May 8, 2025 8:36:19 PM To: ns.se@lists.iis.se <ns.se@lists.iis.se> Subject: [Ns.se] DNS extended Hej, Jag har en fråga till alla DNS-gurus i världen. Det har ju dykt upp en del saker som man kan stoppa in i dns, som security.txt och robots.txt. Det senaste jag hör de var om llm.txt. Finns det och hur övertygar man en AI om att respektera respektive kringgå en sådan? Hur många txt finns det i världen. Liman och andra, som försvarat dns från onödig börda genom åren, hur ser ni på det? Många hälsningar, Anne-Marie ________________________ Anne-Marie Eklund Löwinder Amelsec AB Hägervägen 27, 122 39 Enskede +46 734315310 @amelsec.bsky.social
Yes and often the txt files is pointed out by DNS TXT RR's. Like the recent MTA-STS (https://datatracker.ietf.org/doc/html/rfc8461) On Thu, May 8, 2025 at 9:14 PM Emil Stahl via Ns.se <ns.se@lists.iis.se> wrote:
Hi Anne-Marie,
What you’re referring to, such as security.txt, robots.txt, and the more recent mention of llm.txt are all files placed on websites, typically in the /.well-known/ directory. These are not DNS TXT records but rather HTTP-accessible files that provide metadata or instructions to clients like search engines, security researchers, or (potentially) AI agents.
*Emil Stahl* Cyber Security Specialist E: emil.stahl@team.blue T: +45 70 40 00 00 [image: team.blue] <https://team.blue/> [image: esg-banner.png] <https://team.blue/sustainability/> [image: linkedin-icon.png] <https://www.linkedin.com/company/teamblue/> [image: fb-icon.png] <https://www.facebook.com/teamdotblue> [image: insta-icon.png] <https://www.instagram.com/lifeatteamblue/>
------------------------------ *From:* Anne-Marie via Ns.se <ns.se@lists.iis.se> *Sent:* Thursday, May 8, 2025 8:36:19 PM *To:* ns.se@lists.iis.se <ns.se@lists.iis.se> *Subject:* [Ns.se] DNS extended
Hej,
Jag har en fråga till alla DNS-gurus i världen. Det har ju dykt upp en del saker som man kan stoppa in i dns, som security.txt och robots.txt. Det senaste jag hör de var om llm.txt. Finns det och hur övertygar man en AI om att respektera respektive kringgå en sådan? Hur många txt finns det i världen. Liman och andra, som försvarat dns från onödig börda genom åren, hur ser ni på det?
Många hälsningar,
Anne-Marie
________________________ Anne-Marie Eklund Löwinder Amelsec AB Hägervägen 27, 122 39 Enskede +46 734315310 @amelsec.bsky.social
-- Ns.se mailing list -- ns.se@lists.iis.se To unsubscribe send an email to ns.se-leave@lists.iis.se
[Since others switched to English, I will too.] Hi Anne-Marie! I too was unaware of any conventions for doing this in the _DNS_, but I _am_ aware of the prolific abuse of TXT records for various and sundry kitchen-sink-like purposes, so your words didn't surprise me at all. If you _do_ find signs of this type of data being put into the DNS, please share them with me. For anyone who thinks that using TXT records to solve your custom problem is a quick and simple solution, think again. Or contact me, and I'll drag you out of that misconception ... And mind you: new record types are dirt cheap, and very easy to create and register. 😉 Cheers, /Liman #---------------------------------------------------------------------- # Lars-Johan Liman, M.Sc. ! E-mail: liman@netnod.se # Senior Systems Specialist ! Tel: +46 8 - 562 860 12 # Netnod AB, Stockholm ! http://www.netnod.se/ #---------------------------------------------------------------------- ns.se@lists.iis.se 2025-05-08 20:36 [+0200]:
Hej,
Jag har en fråga till alla DNS-gurus i världen. Det har ju dykt upp en del saker som man kan stoppa in i dns, som security.txt och robots.txt. Det senaste jag hör de var om llm.txt. Finns det och hur övertygar man en AI om att respektera respektive kringgå en sådan? Hur många txt finns det i världen. Liman och andra, som försvarat dns från onödig börda genom åren, hur ser ni på det?
Många hälsningar,
Anne-Marie
________________________ Anne-Marie Eklund Löwinder Amelsec AB Hägervägen 27, 122 39 Enskede +46 734315310 @amelsec.bsky.social
-- Ns.se mailing list -- ns.se@lists.iis.se To unsubscribe send an email to ns.se-leave@lists.iis.se
It is interesting to note that there is a dedicated RR type for the SPF function, SPF RR type, but that is deprecated. Instead TXT RR type should be used. It is kind of backwards. Fighting the use of TXT records for various function would be a life-time struggle. Mats --- Mats Dufberg DNS Specialist, IIS Mobile: +46 73 065 3899<tel:+46%2073%20065%203899> https://www.iis.se/en/<http://www.iis.se/en> 9 maj 2025 kl. 08:26 skrev Lars-Johan Liman via Ns.se <ns.se@lists.iis.se>: [Since others switched to English, I will too.] Hi Anne-Marie! I too was unaware of any conventions for doing this in the _DNS_, but I _am_ aware of the prolific abuse of TXT records for various and sundry kitchen-sink-like purposes, so your words didn't surprise me at all. If you _do_ find signs of this type of data being put into the DNS, please share them with me. For anyone who thinks that using TXT records to solve your custom problem is a quick and simple solution, think again. Or contact me, and I'll drag you out of that misconception ... And mind you: new record types are dirt cheap, and very easy to create and register. 😉 Cheers, /Liman #---------------------------------------------------------------------- # Lars-Johan Liman, M.Sc. ! E-mail: liman@netnod.se # Senior Systems Specialist ! Tel: +46 8 - 562 860 12 # Netnod AB, Stockholm ! http://www.netnod.se/ #---------------------------------------------------------------------- ns.se@lists.iis.se 2025-05-08 20:36 [+0200]: Hej, Jag har en fråga till alla DNS-gurus i världen. Det har ju dykt upp en del saker som man kan stoppa in i dns, som security.txt och robots.txt. Det senaste jag hör de var om llm.txt. Finns det och hur övertygar man en AI om att respektera respektive kringgå en sådan? Hur många txt finns det i världen. Liman och andra, som försvarat dns från onödig börda genom åren, hur ser ni på det? Många hälsningar, Anne-Marie ________________________ Anne-Marie Eklund Löwinder Amelsec AB Hägervägen 27, 122 39 Enskede +46 734315310 @amelsec.bsky.social -- Ns.se mailing list -- ns.se@lists.iis.se To unsubscribe send an email to ns.se-leave@lists.iis.se -- Ns.se mailing list -- ns.se@lists.iis.se To unsubscribe send an email to ns.se-leave@lists.iis.se
On 9 May 2025, at 8:39, Mats Dufberg via Ns.se wrote:
It is interesting to note that there is a dedicated RR type for the SPF function, SPF RR type, but that is deprecated. Instead TXT RR type should be used.
One of the largest mistakes made.
It is kind of backwards.
Indeed.
Fighting the use of TXT records for various function would be a life-time struggle.
Let me recommend RFC 5507 from IAB with me and Austein as authors: <https://datatracker.ietf.org/doc/html/rfc5507> 5507 Design Choices When Expanding the DNS. IAB, P. Faltstrom, Ed., R. Austein, Ed., P. Koch, Ed.. April 2009. (Format: TXT, HTML) (Status: INFORMATIONAL) (DOI: 10.17487/RFC5507) Patrik
Yes, that is a good document. You don't even need to read it to know that. You can deduce it from the list of authors ... 😉 Cheers, /Liman paf@frobbit.se 2025-05-09 09:17 [+0200]:
... ... Let me recommend RFC 5507 from IAB with me and Austein as authors:
5507 Design Choices When Expanding the DNS. IAB, P. Faltstrom, Ed., R. Austein, Ed., P. Koch, Ed.. April 2009. (Format: TXT, HTML) (Status: INFORMATIONAL) (DOI: 10.17487/RFC5507)
Patrik
Blush... Patrik P.S. That said, you should know how we had to fight because too many said "we can just use TXT, and btw, TXT is the only you can use due to <drum roll> java script and php". On 9 May 2025, at 15:01, Lars-Johan Liman wrote:
Yes, that is a good document. You don't even need to read it to know that. You can deduce it from the list of authors ... 😉
Cheers, /Liman
paf@frobbit.se 2025-05-09 09:17 [+0200]:
... ... Let me recommend RFC 5507 from IAB with me and Austein as authors:
5507 Design Choices When Expanding the DNS. IAB, P. Faltstrom, Ed., R. Austein, Ed., P. Koch, Ed.. April 2009. (Format: TXT, HTML) (Status: INFORMATIONAL) (DOI: 10.17487/RFC5507)
Patrik
Yes, indeed. It was a sad time in the history of the IETF. Fortunately the IETF seems to have sobered up from that specific ... lapse. It's much harder to get approval for protocol-specific use of TXT records these days. The IESG is more on its toes, and there is (again) a DNS Directorate. Cheers, /Liman mats.dufberg@internetstiftelsen.se 2025-05-09 06:39 [+0000]:
It is interesting to note that there is a dedicated RR type for the SPF function, SPF RR type, but that is deprecated. Instead TXT RR type should be used.
It is kind of backwards.
Fighting the use of TXT records for various function would be a life-time struggle.
Mats
--- Mats Dufberg DNS Specialist, IIS Mobile: +46 73 065 3899<tel:+46%2073%20065%203899> https://www.iis.se/en/<http://www.iis.se/en>
9 maj 2025 kl. 08:26 skrev Lars-Johan Liman via Ns.se <ns.se@lists.iis.se>:
[Since others switched to English, I will too.]
Hi Anne-Marie!
I too was unaware of any conventions for doing this in the _DNS_, but I _am_ aware of the prolific abuse of TXT records for various and sundry kitchen-sink-like purposes, so your words didn't surprise me at all.
If you _do_ find signs of this type of data being put into the DNS, please share them with me.
For anyone who thinks that using TXT records to solve your custom problem is a quick and simple solution, think again. Or contact me, and I'll drag you out of that misconception ... And mind you: new record types are dirt cheap, and very easy to create and register. 😉
Cheers, /Liman
#---------------------------------------------------------------------- # Lars-Johan Liman, M.Sc. ! E-mail: liman@netnod.se # Senior Systems Specialist ! Tel: +46 8 - 562 860 12 # Netnod AB, Stockholm ! http://www.netnod.se/ #----------------------------------------------------------------------
ns.se@lists.iis.se 2025-05-08 20:36 [+0200]: Hej,
Jag har en fråga till alla DNS-gurus i världen. Det har ju dykt upp en del saker som man kan stoppa in i dns, som security.txt och robots.txt. Det senaste jag hör de var om llm.txt. Finns det och hur övertygar man en AI om att respektera respektive kringgå en sådan? Hur många txt finns det i världen. Liman och andra, som försvarat dns från onödig börda genom åren, hur ser ni på det?
Många hälsningar,
Anne-Marie
________________________ Anne-Marie Eklund Löwinder Amelsec AB Hägervägen 27, 122 39 Enskede +46 734315310 @amelsec.bsky.social
For anyone who thinks that using TXT records to solve your custom problem is a quick and simple solution, think again. Or contact me, and I'll drag you out of that misconception ... And mind you: new record types are dirt cheap, and very easy to create and register. 😉
Liman, Since you opened this can of worms… ;-) I have a history in SIP where usage of SRV records to let the clients handle failover and load balancing is a standard. We’ve used it for years. I can make sure that there’s a failover between servers, between datacenters and even between service providers if needed. Now I’m working on an HTTP based API (Transparency Exchange API). We’ve talked about it. I found PAF’s URI RR that seemed to give me a good solution. Found out it wasn’t implemented in most DNS admin panels. Then I happily found the HTTP records. Found out that it wasn’t even implemented in libcurl and the failover part was not going to be implemented. The same for other popular HTTP libraries used for building API clients. I got so much push back from the team that I finally gave up on this. The HTTP world solves the problem by pushing everyone to large CDN providers with anycast BGP. This week someone opened an issue in our tracker and suggest that we implement something using DNS TXT records… My forehead is read and sore from banging against the wall. The existing records will solve our problem with failover in the API but since the world of HTTP refuse to implement it, we’re stuck. So yes, new RRs can be created. But without implementation they won’t solve any problems. Sorry for the rant. /O
Not questioning the truth your your story ... but sorry to hear that. 😞 But in this case ... oej@edvina.net 2025-05-09 08:40 [+0200]:
... ... This week someone opened an issue in our tracker and suggest that we implement something using DNS TXT records…
... TXT records will not be implemented either. Not in the way you (he/she) seem to suggest them to be used. 🤷♂️ Cheers, /Liman
"Lars-Johan Liman via Ns.se" <ns.se@lists.iis.se> writes:
[Since others switched to English, I will too.]
[We did because Emil and I do not write well in Swedish and you guys tend to prefer English over Danish when we meet in person. I don't mind reading Swedish.]
For anyone who thinks that using TXT records to solve your custom problem is a quick and simple solution, think again. Or contact me, and I'll drag you out of that misconception ... And mind you: new record types are dirt cheap, and very easy to create and register. 😉
I've seen my fair share of TXT record abuse as well, but at least modern TXT record abuse is limited to more specific label names like '_dmarc', 'someselector._domainkey' and similar. I think one reason TXT records are often abused is that DNS control panels are often slow to adopt new record types, and then the easy way out is to just use a TXT record. Best regards, Jacob
[Ah. To paraphrase: "two countries separated by a common language history." 😉 I need to spend more time in Denmark to improve on my Danish. I'm ashamed that I struggle with spoken Danish. Written is usually OK. 😞] Hi Jacob! Yes, I agree: use label selctors (_foo) instead of record type selectors is an alternative approach that makes the abuse slightly easier to live with, but it's still ... less than elegant, IMHO. "That's not how the DNS was designed." And you are probably quite right about the UI panels. Cheers, /Liman ns.se@lists.iis.se 2025-05-09 09:31 [+0200]:
"Lars-Johan Liman via Ns.se" <ns.se@lists.iis.se> writes:
[Since others switched to English, I will too.]
[We did because Emil and I do not write well in Swedish and you guys tend to prefer English over Danish when we meet in person. I don't mind reading Swedish.]
For anyone who thinks that using TXT records to solve your custom problem is a quick and simple solution, think again. Or contact me, and I'll drag you out of that misconception ... And mind you: new record types are dirt cheap, and very easy to create and register. 😉
I've seen my fair share of TXT record abuse as well, but at least modern TXT record abuse is limited to more specific label names like '_dmarc', 'someselector._domainkey' and similar.
I think one reason TXT records are often abused is that DNS control panels are often slow to adopt new record types, and then the easy way out is to just use a TXT record.
Best regards, Jacob
Liman,
And mind you: new record types are dirt cheap, and very easy to create and register. 😉
Umm… no. Cheap: yes. Easy to create: well, that obviously depends. Very easy to register: no. Been there, done that, carry the scars. In *theory* you’re absolutely correct, but in practice… well you know the rest. Johan
Hi Johan! OK, I stand corrected. Thanks for putting the me straight. Then maybe the good idea we (the IETF) had at the time – to make it simple to register new RR types – has fallen into implementation problems. Maybe it should be looked into. Out of curiosity: the RR type(s) you wanted to register – did they warrant "special processing" in the DNS servers? I.e., did they require altereted/new code paths in the servers, or were they simple data-carrying records to just be picked up from a shelf and shipped to the client? I guess my question is: do you see a difference between the two categories of records in how difficult it is to get a requst processed? Cheers, /Liman johan.stenstam@internetstiftelsen.se 2025-05-14 08:08 [+0000]:
Liman,
And mind you: new record types are dirt cheap, and very easy to create and register. 😉
Umm… no. Cheap: yes. Easy to create: well, that obviously depends. Very easy to register: no.
Been there, done that, carry the scars. In *theory* you’re absolutely correct, but in practice… well you know the rest.
Johan
On 14 May 2025, at 10:08, Johan Stenstam via Ns.se wrote:
Very easy to register: no.
Been there, done that, carry the scars. In *theory* you’re absolutely correct, but in practice… well you know the rest.
What we have is a process that "only" require expert review. Standard action is not needed (compared to many other IANA parameters). See https://www.rfc-editor.org/rfc/rfc6895.html#page-14 Sure, that can be hard, but...YMMV. From my point of view the hard part is not to get the RR Type registered, but used. See URI which was my last one. Patrik
participants (9)
-
Anne-Marie -
Emil Stahl -
Jacob Bunk Nielsen -
Johan Stenstam -
Lars-Johan Liman -
Leif Gustafsson -
Mats Dufberg -
Olle E. Johansson -
Patrik Fältström