Martin Atkins (mart) wrote in apparentlymart,

Why OpenID discovery for email addresses must use DNS

I'm getting some pushback on my proposal to use DNS as the primary means of OpenID discovery for email addresses. I think this is largely because I've not done a good job of explaining my reasons for it. Aside from some idea of technical purity, what's the practical reason for using DNS for OpenID? Who would use it that way?

My previous employer provided, amongst other things, a hosted content management system product. The usual setup would be that our customer would either have an in-house IT department or they'd outsource their IT stuff to a third party. These IT folks would generally be responsible for DNS and email in some capacity, even if that capacity was just clicking some buttons on someone else's control panel. When the customer bought a CMS-based website from us, we'd get their IT folks to point the A record for the domain at one of our CMS server clusters and configure a mapping of that domain to the appropriate site in the system.

In this scenario, the customer's pretty limited in what they can do to their website. In the interests of usability, the site is presented as a tree of pages which are edited via a WYSIWYG editor and munged into a complete page using a site-wide HTML template. There is no way that such a customer could set up Yadis discovery on their site; creating arbitrary files and arbitrarily fiddling with the contents of <head> are not things the software provides. Even if it did, it certainly doesn't provide an OpenID provider that recognises email addresses for the domain.

Lest you consider this an isolated case, consider some other examples of such an arrangement. The domain this blog is running on has its A record pointing at who host my blog. They don't allow me to override the Yadis document returned at the root of my site, but I do own and control my domain. Users of Six Apart's hosted blogging service TypePad can't add the necessary bits for Yadis discovery without switching to "advanced templates", at which point they lose some of the easy blog design features. Google provides a similar hosted CMS service as part of its "Google Apps for your Domain" package which can't support Yadis, though we could also come at this from the other direction and see that most folks using the Google Apps version of GMail for their domain have their website hosted somewhere else, because -- let's face it -- Google Sites is kinda limited.

It's been my experience, then, that it's far more often the case that DNS and email are controlled by the same team than are email and web. In the case of my previous employer, the IT folks can readily add new records to DNS without involving the CMS provider. In the case of Google Apps For Your Domain, being able to edit your DNS is already a prerequisite to deploy GMail, so if Google were to provide a hosted OpenID-for-email service as part of Apps they could just instruct administrators to add an additional DNS record to enable it.

While I don't disagree that publishing the discovery information over HTTP should be an option, DNS should not only be supported but should override whatever's published over HTTP. By making the compromise of using DNS TXT records as the transport for this discovery information rather than a more "correct" record type, we make it possible to deploy these records in domain management tools that exist today.

I hope the above will serve to show that my wish to use DNS for discovery is in fact for pragmatic reasons, not for reasons of theoretical purity. That it comes with a side-order of theoretical purity (for some definition of purity) is just a nice side-effect!

