Description
I would like to propose an extension to the standard proposal of security.txt - possibility to publish security.txt using a DNS TXT record.
One of the biggest drawbacks I see with the proposal is that it is only really usable for networks and systems hosting web servers and having a web presence. The Internet is complex, and a web server is not always present, especially when we consider infrastructure networks, networks hosted for customers whose final ownership is not easy to verify, and similar cases. Sometimes the web server is not available as part of the public service, but other services are - email services, custom services, etc. Having a DNS-level security.txt entry would certainly help solve all these cases. Having this record would also allow automated systems to discover security contact information without looking for WWW servers.
In this regard, I would like to propose an optional (???) extension to the security.txt proposal - a DNS TXT record, using the public PTR as the basis for record resolution.
Example record format
v=security.txt; Contact: mailto:[email protected]; Contact: mailto:[email protected]; Encryption: https://example.com/pgp.key; Preferred Languages: en,es; Policy: https://example.com/example_policy.txt
Example resolution chain
- PTR is published for a network resource
- PTR resolves to `host.ex.example.com`
- Lookup TXT `host.ex.example.com`, use security.txt record if found
- If no record found, lookup TXT `example.com`, use security.txt record if found
Edit 1
After some consideration, perhaps instead of allowing the full content of the security.txt in DNS, it could be just a reference to where to find the policy. This would have the benefit of reducing load on DNS servers and not having to deal with the 255-character limit for TXT record parts.
v=security.txt; href=https://example.com/security.txt