Re: [Acme] dns-01 challenge limitations

Simon Ser <> Fri, 11 September 2020 13:21 UTC

Date: Fri, 11 Sep 2020 13:21:17 +0000
To: Philipp Junghannß <>
From: Simon Ser <>

On Friday, September 11, 2020 3:13 PM, Philipp Junghannß <> wrote:

> I have asked that question in the LE forum; iirc, the problem is that
> someone could place that record once, and as long as someone doesn't
> look at it all the time, one can easily miss the fact that someone can
> create wildcards and stuff for that domain, so the point is to prove
> that DNS access is given at the time of issuance.

If someone once has write access to the DNS, they can set an
acme-challenge record, redirect all requests, and issue wildcard certs.
That would be easy to miss, too.

> you could maybe use a different DNS Server which has a better API,
> and potentially even can be used by ACME.

The issue at hand isn't that a particular DNS registry operator isn't
supported by a particular ACME client. What I want to fix is the need
for all ACME clients to support all DNS registry operators.
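To make the "easy to miss" point above concrete, here is an added example (my own, not code from this thread or from any ACME client): a small audit that flags _acme-challenge entries a one-time DNS write could have left behind, namely lingering dns-01 TXT tokens and CNAME redirects that hand validation to a host outside an allow-list. It assumes the caller has already dumped the zone (or resolver answers) into (name, type, value) tuples; the sample zone, domain names and allow-list are constructed.

```python
"""Audit _acme-challenge records in a zone dump for stale or redirected dns-01 validation."""
import re
from dataclasses import dataclass

# A dns-01 TXT value is base64url(SHA-256(key authorization)): 43 chars, no padding.
_DNS01_TXT = re.compile(r"^[A-Za-z0-9_-]{43}$")


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    value: str
    reason: str


def audit_acme_challenge(records, allowed_cname_targets, issuance_in_progress=False):
    """records: iterable of (owner name, type, value) as read from a zone file or resolver.
    Returns one Finding per _acme-challenge entry that should not be present right now."""
    findings = []
    for name, rtype, value in records:
        labels = name.lower().rstrip(".").split(".")
        if "_acme-challenge" not in labels:
            continue  # only validation names are of interest here
        rtype = rtype.upper()
        if rtype == "CNAME":
            target = value.lower().rstrip(".")
            # A CNAME is how validation gets redirected; allow only known delegation zones.
            if not any(target == t or target.endswith("." + t) for t in allowed_cname_targets):
                findings.append(Finding(name, rtype, value, "CNAME redirects validation to an unapproved target"))
        elif rtype == "TXT":
            token = value.strip('"')  # zone dumps quote TXT strings
            if not issuance_in_progress:
                findings.append(Finding(name, rtype, value, "stale dns-01 token: no issuance in progress"))
            elif not _DNS01_TXT.match(token):
                findings.append(Finding(name, rtype, value, "TXT value is not a dns-01 digest"))
        else:
            findings.append(Finding(name, rtype, value, f"unexpected {rtype} record under _acme-challenge"))
    return findings


# Constructed sample zone excerpt (hypothetical names, not from the thread).
SAMPLE_ZONE = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("_acme-challenge.example.com.", "TXT", '"gfj9Xq-Q1HMXGcTZxRKp9n5CNX0v8R5qG1ymcWxtNwQ"'),
    ("_acme-challenge.api.example.com.", "CNAME", "validation.unknown-host.invalid."),
    ("_acme-challenge.shop.example.com.", "CNAME", "shop.acme-delegation.example.net."),
]
ALLOWED_DELEGATION = {"acme-delegation.example.net"}  # zones we knowingly delegate validation to

if __name__ == "__main__":
    for f in audit_acme_challenge(SAMPLE_ZONE, ALLOWED_DELEGATION):
        print(f"{f.name} {f.rtype} {f.value}: {f.reason}")
```

Run the audit on a schedule (or on every zone change) outside an issuance window, so a token or redirect that survives past the issuance it was meant for shows up instead of sitting unnoticed.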