[Acme] Re: Potential issues with dns-persist-01

Shiloh Heurich <shiloh@heurich.com> Fri, 17 April 2026 15:56 UTC

Return-Path: <shiloh@heurich.com>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C8F73DE5C148 for <acme@mail2.ietf.org>; Fri, 17 Apr 2026 08:56:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1776441364; bh=lZ7lj1ed1bkXXLM4ggRMPa6eM3zGuQlWi1a2j34NnkM=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=DmHgkiIjS/sHXxKrN+HQg0Wo8zsnfLZ3DnzW5qFweKNYE7ZFTqI66DNQeuWZzg0MR fCcA93JpFlu9gRxDePyXjV8gX0b36eWBY4itXofxmk9AZclUTd347VaYa+fD85hbv8 nlg0Sl/mK9MQSBADlltuyNMY0hdkDSwCOQNLyalc=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=heurich.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n958E8LFvQgd for <acme@mail2.ietf.org>; Fri, 17 Apr 2026 08:56:04 -0700 (PDT)
Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com [IPv6:2607:f8b0:4864:20::82d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 489C1DE5BF95 for <acme@ietf.org>; Fri, 17 Apr 2026 08:54:30 -0700 (PDT)
Received: by mail-qt1-x82d.google.com with SMTP id d75a77b69052e-50d6ab4476eso8193791cf.2 for <acme@ietf.org>; Fri, 17 Apr 2026 08:54:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heurich.com; s=google; t=1776441269; x=1777046069; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=lZ7lj1ed1bkXXLM4ggRMPa6eM3zGuQlWi1a2j34NnkM=; b=kf4Rz5NKt1YMpyfeu/eD1zJU2TLpSV9lprWC+E3LaTAiXv0AnYoRaRk7kpK+Rjx5X3 we+4mjgIPFtN3zgA7NbX4jk245+DtVxEjaaejqeDdu09bpuWDyIKvMkwHyPjcr1bkHNe xpUe0UtA+H7GYard8ZpeUBuvq6Q0ikdb5o97K4v0e8STjpAI5VFrb6/DqSjAB7YWh/qb A6w8nYJzxv/Fb+QUdrNEy5kLbJiQmwIwDt/CDk2Qj+pzf7hp0fNy9T3zIdPHpeVJFPb9 2Al+p+zQ8PttTj8NVDYY6FR8SkwWUzX5sM9uNAs/Xstp2Rj0wghpRCIrPOZl4WFimYFE ZTng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776441269; x=1777046069; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-gg:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=lZ7lj1ed1bkXXLM4ggRMPa6eM3zGuQlWi1a2j34NnkM=; b=ROeOdri/c49G8K74sJMgcP8iBl9X5dhtbO1NXakUzio1VQCVr2GoDeGvTS89uLWsS+ j+UYzvPSJZefja1t5B8NAeufkB0Rze7lhg7uArRxbwkqgWSnvPJsmtIfX9+mK9boFJ45 eJopJiQf1qfsBnbj9oxQXy3nL5gCMNndMTJuFtv5KUk/yI5bG37XMnqeqRLa2XtuM4KB Ez6Q3yoljkvKK/bvYZv3Vwd/YJtVSlQgahx/m5AMlNNaHcvzJpn9/YXyvocOJwnrvnj9 g/Iwxh1dwkWFLjb/35J+tAx8yy+tLI+Zte5g4fG6FhhLwUo2x8+YwJgGQpIr4sKyXIJS XAMA==
X-Gm-Message-State: AOJu0Yzp20LPWv5arAtntpTiUWsHXUxqXUwcptY5QdvP0OoucnvfoT8N IrkRR1THB2DCX1JNiXTDnJ+VV9/RoNAoL9AmlzfSn57inuWSZY/jmiiCjpGSIBzisGE=
X-Gm-Gg: AeBDietCAIjIy2+FmH1mWapHo5LWOfOO6Zxy0Nin3vsyG81R6lnbMM+d0pe4J4zmwvu Ki+7p2qqUFwPL1CPMKfOKomxPYP077fbSbtaxhmBWLA27dxE2nKTZhaKBRQUCpSK4/iMbhLp7PC DXI3g+XnUzRegJuhSRnPjiT+9I2YGn9rOnJxzfhr5C85Hp7va4SO7hp2cxdmwFuq2OUcGt+hdS8 sObHdbArK73vNJi8tmi1iuwq8t4TRt4YNPZ3A9t+a0ZtgNWTqTASr11ENTEvNWNTlGMNlb5TGt2 ruRsh7kAi+Y3amIibFJvk5lrhq0nyCfNPWN3EXoS4PMVxwOhI6rRe1rfMS7eG4dOLocQFc5wNnh VOG56cu1X2K5SUnTocb39PorE9rvGv6tuuwI3Z6rL60r5UJTX2Q4fixjT0MmaGdZgLX9kfVM2pt zkON0aru3sV+9EcFxbbcVnjGVE7FM8rSzpodLOvCQBAYQsMrpvFn5j4g==
X-Received: by 2002:a05:622a:10e:b0:50b:29a6:8696 with SMTP id d75a77b69052e-50e3681d042mr47918051cf.7.1776441269532; Fri, 17 Apr 2026 08:54:29 -0700 (PDT)
Received: from smtpclient.apple ([216.245.86.140]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-50e3944a7a3sm14711251cf.22.2026.04.17.08.54.28 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Apr 2026 08:54:28 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.500.181\))
From: Shiloh Heurich <shiloh@heurich.com>
In-Reply-To: <c54ee011-b09e-4c8f-b225-4119239e48c4@gmail.com>
Date: Fri, 17 Apr 2026 11:54:18 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <803D0EF1-6639-4C63-B051-E24B72773DD0@heurich.com>
References: <CAFg2froJTxp+kT_VdSuNs9LVqFQhO-WJZBt=-qoVQO9c8M+=Xw@mail.gmail.com> <CAEmnErdOBBzj+5nuZBYo0zN64zMXDeX-3sdcFBQqJirmHky2gA@mail.gmail.com> <0548587B-B211-4BC9-8F4F-51F30EC555E0@heurich.com> <c54ee011-b09e-4c8f-b225-4119239e48c4@gmail.com>
To: zandoodle <maxoscarhearnden@gmail.com>
X-Mailer: Apple Mail (2.3864.500.181)
Message-ID-Hash: CWMKFUAIIZQFDYGUZBZRNUQ4TNBDC7E3
X-Message-ID-Hash: CWMKFUAIIZQFDYGUZBZRNUQ4TNBDC7E3
X-MailFrom: shiloh@heurich.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: acme@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: Potential issues with dns-persist-01
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/4kplpbbJ9Hq0bHaV4XJKEQ6gtu4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>

Thanks for the correction; pre-provisioning is vulnerable for the same reason as the standard challenge flow.

Your token proposal would catch the case where the rogue server returns a URI at a real CA i.e. the client POSTs, the real CA rejects the key mismatch, and the client detects the problem. But it adds an online step, which is one of the things pre-provisioning is designed to avoid.

An `accountkey=` parameter with a self-computed thumbprint addresses this without the online requirement. The client derives it from its own key material regardless of what the server told it. That should cover both flows.

> On Apr 17, 2026, at 10:35, zandoodle <maxoscarhearnden@gmail.com> wrote:
> 
> I'm sorry I didn't make it clear in my initial email that the attacks were on the accounturi provided when making a new account and so affected pre-provisioned records.
> 
> It should be possible to allow arbitrary account URIs so long as the client can verify them, one way I've proposed is to have the client make a POST request to the account URI and receive a token which can then be put in the TXT record alongside the account URI.
> 
> This (alongside server-side validation of the URI) will allow the CA to confirm that the client has verified their account against a CA controlled endpoint.
> 
> On 17/04/2026 12:39, Shiloh Heurich wrote:
>> Your analogy to the http-01 token substitution is correct. In the standard challenge flow, the dns-persist record contains no client-computed cryptographic material, so the same class of attack applies. RFC 8555 §10.2 describes this pattern formally and explains why Key Authorization was designed to prevent it. The draft should address this.
>> 
>> Pre-provisioning is a different story and the thread hasn't raised it. In that flow there's no challenge object. The client constructs the record from its own account URL (the §7.3 Location header) and the `issuer-domain-name` from directory metadata or the CP/CPS. No server-provided value to substitute. This is the primary deployment model for the enterprise and multi-tenant cases the draft targets.
>> 
>> The harder problem is that persistence and key binding work against each other. Key Authorization works for http-01 and dns-01 because those values are ephemeral: provision, validate, remove, rotate the key freely. A persistent record containing Thumbprint(accountKey) means every key rotation (§7.3.5) invalidates every dns-persist record across every domain on the account. For subscribers with hundreds or thousands of domains, that defeats the purpose of a persistent method. The draft chose accounturi because it's stable across rotations.
>> 
>> Persistence, cryptographic key binding, key rotation support: pick two. That's the core tension.
>> 
>> I see three options, roughly by disruption level:
>> 
>> (a) Strengthen client verification within the current design. Upgrade the §3.1 SHOULD to MUST when the client knows its own account URL. Add explicit security analysis of the missing dual-channel binding and the rationale. Qualify the "strong binding" language in §7.2.
>> 
>> (b) Add an optional accountkey= parameter carrying base64url(Thumbprint(accountKey)), always self-computed by the client. When present, the CA verifies the thumbprint matches the current key. Restores dual-channel binding when used, but clients accept that rotation means updating DNS records. The forward-compatibility rule (MUST ignore unknown parameters) means existing implementations won't enforce it, so this only helps against CAs that opt in.
>> 
>> (c) Sebastian's pubkey: scheme in accounturi. Max already noted the problem: a malicious server can tell the client its accounturi is pubkey:<attacker-thumbprint>. Always-self-compute as a mitigation requires the client to distinguish pubkey URIs it should compute from regular URIs it should provision as-is. That seems fragile.
>> 
>> I'd go with (a) for -02, possibly (b) as a follow-on. But the real question for the WG is whether the pre-provisioning distinction is sufficient, or whether the standard challenge flow needs cryptographic binding even at the cost of rotation compatibility.
>> 
>> Shiloh
>