IETF Logo Mail Archive

Re: [Acme] dns-01 challenge limitations

Simon Ser <contact@emersion.fr> Sun, 13 September 2020 08:44 UTC

Return-Path: <contact@emersion.fr>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 932E83A0AF1 for <acme@ietfa.amsl.com>; Sun, 13 Sep 2020 01:44:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=emersion.fr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4pyfkSC-O51R for <acme@ietfa.amsl.com>; Sun, 13 Sep 2020 01:44:26 -0700 (PDT)
Received: from mail-40131.protonmail.ch (mail-40131.protonmail.ch [185.70.40.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB8253A0AB1 for <acme@ietf.org>; Sun, 13 Sep 2020 01:44:25 -0700 (PDT)
Date: Sun, 13 Sep 2020 08:44:20 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=emersion.fr; s=protonmail2; t=1599986663; bh=6x8Mn5Xq3/32WuQ9IzJ7bjNu/dutht1ej251JDA/0ls=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From; b=jt1NPMwGF+Ek69xL0oFQzB20InWhlsuWy/2AKIOruOGo7/X+8FfhVfUmE13FLUyFA 7g7/19UXck5Yc27V+megU4OY3yPfvYmKC/oVPhY2q/sAOyMzu8gXwXUID+N18dIFdA rO2q/VyOqikwEQnzvKuQYMhnto61Sl8L2A05k8N531xCS0zmzWPr1CXimtm3DwLcwc CmThxbQnUvQd4d0obpejINgkepgb2yWgjjZ0/rwX1i2Y1kR8aJPYI0eGWpQM2CZNmq ecl4VSuqvPlIrOn7mdjCxI6HukN/uFU3Os+qMOnIKW3dz5tz5grhru25JDhO+pC1eC eoN3gDf/zD4dA==
To: Patrik Wallström <pawal@amplitut.de>
From: Simon Ser <contact@emersion.fr>
Cc: Felipe Gasper <felipe@felipegasper.com>, "Matthew.Holt@gmail.com" <Matthew.Holt@gmail.com>, "acme@ietf.org" <acme@ietf.org>
Reply-To: Simon Ser <contact@emersion.fr>
Message-ID: <2O1ZuxQsFg1YdMys-Xh-qbt9PWCaVqDo-UjYEbR6wn4Lpu5MvjHfFPo1jhwOnrTC5Y4K39CdfPRP1BKifxDOjMEu58qUQSe2Io68BkGt4mk=@emersion.fr>
In-Reply-To: <b506a8dd-fbf4-0c32-9ff5-30334436ee3a@amplitut.de>
References: <uu-OR5wP1b7svN1Rxems1U8_axHG7M8M9_kYqTBVyhQFxqrddppvhasyxKtLQ-4AZkrbBWhJ_9V-Xs8mQBK5E4smP4_1vANgZazIwicsbq0=@emersion.fr> <394568F0-00BD-4789-8CF4-C1A00A078B6E@felipegasper.com> <uTb0VcadGuNvEnDsg15ER29Kge26GImPfZ-JqS6iFkGXEn4DOFmq8V-hAb32lZNpv6r5rtfrZn6pihdDQkyts_I6BK4tni8CNMYC2RgSorU=@emersion.fr> <b506a8dd-fbf4-0c32-9ff5-30334436ee3a@amplitut.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/7Bte-eQfMYk-TMJJKAe5gvl83q0>
Subject: Re: [Acme] dns-01 challenge limitations
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Sep 2020 08:44:29 -0000

On Friday, September 11, 2020 3:41 PM, Patrik Wallström <pawal@amplitut.de> wrote:

> Simon Ser skrev den 2020-09-11 kl. 15:25:
>
> > Hi,
> > On Friday, September 11, 2020 3:17 PM, Felipe Gasper felipe@felipegasper.com wrote:
> >
> > > > On Sep 11, 2020, at 9:08 AM, Simon Ser contact@emersion.fr wrote:
> > > > For instance, it would be possible to require users to add a short public key
> > > > in a DNS TXT record, then ask the ACME client to sign challenges with that key.
> > > > Something like this would significantly ease the development of ACME clients.
> > >
> > > This would seem to introduce a new vector--key compromise--for being
> > > able to impersonate the domain, wouldn’t it?
> > > Such an authz method would be proving not access to the domain
> > > itself, but access to the key, and would be vulnerable to local
> > > misconfigurations. It seems thus not dissimilar to the erstwhile
> > > problem with tls-sni-01/02.
> >
> > Right now ACME clients need vendor-specific authorizations, like API
> > tokens. If the DNS registry operator's token is leaked, much worse
> > things can happen than just being able to issue wildcard certificates
> > (since the token provides write access to DNS records).
>
> The missing piece of this puzzle is a standardized API for registrars
> (or DNS operators), where changes can be made for a zone at a registrar.
> Much like registry changes coming from registrars to a registry using
> EPP. Many attempts has been made for this, but for some reason,
> registrars like their lock-in models.
>
> Perhaps some day there will be an attempt at both creating a really good
> open source zone editor that will be adopted by registrars and other DNS
> opreators, that also implements an API that is generally accepted. Then
> perhaps this API could become a standard for interacting at least with
> DNS operators for changing the content of a zone. (No, and I don't think
> RFC 2136 is good enough for this.)
>
> For now, this is for many ACME clients a manual step. If you run your
> authoritative DNS service locally in your network, perhaps you could
> look into any options for automatically update the zone content.

I agree a standardized API for DNS operators would be nice, but it's a
pretty massive task. I don't see this happening anytime soon, no matter
how hard I try.

For this reason, I think a different approach would be desirable.

v2.23.0 | Report a Bug | By Email