Re: [Acme] Trust and security in DNS challenge validation automation
"Sebastian Nielsen" <sebastian@sebbe.eu> Tue, 16 January 2018 16:15 UTC
Return-Path: <sebastian@sebbe.eu>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B96212DB72 for <acme@ietfa.amsl.com>; Tue, 16 Jan 2018 08:15:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.011
X-Spam-Level:
X-Spam-Status: No, score=-7.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sebbe.eu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E8nUP2FLY2fg for <acme@ietfa.amsl.com>; Tue, 16 Jan 2018 08:15:01 -0800 (PST)
Received: from dns2.sebbe.eu (dns2.sebbe.eu [IPv6:2001:470:dff1:1:10::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF8F212762F for <acme@ietf.org>; Tue, 16 Jan 2018 08:15:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sebbe.eu; s=root; h=Content-Type:MIME-Version:Subject:References:In-Reply-To: Message-ID:To:From:Date; bh=YVN+Kjy30ZiIgvDoK0bV05F32rq0T3i5XbyIUmy8fyg=; b=p PN7P401KuuQ9Sp1b/B6dJvcRxPhDfF7Hr1rP9cN338/hkpEMDlhtvx7I6iIhtRkLs88YT804UBqNs BqgVbNMFylD8gTSz+jbaAXQ6wm8jLi64HXEtCniU4NlOVgQwbWSmKV0K7ePN19Ho3MrCVvi6c+k2c W5cvVMI6Ldi1yAnU=;
Received: from localhost ([127.0.0.1] helo=linuxlite-desktop) by linuxlite-desktop with esmtp (Exim 4.86_2) (envelope-from <sebastian@sebbe.eu>) id 1ebTt0-0007Ls-Bi; Tue, 16 Jan 2018 17:14:54 +0100
Received: from [192.168.4.100] (helo=DESKTOPA8GMOTG) by linuxlite-desktop with esmtpa (Exim 4.86_2) (envelope-from <sebastian@sebbe.eu>) id 1ebTsz-0007Lo-Te; Tue, 16 Jan 2018 17:14:53 +0100
Date: Tue, 16 Jan 2018 17:14:52 +0100
From: Sebastian Nielsen <sebastian@sebbe.eu>
To: 'Joona Hoikkala' <joona.hoikkala@eff.org>, acme@ietf.org
Message-ID: <001501d38ee5$240cf400$6c26dc00$@sebbe.eu>
In-Reply-To: <1a6f7bfb-d6dc-bd1a-fcb5-ec78ec4497cf@eff.org>
References: <1a6f7bfb-d6dc-bd1a-fcb5-ec78ec4497cf@eff.org>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----=_Part_38_201706407.1516119294310"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQF4Hmo1vyBldJvOixf+giIU9eXDGaQti1pg
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/7NMXn94rPPYvcFv91V8U4L8TGTA>
Subject: Re: [Acme] Trust and security in DNS challenge validation automation
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jan 2018 16:15:06 -0000
I don't see a reason to do a ready-baked solution for privilege management, as every enviroment is different. Let people handle security for themselves. If you want to have more security over your DNS, you could have it that you have a static private key on the web server/application server, and then the same key to create certificates from your DNS server. Then you have a script that publishes the certificate. You could ACTUALLY publish the certificate in the DNS zone as a TXT. Each TXT record may only contain up to 255 characters, but you could easily split it up to multiple records. And from your web server/application server, you download the certificate periodically. Note that certificates are already public per definition, so its no danger to make certificates public. Thus if your web server/application server gets compromised, your DNS zone isn't compromised. -----Ursprungligt meddelande----- Från: Acme [mailto:acme-bounces@ietf.org] För Joona Hoikkala Skickat: den 16 januari 2018 11:12 Till: acme@ietf.org Ämne: [Acme] Trust and security in DNS challenge validation automation While ACME tries to promote automation of the challenge validation, the landscape of said automation looks rather grim. DNS server software and service providers rarely provide means to limit the privileges of credentials used to update DNS zones. This leads to users being forced to use and save their credentials often equipped with inflated privileges to every machine that needs to acquire certificates using DNS challenges, effectively meaning that when one of such machines gets compromised so does the whole DNS zone, or multiple zones in some cases. The issue can be somewhat alleviated by using a separate validation zone that the user can point CNAME records towards to for the CA to follow. The problem however stays the same, if the credentials get compromised the malicious user is again able to issue certificates for all the domains pointing CNAMEs towards the validation zone in question. This information is also easily acquired by going through CT logs and trying to resolve the validation subdomains for each CN and SAN domain. The only cloud DNS service provider I know that actually allows creation of subdomains with separate credentials is Microsoft Azure. Some providers make it possible to create new credentials and to assign a subdelegate zone for these credentials, and pointing the CNAME there. These solutions are a bit better, but still largely outside of the reach of a typical user. To fix these issues I wrote a small piece of server software ( https://github.com/joohoi/acme-dns/ ) that can be used to fix the issues described above, but using it in large scale would raise new questions about trust in general and the role of the service provider in the whole chain. After all, this software isn't designed to be deployed by every user of DNS challenge. Would a reasonable solution be to deploy something similar to the ACME-DNS software closer to the CA? -- Joona Hoikkala
- [Acme] Trust and security in DNS challenge valida… Joona Hoikkala
- Re: [Acme] Trust and security in DNS challenge va… Jörn Heissler
- Re: [Acme] Trust and security in DNS challenge va… Ilari Liusvaara
- Re: [Acme] Trust and security in DNS challenge va… Joona Hoikkala
- Re: [Acme] Trust and security in DNS challenge va… Sebastian Nielsen
- Re: [Acme] Trust and security in DNS challenge va… Ilari Liusvaara
- [Acme] TXT records for storing certificates in th… Jim Reid
- Re: [Acme] TXT records for storing certificates i… Sebastian Nielsen