Re: [Acme] dns-01 challenge limitations

Jacob Hoffman-Andrews <> Tue, 15 September 2020 16:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 661D33A1397 for <>; Tue, 15 Sep 2020 09:59:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.793
X-Spam-Status: No, score=-3.793 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.695, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id C_kAfpjLzSrq for <>; Tue, 15 Sep 2020 09:59:47 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 911E83A1396 for <>; Tue, 15 Sep 2020 09:59:47 -0700 (PDT)
Received: by with SMTP id o16so4933697qkj.10 for <>; Tue, 15 Sep 2020 09:59:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gJyA8+ksW1G0WGdkPOT/y5X67X7kFj+xcX0fCiL2kF4=; b=W2CcsiXs9uv5WrDt06QfIIDM0Kj+h9g6eeRPiPvi4WmB2Zuko640iXwmNos1/bNl7R 8O5bC2jhW5NLP/8/gPo12F4IRnQh+vu6LJD2xru9n5rljiiu+w6ujY5S3JAPw3ARtp3j kZl07PEmL8KLifi2jI677UvEg1aQHXu2AXboY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gJyA8+ksW1G0WGdkPOT/y5X67X7kFj+xcX0fCiL2kF4=; b=bIKADPTBaDar4Es0lLFm1vPiymr5/3yW/SJtG6W9dzOTy8Q+dwBWKJBtsoVE+LDS/4 k+5CoUnJrfVx0eE7PSreTegKNNno59Yv2jJZEpdt6UnYvsdI0G8po8xFXKpqsKyw8yIO JlGioe0qy7J9ohfrN6RObw6fKYnNZdmYy9r83sAkMg+cXq4gxxvqG56HrSBkF0hak10P eq6Ynk39J7pZcxDwIr4ktUqkXYt9SvesvZNb2TLyQ6w06Z/dwafbN0Lhk4c16E9Htffn 0+hTnO6oH7bzIgOi+21f4HJyrNDPy0lH978CbDMUL5HzSKMeqKDb6cBr9cUksICz/E8E deXA==
X-Gm-Message-State: AOAM531EihkvIpF3moFEid0cfPH/G1Q9mkSSEa+MHDuBIQ+iPfJWYD8h D0WHn3sWti+ttYl8ASkkrfcLFXUt4mGLmSLJvkBpvA==
X-Google-Smtp-Source: ABdhPJw7B5rJgBpaIkRCwdzFWL3dmhZZxNEz0FtxbjFCRcPgx+oOnA8RJDA3rr/MnzWloJLbe7qFqGNuXowGpxsNsZ4=
X-Received: by 2002:a05:620a:904:: with SMTP id v4mr16590937qkv.242.1600189186271; Tue, 15 Sep 2020 09:59:46 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Jacob Hoffman-Andrews <>
Date: Tue, 15 Sep 2020 09:59:20 -0700
Message-ID: <>
To: Simon Ser <>
Cc: "" <>, "" <>
Content-Type: multipart/alternative; boundary="000000000000057f2905af5d14ad"
Archived-At: <>
Subject: Re: [Acme] dns-01 challenge limitations
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 15 Sep 2020 16:59:49 -0000

Here are a couple of other useful resources on addressing this problem on
the client side. Essentially, you can run your own nameserver dedicated to
answering challenges, and delegate to it with CNAMEs.

To the question of whether Let's Encrypt would implement a new DNS-related
challenge: We're potentially interested, but as Ryan Sleevi mentioned, it
would have to be specified in detail, either in an I-D or elsewhere. It
would then need to be accepted by root programs, possibly via the
CA/Browser Forum, since that's a convenient place to get agreement among
root programs.

That's a fair amount of work, and when I last proposed a similar change in
2018 it looked like there was significant opposition:

So, right now Let's Encrypt isn't prioritizing the work to advocate for
changes here, but hearing from subscribers that have trouble with the
current DNS challenges definitely helps inform our thinking.