Re: [Acme] scope in dns-account-01 and dns-02 challenge
Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 31 March 2024 15:44 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 988C3C14F5F9 for <acme@ietfa.amsl.com>; Sun, 31 Mar 2024 08:44:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LQjBQXTb-6bX for <acme@ietfa.amsl.com>; Sun, 31 Mar 2024 08:44:55 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2b.welho.com [83.102.41.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47411C14F5E0 for <acme@ietf.org>; Sun, 31 Mar 2024 08:44:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 6D7F94703F for <acme@ietf.org>; Sun, 31 Mar 2024 18:44:51 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id EDOKDvG0Kv9S for <acme@ietf.org>; Sun, 31 Mar 2024 18:44:51 +0300 (EEST)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 3FFAA7A for <acme@ietf.org>; Sun, 31 Mar 2024 18:44:50 +0300 (EEST)
Date: Sun, 31 Mar 2024 18:44:49 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: acme@ietf.org
Message-ID: <ZgmE8RuJdkVjRBMi@LK-Perkele-VII2.locald>
References: <CAN3x4QkK6dFnoo0wfyCBf9_beuQf+Og9+EhoeYvMUbFaoGw8zw@mail.gmail.com> <7EB59D53-7CC4-4AD3-9652-56EA622D25EE@gmail.com> <CAN3x4QkrPT69=HMqB0cRVb6kocCQ3W0C+L1fXT1zN9dCPtaMUg@mail.gmail.com> <CAOG=JUJ9HGAOPVed1i09gsoPc+8qqk4T3sJVD7n_ZLP28deErA@mail.gmail.com> <ZfwLN3MtNEvcFlaz@LK-Perkele-VII2.locald> <CAN3x4QmEF7QOTidu8ooqNSPwcUFYjP=X2aHgpYg7kb1_ZpcYFA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAN3x4QmEF7QOTidu8ooqNSPwcUFYjP=X2aHgpYg7kb1_ZpcYFA@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/D-Pp2llkrwF9TRCbLFo1hsiPvYs>
Subject: Re: [Acme] scope in dns-account-01 and dns-02 challenge
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 15:44:59 -0000
On Thu, Mar 21, 2024 at 11:44:22AM -0700, Jacob Hoffman-Andrews wrote: > Ilari, you've posted some useful extrapolations on how domain scopes could > work. I'm proposing to get rid of domain scopes. :D To get us on the same > page, would you mind posting some of the specific use cases you're > envisioning where domain scopes would be used in an ACME environment? My > existing belief is that domain scopes are only useful when validation is > non-automated, but I could be wrong here. Well, in what I proposed, if ACME server (CA) does not support domain scope, it does not need to do anything. And ACME client that does not support domain scopes only has to ignore the parameter (not error on it). As for usecases, I am not really coming up with those, due to the folloiwng apparent conflict: - Domain scopes seem only useful for larger systems. - Larger systems likely want to apply access controls to different parts of the tree, which is not compatible with domain scopes. However, stuff like this is well within configurability for an automated client. Looking at configuration for stuff I maintain, there are the following pieces of configuration about DNS validation (the list is exhaustive for stuff outside DNS itself): - The root of DNS zone for validation. - Name of TSIG/SHA256 key to use for DNS updates. - TSIG/SHA256 key for DNS updates (in a separate file for security reasons). Having information about domain roots and using those seems feasible. And actually looking at RFC9444, it looks like it actually has the required controls for the client (as it should), so presumably rules (that were proposed earlier) like: 1) If subdomainAuthAllowed, then it is domain 2) Otherwise, if wildcard, then it is wildcard. 3) Otherwise, It is host. Would seem to work. Both clients and servers that don't want to support the subdomain stuff can just completely omit the code. -Ilari
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Seo Suchan
- [Acme] scope in dns-account-01 and dns-02 challen… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara