Re: [Acme] Indicating scope in DNS validation label

Seo Suchan <tjtncks@gmail.com> Wed, 04 October 2023 08:46 UTC

To: Q Misell <q@as207960.net>, "acme@ietf.org" <acme@ietf.org>, draft-ietf-dnsop-domain-verification-techniques@ietf.org
References: <CAKC-DJib1cE5d=NcJVbv1bO+fXs=5KTrodrHoWkJ3h-ZD1wmpQ@mail.gmail.com> <b46133ac-73ba-45f9-ac22-1d5c4de8e6d8@gmail.com> <CAMEWqGtO3zfnB9TVK-2ozOyhj+ROgjC1QOruckRFaw3ktYTGQg@mail.gmail.com>
From: Seo Suchan <tjtncks@gmail.com>
In-Reply-To: <CAMEWqGtO3zfnB9TVK-2ozOyhj+ROgjC1QOruckRFaw3ktYTGQg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Ht96jBqmPQV_VpoqGHqUhhINq9A>
Subject: Re: [Acme] Indicating scope in DNS validation label

While it's a blunt tool, the current CAA issuewild record with a whitelisted 
accounturi would be able to do that, as issuewild overrides issue.

On 2023-10-04 at 4:59 PM, Q Misell wrote:
> Regardless of the inclusion of that paragraph in the BR I still think 
> it would be worthwhile to be able to limit a DNS based validation to 
> not issuing wildcards, should an admin so desire.
>
> On Tue, 3 Oct 2023 at 20:04, Seo Suchan <tjtncks@gmail.com> wrote:
>
>     Because the CA/B Baseline Requirements' DNS Change method has this
>     paragraph, I think a DNS admin should consider any DNS record there
>     to be valid for wildcards.
>
>>     Note: Once the FQDN has been validated using this method, the CA
>>     MAY also issue Certificates for other FQDNs that end with all the
>>     Domain Labels of the validated FQDN. This method is suitable for
>>     validating Wildcard Domain Names.
>
>     On 2023-10-03 at 10:31 PM, Erik Nygren wrote:
>>     Within draft-ietf-dnsop-domain-verification-techniques there is
>>     considerable discussion about the risks associated with DNS DCV
>>     records (such as ACME DNS-01) not being clear in the record about
>>     whether the scope applies to just a single hostname (example.com)
>>     or to a wildcard (*.example.com). While DNS-01 has this within the
>>     token, the DNS TXT record itself only includes a hash of the token,
>>     making this hard for a DNS admin to validate.
>>
>>     We have a proposed change to use distinct labels for different
>>     scopes.  For example:
>>
>>     * "`_acme-host-challenge.example.com`" applies only to the
>>     specific host name of "example.com" and not to anything
>>     underneath it.
>>     * "`_acme-wildcard-challenge.example.com`" applies to all host
>>     names at the level immediately underneath "example.com". For
>>     example, it would apply to "foo.example.com" but not "example.com"
>>     nor "quux.bar.example.com". In the ACME context this would be for
>>     *.example.com.
>>
>>     Pull request for this is here:
>>
>>     https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/90/files
>>
>>     What is the sense of the ACME WG on if this would make sense?
>>     Roll-out would presumably take quite some time so both would need
>>     to keep working.
>>
>>     I'd suggest that it may make sense to incorporate as part of
>>     draft-ietf-acme-dns-account-challenge since the roll-out for both
>>     would likely follow a similar pattern.  In that case I'd proposed
>>     that we'd replace the "-account" in that draft with a
>>     specification to use either "-host" or "-wildcard" depending on
>>     scope. (That might also mean expanding the title of that draft.)
>>
>>     There's also a scope of the domain and its subdomains, covering
>>     example.com, *.example.com, *.*.example.com, *.{...}.example.com,
>>     etc, but this isn't something specified by ACME due to the
>>     semantics of wildcards in X509 certs.
>>
>>         Erik
>>
>>
>>     _______________________________________________
>>     Acme mailing list
>>     Acme@ietf.org
>>     https://www.ietf.org/mailman/listinfo/acme
>>
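The two mechanisms discussed in this thread, modelled in Python as an added example (this is not code from the thread, the dnsop draft, or any ACME implementation). The `challenge_label` function reproduces the scope-specific owner names from Erik Nygren's proposal next to today's single `_acme-challenge` label, and `key_authorization_digest` shows why the TXT value alone cannot reveal the scope: it is only a hash (RFC 8555 section 8.4). The `caa_permits` function is a simplified model of Seo Suchan's point: under RFC 8659 an `issuewild` property, when present, takes precedence over `issue` for wildcard names, so an `issuewild` record carrying an `accounturi` parameter (RFC 8657) limits wildcard issuance to one ACME account while leaving non-wildcard issuance unchanged. The CAA zone is a constructed in-memory dictionary, the account URIs are made up, and the climb toward the root starts from the name with the leading `*.` removed, which is an assumption of this model rather than a full RFC 8659 implementation.

```python
"""Added example: scope-specific DNS-01 labels and CAA issuewild/accounturi.

Not code from the mailing-list thread or any ACME project. The CAA zone
and account URIs below are constructed for illustration.
"""
import base64
import hashlib


def challenge_label(identifier: str, scheme: str = "proposed") -> str:
    """Owner name of the TXT record for a DNS-01 style challenge.

    identifier: the name as requested in the ACME order, e.g. "example.com"
                or "*.example.com".
    scheme:     "rfc8555" gives today's single _acme-challenge label;
                "proposed" gives the scope-specific labels from the thread,
                so a DNS admin can read the scope off the record name.
    """
    wildcard = identifier.startswith("*.")
    base = identifier[2:] if wildcard else identifier
    if scheme == "rfc8555":
        return f"_acme-challenge.{base}"
    if scheme == "proposed":
        scope = "wildcard" if wildcard else "host"
        return f"_acme-{scope}-challenge.{base}"
    raise ValueError(f"unknown scheme {scheme!r}")


def key_authorization_digest(token: str, jwk_thumbprint: str) -> str:
    """RFC 8555 sec. 8.4: TXT value = base64url(SHA-256(token "." thumbprint)).

    The value depends only on the token and the account key, so it carries
    no indication of whether the authorization was for a wildcard.
    """
    digest = hashlib.sha256(f"{token}.{jwk_thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def parse_caa_value(value: str):
    """Split 'issuer-domain; key=value; ...' into (issuer, {key: value})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            params[key.strip()] = val.strip()
    return parts[0], params


def find_relevant_caa(zone: dict, name: str) -> list:
    """RFC 8659 sec. 3 climb: first non-empty CAA RRset from the name upward.

    Assumption of this model: for a wildcard name the climb starts at the
    name with the leading "*." label removed.
    """
    labels = name.removeprefix("*.").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return []


def caa_permits(zone: dict, identifier: str, ca_domain: str, account_uri: str) -> bool:
    """Would CA `ca_domain`, acting for `account_uri`, be allowed to issue?

    zone maps owner names to lists of (tag, value) CAA records.
    For wildcard names, issuewild records (if any) replace issue records.
    A record with an accounturi parameter only authorizes that account.
    """
    wildcard = identifier.startswith("*.")
    rrset = find_relevant_caa(zone, identifier)
    if not rrset:
        return True  # no CAA policy anywhere in the ancestry: any CA may issue
    tag = "issue"
    if wildcard and any(t == "issuewild" for t, _ in rrset):
        tag = "issuewild"  # issuewild overrides issue for wildcard names
    for t, value in rrset:
        if t != tag:
            continue
        issuer, params = parse_caa_value(value)
        if issuer != ca_domain:
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        return True
    return False


# Constructed zone: any account at ca.example may get host certs, but
# wildcard certs only via the one whitelisted ACME account.
ZONE = {
    "example.com": [
        ("issue", "ca.example"),
        ("issuewild", "ca.example; accounturi=https://ca.example/acct/123"),
    ],
}

if __name__ == "__main__":
    for ident in ("example.com", "*.example.com"):
        print(ident, "->", challenge_label(ident, "rfc8555"), "|",
              challenge_label(ident, "proposed"))
    print(caa_permits(ZONE, "*.example.com", "ca.example", "https://ca.example/acct/123"))
    print(caa_permits(ZONE, "*.example.com", "ca.example", "https://ca.example/acct/999"))
```

Running the block prints the label pairs for both identifiers, then `True` and `False`: the whitelisted account may obtain `*.example.com`, any other account at the same CA may not, while `www.example.com` remains issuable to any account because `issue` carries no `accounturi`.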