Re: [Acme] Assisted-DNS challenge type

Alex Zorin <> Tue, 23 January 2018 02:17 UTC


Sounds great, this would lift a huge burden from users. As noted by Joona in the "Trust and security" thread, foreseeable automation options for the existing DNS challenge are really lacking, and improvements there would either require a lot of retooling by e.g. DNS hosts, or convoluted solutions like end-users having to run their own ACME-DNS kinds of services.

One potential issue: there are a number of DNS providers that do not permit underscores in CNAME (or NS for that matter) labels, whilst permitting them in TXT labels. It may be worthwhile to do a survey of DNS hosts of domains using Let's Encrypt to check what this looks like in the real world.

On Tue, Jan 23, 2018, at 12:09 PM, Jacob Hoffman-Andrews wrote:
> In
> effect, the CNAME record would act like a long-term delegation
> permitting the CA to issue continuously for the base domain.

I can imagine that this introduces a new risk of domain administrators "forgetting" about having made a long-term delegation of _acme-challenge to the CA and unwittingly authorizing an account key to issue certificates for any name longer than intended. Any need to mitigate this?
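As an added example (not from this thread or from any ACME implementation), a small audit over a zone file that lists every standing _acme-challenge CNAME delegation and flags the ones pointing outside the zone, which is the "forgotten delegation" case raised above. The zone contents and the CA validation hostnames are constructed placeholders.

```python
import re

# Constructed sample zone (example code, not from the thread); the CA
# validation hostnames are placeholders, not any real CA's.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@                    3600 IN A     192.0.2.10
_acme-challenge      300  IN CNAME abc123.validation.ca.example.net.
_acme-challenge.www  300  IN CNAME www.delegation.ca.example.net.
_acme-challenge.shop 300  IN TXT   "stale-token-from-a-past-renewal"
"""

# owner [ttl] [IN] type rdata, one record per line (no multi-line records)
_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>.+)$"
)


def _fqdn(name: str, origin: str) -> str:
    """Expand a relative zone-file owner name to a fully qualified one."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def find_acme_delegations(zone_text: str) -> list[dict[str, object]]:
    """Return every CNAME at an _acme-challenge label: each is a standing
    delegation of issuance authority for the parent name. 'external' marks
    targets outside this zone, the ones most likely to be forgotten."""
    origin = ""
    findings: list[dict[str, object]] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = _RECORD.match(line) if line else None
        if not m or m.group("type") != "CNAME":
            continue
        owner = _fqdn(m.group("name"), origin)
        if not owner.startswith("_acme-challenge."):
            continue
        target = m.group("rdata").strip()
        findings.append({
            "delegated_name": owner[len("_acme-challenge."):],
            "target": target,
            "external": not target.endswith("." + origin),
        })
    return findings
```

Run periodically against exported zones and review each external finding: a delegation nobody remembers creating is exactly the case to remove.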