Re: [Acme] Indicating scope in DNS validation label
Q Misell <q@as207960.net> Wed, 04 October 2023 08:27 UTC
Return-Path: <q@as207960.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A199C15155E for <acme@ietfa.amsl.com>; Wed, 4 Oct 2023 01:27:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NO_DNS_FOR_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=as207960.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nncH3XTlgbda for <acme@ietfa.amsl.com>; Wed, 4 Oct 2023 01:27:50 -0700 (PDT)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC5B8C151087 for <acme@ietf.org>; Wed, 4 Oct 2023 01:27:36 -0700 (PDT)
Received: by mail-ej1-x631.google.com with SMTP id a640c23a62f3a-9a645e54806so330343466b.0 for <acme@ietf.org>; Wed, 04 Oct 2023 01:27:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=as207960.net; s=google; t=1696408050; x=1697012850; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=2Ks6hOnyKwLnW1JWK43FWWzcVZBZjhZX8Q3f7dTYOvQ=; b=c4s+SDYiN+IYL1WPS3zyAQ5zbqHbJbKCy1fn9MDD68s4A0HvlRuCM+LiGeGVRUtfb+ T+YQCX13+hUugIx6YcqGt+GufvrJ27atzbB3/soFZZwylhEtJtyTQj8RmyK0u7+eZa/i PL+uEqhmADlDfM6pbgJakxBfvSpfTPofyZk+ayuhXyVttndpf41HWMS+gJNC04YxV19l J6STGgzx8c5kMPDsmZ4m+B2tvY1r7/FIzELncpwaQNwPEyD8RkasCpM+nvCTd3rHVP1d oP62XLdSYKmgo3ErjZKgODriqAhCEg29qWxg5ejvQDKMZvV/2I/b5t21wzg9icl5ezWo xqPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696408050; x=1697012850; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2Ks6hOnyKwLnW1JWK43FWWzcVZBZjhZX8Q3f7dTYOvQ=; b=A8oZhu/aLmo3LOqdZzJAl6fsHW9P+zU+hQtiG6MRc6MMYglNTe6MV/nqP7nBM7+RfC wGyDsiVvpVL1RIyqzYjZRDzHfd0P7OOQFxd9AWdTU72NWVB+7VdAaQowyMDmEs9Br04s naAWM2QhWD4U9pnpNUWAnMk1ffqZOmljgz5mnAXdSo5+YQ+PsPNqZNMibNTr2qS8TrEk tZ/ckC34hlaaEONsuRItNMU/ChLcl185rmCxNJ0L/3WTVPSPjcqxdeVJeZqQapQzJI+s oUuUMmvNZ9DYVYdLbxicqNo0jyP+YvmuM+XpglDRxgh8hX8ItCPi1gEwMpM5dHONpAnm t9IA==
X-Gm-Message-State: AOJu0YyFvDp14vZqcKAoUadcl7s/DUwoQuNo4kooll3Q8fJLHsrsd0uc DucuUj2scHv6XBBTUPHBBUFwXyMwBL99844t1tr3Ng==
X-Google-Smtp-Source: AGHT+IH1XcPDPzjPCyQdtotOBCITrq2qwM9WtI3J/+4dz4L5tNZxmJFrcC458gSD9MUUl7XKHXUx5j4Zx7D7SjuIfXo=
X-Received: by 2002:a17:906:97:b0:9ad:7d5c:52f5 with SMTP id 23-20020a170906009700b009ad7d5c52f5mr1356510ejc.75.1696408049591; Wed, 04 Oct 2023 01:27:29 -0700 (PDT)
MIME-Version: 1.0
References: <CAKC-DJib1cE5d=NcJVbv1bO+fXs=5KTrodrHoWkJ3h-ZD1wmpQ@mail.gmail.com> <b46133ac-73ba-45f9-ac22-1d5c4de8e6d8@gmail.com>
In-Reply-To: <b46133ac-73ba-45f9-ac22-1d5c4de8e6d8@gmail.com>
From: Q Misell <q@as207960.net>
Date: Wed, 04 Oct 2023 09:26:53 +0100
Message-ID: <CAMEWqGuAAFHOEUYTw=rK6=j+Aat5VdKg-7tt19CT13H_zHd4iQ@mail.gmail.com>
To: Seo Suchan <tjtncks@gmail.com>
Cc: Erik Nygren <erik+ietf@nygren.org>, draft-ietf-dnsop-domain-verification-techniques@ietf.org, acme@ietf.org
Content-Type: multipart/alternative; boundary="00000000000030bf830606dfc795"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Jsgq3vBlU584fPCbwIrRla7Z39A>
Subject: Re: [Acme] Indicating scope in DNS validation label
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Oct 2023 08:27:55 -0000
Regardless of the inclusion of that paragraph in the BR I still think it would be worthwhile to be able to limit a DNS based validation to not issuing wildcards, should an admin so desire. ------------------------------ Any statements contained in this email are personal to the author and are not necessarily the statements of the company unless specifically stated. AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace, Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company registered in Wales under № 12417574 <https://find-and-update.company-information.service.gov.uk/company/12417574>, LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876 <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №: 522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca Digital, is a company registered in Estonia under № 16755226. Estonian VAT №: EE102625532. Glauca Digital and the Glauca logo are registered trademarks in the UK, under № UK00003718474 and № UK00003718468, respectively. On Tue, 3 Oct 2023 at 20:04, Seo Suchan <tjtncks@gmail.com> wrote: > Because CA/B baseline DNS Change auth have this paragraph, I think DNS > admin should consider any DNS record there to be valid for wildcard. > > Note: Once the FQDN has been validated using this method, the CA MAY also > issue Certificates for > other FQDNs that end with all the Domain Labels of the validated FQDN. > This method is suitable > for validating Wildcard Domain Names. > > > 2023-10-03 오후 10:31에 Erik Nygren 이(가) 쓴 글: > > Within draft-ietf-dnsop-domain-verification-techniques > <https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques> > there is considerable discussion about the risks associated with DNS DCV > records (such as ACME DNS-01) not being clear in the record about whether > the scope applies to just a single hostname (example.com) or to a > wildcard (*.example.com). While DNS-01 has this within the token, the > DNS TXT record itself only includes a hash of the token making this hard > for a DNS admin to validate. > > We have a proposed change to use distinct labels for different scopes. > For example: > > * "`_acme-host-challenge.example.com`" applies only to the specific host > name of "example.com" and not to anything underneath it. > * "`_acme-wildcard-challenge.example.com`" applies to all host names at > the level immediately underneath "example.com". For example, it would > apply to "foo.example.com" but not "example.com" nor "quux.bar.example.com". > In the ACME context this would be for *.example.com. > > Pull request for this is here: > > <http://goog_1991325217> > > https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/90/files > > What is the sense of the ACME WG on if this would make sense? Roll-out > would presumably take quite some time so both would need to keep working. > > I'd suggest that it may make sense to incorporate as part of > draft-ietf-acme-dns-account-challenge since the roll-out for both would > likely follow a similar pattern. In that case I'd proposed that we'd > replace the "-account" in that draft with a specification to use either > "-host" or "-wildcard" depending on scope. (That might also mean expanding > the title of that draft.) > > There's also a scope of the domain and its subdomains, covering > example.com, *.example.com, *.*.example.com, *.{...}.example.com, etc, > but this isn't something specified by ACME due to the semantics of wilcards > X509 certs. > > Erik > > > _______________________________________________ > Acme mailing listAcme@ietf.orghttps://www.ietf.org/mailman/listinfo/acme > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] Indicating scope in DNS validation label Erik Nygren
- Re: [Acme] Indicating scope in DNS validation lab… Seo Suchan
- Re: [Acme] Indicating scope in DNS validation lab… Seo Suchan
- Re: [Acme] Indicating scope in DNS validation lab… Q Misell
- Re: [Acme] Indicating scope in DNS validation lab… Erik Nygren
- Re: [Acme] Indicating scope in DNS validation lab… Amir Omidi
- Re: [Acme] Indicating scope in DNS validation lab… Erik Nygren