Re: [Acme] dns-01 challenge limitations

Kas <> Sun, 13 September 2020 09:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6FDD23A0B8A for <>; Sun, 13 Sep 2020 02:42:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.047
X-Spam-Status: No, score=-3.047 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.948, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DHv3Ka1KHcws for <>; Sun, 13 Sep 2020 02:42:33 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 388C83A0ABC for <>; Sun, 13 Sep 2020 02:42:33 -0700 (PDT)
dkim-signature: v=1; a=rsa-sha256;; s=rsakey; c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:Content-Transfer-Encoding:In-Reply-To:References; bh=NdwL4siEoJoykHIUJ0ihRHwHjWUkE3uoCx1v6U26Gp0=; b=Vm3pXtcH2/wsE8I/TKhfTIRjgc3c3j9EWSZ9J80d4+5uGKphlEmsiGgyjjAWO+dgc5oR0iWiw/0IUBTuM6fAbmXFfCs/qyKDB9y0G3UKrIdxV61P5G4sc5e82tRslNAWGXjufiN7PnoYCwlWUR7tLp/FyZpyZxG+ONVp4GjVig6YD7n6Ct4b3odfMCqkTx3SZ6hy1UmSYphsDEwIHqrl8oMDDhVVLQCRDYzULu+DNHSd97MOW9ChKX5TUP BveGJm9sjjBoOgkwccMGSNyGAxKD2A65Ii8w2EGFeHKlQWBObgqZ8N1OwB/YNNqaWGh+yynoQsuhyBAaSLmJpOtdjJIQ==
Received: from [] (Unknown []) by with ESMTPSA (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128) ; Sun, 13 Sep 2020 12:42:26 +0300
To: Simon Ser <>, "" <>
References: <> <> <> <> <> <>
From: Kas <>
Message-ID: <>
Date: Sun, 13 Sep 2020 12:42:02 +0300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [Acme] dns-01 challenge limitations
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 13 Sep 2020 09:42:35 -0000

On 9/13/2020 12:13 PM, Simon Ser wrote:
> Ultimately, ACME clients need a way to update DNS records to solve the dns-01
> challenge. Ignoring and pushing the problem down to the DNS operators does not
> fix the root cause.
I can't agree more, so what about going after dns-02 challenge instead 
of trying to fix this ?

(And this is up for discussion and as food for thought.)
Lets say dns-02 challenge will be little different where the DNS record 
will hold a public key for specific(or per) domain/subdomain and ACME 
client will pass the server challenge by using the correspondent private 
key for that public key to pass the challenge from the server, where 
server will verify against the DNS published public key, means no DNS 
access from client side at the time of the challenge itself.

This might solve the need for DNS API or even accessing the DNS from the 
client altogether, this will solve and simplify the challenge while do 
not compromise the security of the challenge itself and will not 
compromise the DNS records for the DNS administrators piece in mind, on 
contrary it will give the ability to control DNS handling on the client 
side in more secure way, and yet if a client have the ability to change 
the public key then this will revert to something very similar to 
dns-01, so in that case ( when it can access and modify the DNS records) 
client can choose between dns-01 and dns-02, which i don't see need any 
discussing more that dns-01 itself.

Is such challenge viable and secure ? did i missed something obvious 
with such suggestion ?