Re: [Acme] Clarity: DNS validation domain delegated to another zone
Michael Wyraz <michael@wyraz.de> Tue, 09 February 2016 20:54 UTC
From: Michael Wyraz <michael@wyraz.de>
To: acme@ietf.org
References: <CA+MmhbOv-QF2efXyaXin15OKuhaV3iwza-tzcUyDAwwm8-yB5Q@mail.gmail.com>
Message-ID: <56BA5210.3060606@wyraz.de>
Date: Tue, 09 Feb 2016 21:54:40 +0100
In-Reply-To: <CA+MmhbOv-QF2efXyaXin15OKuhaV3iwza-tzcUyDAwwm8-yB5Q@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/ScTGMXKq3lYjEISsaaCkhOmhbqo>
Hello Jan,

IMO it makes no difference whether the one who manages the domain creates a _acme-challenge.foo.bar.com TXT or NS record to delegate this to a trusted destination. Furthermore, the domain admin delegates the "has authority over the identifier being claimed" explicitly to this DNS - so if the client can demonstrate control over it, it should satisfy the spec.

It's very unlikely that someone accidentally delegates "_acme-challenge.something" because it's not a valid domain name (in fact I could not even delegate it by intent for some of my domains because the domain name is rejected by most of my domain registrar's nameserver tools).

> Hello everyone,
>
> we are discussing whether it is technically legal to validate the DNS
> challenge TXT record when the validation domain is delegated away from
> the domain to a different zone.
>
> Scenario: a certificate request for domain = "foo.bar.com", which would
> have fqdn = "_acme-challenge.foo.bar.com".
>
> Assuming bar.com IN NS ns1.bar.com
>
> which has a record
>
> _acme-challenge.foo.bar.com IN NS ns.confusion.party
>
> and ns.confusion.party has the record
>
> _acme-challenge.foo.bar.com IN TXT "keyauth"
>
> The spec stipulates that:
>
> "the client must demonstrate to the server both (1) that it holds the
> private key of the account key pair, and (2) that it has authority
> over the identifier being claimed."
>
> One could argue that requirement (2) is not satisfied when the
> validation domain is delegated away from the domain: Creating a record
> under the validation domain is not indicative of control/authority of
> the (parent) certificate domain.
>
> On the other hand, the spec does not specifically exclude this scenario.
>
> Thoughts?
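The scenario debated above, as an added toy model that is not code from the thread: a constructed zone table in which `_acme-challenge.foo.bar.com` is delegated via NS to `ns.confusion.party`, and a check a domain owner or validator can run to see whether the challenge name is answered from the same zone and nameservers as the certificate domain. The zone data and nameserver names are taken from the post; the lookup is a simplified zone-cut walk over that table, not a real resolver.

```python
# Constructed toy zone data mirroring the thread's scenario; not real DNS.
# Each zone lists its authoritative nameservers and the records it holds.
ZONES = {
    "bar.com.": {
        "ns": ["ns1.bar.com."],
        "records": {
            # The delegation at issue: the challenge name is cut out of bar.com
            ("_acme-challenge.foo.bar.com.", "NS"): ["ns.confusion.party."],
            # A non-delegated sibling, for comparison
            ("_acme-challenge.www.bar.com.", "TXT"): ["keyauth-www"],
        },
    },
    "_acme-challenge.foo.bar.com.": {
        "ns": ["ns.confusion.party."],
        "records": {("_acme-challenge.foo.bar.com.", "TXT"): ["keyauth"]},
    },
}

def canon(name):
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def closest_zone(name):
    """Most specific zone in ZONES containing `name` (below the last zone cut)."""
    labels = canon(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONES:
            return candidate
    return None

def lookup(name, rtype):
    """Return (authoritative zone, rdata list) for name/rtype."""
    zone = closest_zone(name)
    if zone is None:
        return None, []
    return zone, ZONES[zone]["records"].get((canon(name), rtype), [])

def challenge_delegation_report(domain):
    """Is _acme-challenge.<domain> served by the same zone/NS as <domain>?"""
    challenge = "_acme-challenge." + canon(domain)
    domain_zone = closest_zone(domain)
    chal_zone, txt = lookup(challenge, "TXT")
    return {
        "challenge_zone": chal_zone,
        "delegated_away": chal_zone != domain_zone,
        "domain_ns": ZONES[domain_zone]["ns"] if domain_zone else [],
        "challenge_ns": ZONES[chal_zone]["ns"] if chal_zone else [],
        "txt": txt,
    }
```

For `foo.bar.com` the report shows the TXT "keyauth" being served by `ns.confusion.party` rather than `ns1.bar.com`, which is exactly the delegation the original question asks about; for the non-delegated `www.bar.com` sibling both names resolve within `bar.com`.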