IETF Logo Mail Archive

Re: [Acme] Indicating scope in DNS validation label

Erik Nygren <erik+ietf@nygren.org> Sun, 12 November 2023 13:47 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7682DC1705FA; Sun, 12 Nov 2023 05:47:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.406
X-Spam-Level:
X-Spam-Status: No, score=-1.406 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id koZuaETAUROn; Sun, 12 Nov 2023 05:47:43 -0800 (PST)
Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4590C1705EE; Sun, 12 Nov 2023 05:47:43 -0800 (PST)
Received: by mail-wr1-f50.google.com with SMTP id ffacd0b85a97d-33139ecdca7so1357476f8f.0; Sun, 12 Nov 2023 05:47:43 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699796862; x=1700401662; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=MeoIb2oob525OtOH28KaJ/r9QdlqGvE41loRRNhYvPQ=; b=CZ1olaTN3FxCfJV4CsrZ/aN4dTnzi64wrBUppwenrccysH42HduJdRd64WZqrgn7x3 3W6qZIVc9t6IywY2Ju6gq1jd6xyro5wWTQcY9t43GG9oZ4RT2yuEV5c9MhM6dYVgQi8o I5epJcSELQ/tITuf36pqawpwTJatgzmcsIh+oYRzz7sRTrWHOsS7Q4U6T1vLvZpTadsg 3cQrNBErSMgo26AjOOKyQqx7mfN85WAvjZ3Pd/bJpQc7tGcgz6kJgciIZ51uw2sWH4Ai 7QbVz3LpYs+vqPp9Xn92nuPkebY8xCeV1mAxteLqeIoVCjC2wLVf/dbPHmE5iNvQXBxQ nDnA==
X-Gm-Message-State: AOJu0YyMDuPXzk4PFPfBznsDF99YsM9PcBZF/mGD9Ov6MM2xo8UyGkTl ZzMY1+3hErMltU22crc2YnEr4Ri/926rw1Q06DM=
X-Google-Smtp-Source: AGHT+IFRD7f1uXzryF5nRjmLSyHWO+KAJjFn59HRR2aHhpixr7BKsdfpVDIgrOJTphSPds3ZNa4e6wW3WyNEaMm4kO8=
X-Received: by 2002:a5d:584c:0:b0:32f:7e1d:f039 with SMTP id i12-20020a5d584c000000b0032f7e1df039mr3171089wrf.46.1699796861716; Sun, 12 Nov 2023 05:47:41 -0800 (PST)
MIME-Version: 1.0
References: <CAKC-DJib1cE5d=NcJVbv1bO+fXs=5KTrodrHoWkJ3h-ZD1wmpQ@mail.gmail.com> <b46133ac-73ba-45f9-ac22-1d5c4de8e6d8@gmail.com> <CAMEWqGtO3zfnB9TVK-2ozOyhj+ROgjC1QOruckRFaw3ktYTGQg@mail.gmail.com> <e6937847-201c-4762-b323-3f7446caeffb@gmail.com>
In-Reply-To: <e6937847-201c-4762-b323-3f7446caeffb@gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Sun, 12 Nov 2023 08:47:30 -0500
Message-ID: <CAKC-DJhUTv=hqW3=3ABiRJm5-Nhockc2tiB5TBk2xksToh=Y2g@mail.gmail.com>
To: Seo Suchan <tjtncks@gmail.com>
Cc: Q Misell <q@as207960.net>, "acme@ietf.org" <acme@ietf.org>, draft-ietf-dnsop-domain-verification-techniques@ietf.org
Content-Type: multipart/alternative; boundary="000000000000220f7e0609f4ccc0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/TEYrcV7dRQ_bYuOqFXyXRpquxfI>
Subject: Re: [Acme] Indicating scope in DNS validation label
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Nov 2023 13:47:47 -0000

CAA can help, but agreed that it's a blunt tool and only part of the
ecosystem.

it would be preferable to differentiate within the DV record being added to
the zone,
especially as there could be cases where both an exact cert and a wildcard
cert may
be desirable for a zone.  The DNS operator of the zone (or any automation
framework that authorizes access) which is adding the record should
preferably
be able to distinguish what name(s) is/are being validated.  Including this
in the ACME label name would give zone operators better control.

This would enable CA operators to give better controls to their customers
so would not be in conflict with the MAY in the BR.  (Although if we had a
better
ecosystem here it might make sense to tighten the BR at some point.)
In the interim, CAA along with such a differentiation could be used
by zone operators to limit allowed CAs to only those who support this
differentiation feature, which is the scope/intent of CAA.

     Erik





On Wed, Oct 4, 2023 at 4:46 AM Seo Suchan <tjtncks@gmail.com> wrote:

> while it's blunt tool current CAA issuewild record with whiltelist
> accounturi would able to do that, as issuewild overides issue.
> 2023-10-04 오후 4:59에 Q Misell 이(가) 쓴 글:
>
> Regardless of the inclusion of that paragraph in the BR I still think it
> would be worthwhile to be able to limit a DNS based validation to not
> issuing wildcards, should an admin so desire.
> ------------------------------
>
> Any statements contained in this email are personal to the author and are
> not necessarily the statements of the company unless specifically stated.
> AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace,
> Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company
> registered in Wales under № 12417574
> <https://e.as207960.net/w4bdyj/Tuxjr0hL>, LEI 875500FXNCJPAPF3PD10. ICO
> register №: ZA782876 <https://e.as207960.net/w4bdyj/w06IBwih>. UK VAT №:
> GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean
> VAT №: 522-80-03080. AS207960 Ewrop OÜ, having a registered office at
> Lääne-Viru maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as
> Glauca Digital, is a company registered in Estonia under № 16755226.
> Estonian VAT №: EE102625532. Glauca Digital and the Glauca logo are
> registered trademarks in the UK, under № UK00003718474 and № UK00003718468,
> respectively.
>
>
> On Tue, 3 Oct 2023 at 20:04, Seo Suchan <tjtncks@gmail.com> wrote:
>
>> Because CA/B baseline DNS Change auth have this paragraph, I think DNS
>> admin should consider any DNS record there to be valid for wildcard.
>>
>> Note: Once the FQDN has been validated using this method, the CA MAY also
>> issue Certificates for
>> other FQDNs that end with all the Domain Labels of the validated FQDN.
>> This method is suitable
>> for validating Wildcard Domain Names.
>>
>>
>> 2023-10-03 오후 10:31에 Erik Nygren 이(가) 쓴 글:
>>
>> Within draft-ietf-dnsop-domain-verification-techniques
>> <https://e.as207960.net/w4bdyj/KvYIoLDG> there is considerable
>> discussion about the risks associated with DNS DCV records (such as ACME
>> DNS-01) not being clear in the record about whether the scope applies to
>> just a single hostname (example.com
>> <https://e.as207960.net/w4bdyj/qLxR85iE>) or to a wildcard (*.example.com
>> <https://e.as207960.net/w4bdyj/tcl3DZPh>).  While DNS-01 has this within
>> the token, the DNS TXT record itself only includes a hash of the token
>> making this hard for a DNS admin to validate.
>>
>> We have a proposed change to use distinct labels for different scopes.
>> For example:
>>
>> * "`_acme-host-challenge.example.com
>> <https://e.as207960.net/w4bdyj/JpqJjdxE>`" applies only to the specific
>> host name of "example.com <https://e.as207960.net/w4bdyj/oHE7qkwz>" and
>> not to anything underneath it.
>> * "`_acme-wildcard-challenge.example.com
>> <https://e.as207960.net/w4bdyj/xVMcJdIL>`" applies to all host names at
>> the level immediately underneath "example.com
>> <https://e.as207960.net/w4bdyj/K9ajyGUJ>". For example, it would apply
>> to "foo.example.com <https://e.as207960.net/w4bdyj/t7IJuCyq>" but not "
>> example.com <https://e.as207960.net/w4bdyj/zyBITmRO>" nor "
>> quux.bar.example.com <https://e.as207960.net/w4bdyj/wvu0juZp>".  In the
>> ACME context this would be for *.example.com
>> <https://e.as207960.net/w4bdyj/oirLEOAx>.
>>
>> Pull request for this is here:
>>
>> <http://goog_1991325217>
>>
>> https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/90/files
>> <https://e.as207960.net/w4bdyj/awm4ssbi>
>>
>> What is the sense of the ACME WG on if this would make sense?  Roll-out
>> would presumably take quite some time so both would need to keep working.
>>
>> I'd suggest that it may make sense to incorporate as part of
>> draft-ietf-acme-dns-account-challenge since the roll-out for both would
>> likely follow a similar pattern.  In that case I'd proposed that we'd
>> replace the "-account" in that draft with a specification to use either
>> "-host" or "-wildcard" depending on scope.  (That might also mean expanding
>> the title of that draft.)
>>
>> There's also a scope of the domain and its subdomains, covering
>> example.com <https://e.as207960.net/w4bdyj/LVqv0vTq>, *.example.com
>> <https://e.as207960.net/w4bdyj/cV3n3pfP>, *.*.example.com
>> <https://e.as207960.net/w4bdyj/xHJHAQvD>, *.{...}.example.com
>> <https://e.as207960.net/w4bdyj/gnFjNtwj>, etc, but this isn't something
>> specified by ACME due to the semantics of wilcards X509 certs.
>>
>>     Erik
>>
>>
>> _______________________________________________
>>
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme <https://e.as207960.net/w4bdyj/eLTGHv1V>
>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
>> <https://e.as207960.net/w4bdyj/cbz6pd9N>
>>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email