Re: [Acme] Assisted-DNS challenge type

Alan Doherty <> Thu, 25 January 2018 00:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 653A612D864 for <>; Wed, 24 Jan 2018 16:38:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zaBYZJ7dDKae for <>; Wed, 24 Jan 2018 16:38:43 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4BC7412D869 for <>; Wed, 24 Jan 2018 16:38:43 -0800 (PST)
Received: from ([]:4790 by with esmtpsa(TLSv1:DHE-RSA-AES256-SHA:256) (auth-as tel1) (nexus (envelope-from <>) id 1eeVYs-00084z-I7 ; Thu, 25 Jan 2018 00:38:40 +0000
X-AD-RPFS-HEAD: for info on below codes
X-Mailer: QUALCOMM Windows Eudora Version
Date: Thu, 25 Jan 2018 00:38:35 +0000
To: Jacob Hoffman-Andrews <>,"" <>
From: Alan Doherty <>
In-Reply-To: <>
References: <>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <>
X-VIRUS: NONE {no virus found, This is no guarentee}
Archived-At: <>
Subject: Re: [Acme] Assisted-DNS challenge type
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 25 Jan 2018 00:38:46 -0000

but then if sets up such a record

pointed at letsencrypt (or other)

how does my client (or theirs)
ever prove which is actually a legitimate applicant for certs for

the idea of a challenge is its only known to the client that requested the cert
thus has to be returned to the CA by the client via DNS/http whatever

now if you were to suggest the CA(or any other third party) provide a dns api to modify/update txt records

thus client receives challenge modifies the dynamic zone

thus proves to acme server following the cname it does control the zone that cnamed there

if so normal dns-01 does follow cnames? (dosn't it)

thus all you need to do is find a dns provider thats api is supported by your chosen letencrypt client
delegate a subdomain to them, cname challenges to that zone and get your le client to update the txt when challenges received?

or just delegate directly to that provider cut out the cnames entirely ;)

At 01:09 23/01/2018  Tuesday, Jacob Hoffman-Andrews wrote:
>Inspired by a thread on Let's Encrypt's community forum (, I'd like to propose a new challenge type, "assisted-dns-01". The existing DNS challenge is good for a number of reasons, but it has a couple of key problems: Â - It's hard to automate, and many DNS providers may offer no automation at all. Â - Automating it may mean putting DNS credentials on a web frontend, which may increase risk. To fix that, the CA could assist the user by providing narrowly-scoped DNS hosting: It would serve only TXT records used in validating DNS challenges. The CA instruct subscribers to delegate the _acme-challenge subdomain to a subdomain of the CA's hosted DNS domain. For instance, if a subscriber has account number 1234, the CA would say: Please deploy a CNAME record like so: CNAME The assisted-dns-01 challenge would th
en be validated like dns-01, except: As the first step in validation, the CA would deploy the expected TXT value at Then the CA would continue to look up "TXT" In a way, fetching final TXT record would be a formality: the CA could in theory stop once it saw the CNAME pointed at the right location, though most likely abiding by the terms of the BRs would require following the formal lookup steps. This challenge has the big advantage that subscribers only need to do a one-time CNAME setup, and renewals can be reliably automated without requiring that renewing systems have permission to update DNS. In effect, the CNAME record would act like a long-term delegation permitting the CA to issue continuously for the base domain. The challenge object would contain a field telling the client what the CNAME target should be. Based on this, clients can check the existing DNS and prompt a user to add the CNAME if needed, or continue a
utomatically if it's already present. Example assisted-dns-01 challenge: {   "type": "assisted-dns-01",   "token": "abc123",   "cnameTarget": "", } If people think this challenge type has merit, my proposal is that it be part of an extension document, not part of the core ACME doc. Credit to Joona Hoikkala, Matt Nordhoff, and forum user @_az for helping to develop this concept.    _______________________________________________ Acme mailing list