Re: [Acme] Assisted-DNS challenge type

Alan Doherty <ietf@alandoherty.net> Thu, 25 January 2018 00:38 UTC

Return-Path: <ietf@alandoherty.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 653A612D864 for <acme@ietfa.amsl.com>; Wed, 24 Jan 2018 16:38:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zaBYZJ7dDKae for <acme@ietfa.amsl.com>; Wed, 24 Jan 2018 16:38:43 -0800 (PST)
Received: from bigsvr.orionnetworks.ie (hosting.orionnetworks.ie [195.2.202.63]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BC7412D869 for <acme@ietf.org>; Wed, 24 Jan 2018 16:38:43 -0800 (PST)
Received: from host249.freudenhaus.alandoherty.net ([193.120.128.249]:4790 helo=alans-p4.alandoherty.net) by bigsvr.orionnetworks.ie with esmtpsa(TLSv1:DHE-RSA-AES256-SHA:256) (auth-as tel1) (nexus 1.3.4.80.1) (envelope-from <ietf@alandoherty.net>) id 1eeVYs-00084z-I7 ; Thu, 25 Jan 2018 00:38:40 +0000
X-AD-RPFS-HEAD: for info on below codes http://www.alandoherty.net/mailsystem/mail-tagging/
X-AD-RPFS-GOOD-0: AV-SCAN-PASS SA-SCORE--1.6 SA-BAR-(-)
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 25 Jan 2018 00:38:35 +0000
To: Jacob Hoffman-Andrews <jsha@eff.org>,"acme@ietf.org" <acme@ietf.org>
From: Alan Doherty <ietf@alandoherty.net>
In-Reply-To: <bbaea6b0-65dc-9dff-0a23-e55e6eebb580@eff.org>
References: <bbaea6b0-65dc-9dff-0a23-e55e6eebb580@eff.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <E1eeVYs-00084z-I7@bigsvr.orionnetworks.ie>
X-VIRUS: NONE {no virus found, This is no guarentee}
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/UQLqe9In36He4aQ32hg04uyvbqs>
Subject: Re: [Acme] Assisted-DNS challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jan 2018 00:38:46 -0000

but then if example.com sets up such a record

pointed at letsencrypt (or other)

how does my client (or theirs)
ever prove which is actually a legitimate applicant for certs for example.com??

the idea of a challenge is its only known to the client that requested the cert
thus has to be returned to the CA by the client via DNS/http whatever

now if you were to suggest the CA(or any other third party) provide a dns api to modify/update 1234.challenges.whoever.example.net. txt records

thus client receives challenge modifies the dynamic zone 1234.challenges.whoever.example.net.

thus proves to acme server following the cname it does control the zone that cnamed there

if so normal dns-01 does follow cnames? (dosn't it)

thus all you need to do is find a dns provider thats api is supported by your chosen letencrypt client
delegate a subdomain to them challenges.yourdomain.net, cname challenges to that zone and get your le client to update the txt when challenges received?

or just delegate directly _acme-cahallenges.yourdomain.net to that provider cut out the cnames entirely ;)




At 01:09 23/01/2018  Tuesday, Jacob Hoffman-Andrews wrote:
>Inspired by a thread on Let's Encrypt's community forum (https://community.letsencrypt.org/t/suggestion-lets-encrypt-operated-txt-only-dns-hosting-for-dns-challenges/50399/1), I'd like to propose a new challenge type, "assisted-dns-01". The existing DNS challenge is good for a number of reasons, but it has a couple of key problems: Â - It's hard to automate, and many DNS providers may offer no automation at all. Â - Automating it may mean putting DNS credentials on a web frontend, which may increase risk. To fix that, the CA could assist the user by providing narrowly-scoped DNS hosting: It would serve only TXT records used in validating DNS challenges. The CA instruct subscribers to delegate the _acme-challenge subdomain to a subdomain of the CA's hosted DNS domain. For instance, if a subscriber has account number 1234, the CA would say: Please deploy a CNAME record like so: _acme-challenge.example.com. CNAME 1234.challenges.ca.example.net. The assisted-dns-01 challenge would th
en be validated like dns-01, except: As the first step in validation, the CA would deploy the expected TXT value at 1234.challenges.ca.example.net. Then the CA would continue to look up "TXT _acme-challenge.example.com." In a way, fetching final TXT record would be a formality: the CA could in theory stop once it saw the CNAME pointed at the right location, though most likely abiding by the terms of the BRs would require following the formal lookup steps. This challenge has the big advantage that subscribers only need to do a one-time CNAME setup, and renewals can be reliably automated without requiring that renewing systems have permission to update DNS. In effect, the CNAME record would act like a long-term delegation permitting the CA to issue continuously for the base domain. The challenge object would contain a field telling the client what the CNAME target should be. Based on this, clients can check the existing DNS and prompt a user to add the CNAME if needed, or continue a
utomatically if it's already present. Example assisted-dns-01 challenge: {   "type": "assisted-dns-01",   "token": "abc123",   "cnameTarget": "1234.challenges.ca.example.net.", } If people think this challenge type has merit, my proposal is that it be part of an extension document, not part of the core ACME doc. Credit to Joona Hoikkala, Matt Nordhoff, and forum user @_az for helping to develop this concept.    _______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme