Re: [Acme] dns-01 challenge limitations

Patrik Wallström <pawal@amplitut.de> Fri, 11 September 2020 13:41 UTC

To: Simon Ser <contact@emersion.fr>
Cc: Felipe Gasper <felipe@felipegasper.com>, "Matthew.Holt@gmail.com" <Matthew.Holt@gmail.com>, "acme@ietf.org" <acme@ietf.org>
References: <uu-OR5wP1b7svN1Rxems1U8_axHG7M8M9_kYqTBVyhQFxqrddppvhasyxKtLQ-4AZkrbBWhJ_9V-Xs8mQBK5E4smP4_1vANgZazIwicsbq0=@emersion.fr> <394568F0-00BD-4789-8CF4-C1A00A078B6E@felipegasper.com> <uTb0VcadGuNvEnDsg15ER29Kge26GImPfZ-JqS6iFkGXEn4DOFmq8V-hAb32lZNpv6r5rtfrZn6pihdDQkyts_I6BK4tni8CNMYC2RgSorU=@emersion.fr>
From: Patrik Wallström <pawal@amplitut.de>
Message-ID: <b506a8dd-fbf4-0c32-9ff5-30334436ee3a@amplitut.de>
Date: Fri, 11 Sep 2020 15:41:08 +0200
In-Reply-To: <uTb0VcadGuNvEnDsg15ER29Kge26GImPfZ-JqS6iFkGXEn4DOFmq8V-hAb32lZNpv6r5rtfrZn6pihdDQkyts_I6BK4tni8CNMYC2RgSorU=@emersion.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Vtd3RosMxrEen88_5GaRxUfw0x8>
Subject: Re: [Acme] dns-01 challenge limitations


Simon Ser wrote on 2020-09-11 at 15:25:
> Hi,
> 
> On Friday, September 11, 2020 3:17 PM, Felipe Gasper <felipe@felipegasper.com> wrote:
> 
>>> On Sep 11, 2020, at 9:08 AM, Simon Ser contact@emersion.fr wrote:
>>> For instance, it would be possible to require users to add a short public key
>>> in a DNS TXT record, then ask the ACME client to sign challenges with that key.
>>> Something like this would significantly ease the development of ACME clients.
>>
>> This would seem to introduce a new vector--key compromise--for being
>> able to impersonate the domain, wouldn’t it?
>>
>> Such an authz method would be proving not access to the domain
>> itself, but access to the key, and would be vulnerable to local
>> misconfigurations. It seems thus not dissimilar to the erstwhile
>> problem with tls-sni-01/02.
> 
> Right now ACME clients need vendor-specific authorizations, like API
> tokens. If the DNS registry operator's token is leaked, much worse
> things can happen than just being able to issue wildcard certificates
> (since the token provides write access to DNS records).

The missing piece of this puzzle is a standardized API for registrars
(or DNS operators), where changes can be made for a zone at a registrar.
Much like registry changes coming from registrars to a registry using
EPP. Many attempts have been made for this, but for some reason,
registrars like their lock-in models.

Perhaps some day there will be an attempt at both creating a really good
open source zone editor that will be adopted by registrars and other DNS
operators, that also implements an API that is generally accepted. Then
perhaps this API could become a standard for interacting at least with
DNS operators for changing the content of a zone. (No, and I don't think
RFC 2136 is good enough for this.)

For now, this is for many ACME clients a manual step. If you run your
authoritative DNS service locally in your network, perhaps you could
look into any options for automatically updating the zone content.
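As an added example (not part of this thread), the two pieces the last paragraph alludes to for a locally run authoritative server: computing the dns-01 TXT value per RFC 8555 section 8.4 and RFC 7638, then producing an RFC 2136 update that only touches the _acme-challenge name, together with a BIND update-policy grant that scopes the signing key to that one name rather than to the whole zone the way a registrar API token would. The account JWK, token, domain and key name are constructed sample values.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def nsupdate_script(domain: str, txt_value: str, server: str, ttl: int = 60) -> str:
    """RFC 2136 dynamic update as nsupdate input. It only ever touches the
    _acme-challenge owner name, so the TSIG key signing it can be granted
    nothing else on the server (see bind_update_policy)."""
    zone = domain.rstrip(".")
    name = f"_acme-challenge.{zone}."
    return "\n".join([
        f"server {server}",
        f"zone {zone}.",
        f"update delete {name} TXT",
        f'update add {name} {ttl} IN TXT "{txt_value}"',
        "send",
    ])

def bind_update_policy(domain: str, key_name: str) -> str:
    """BIND zone-level grant: the key may change only TXT at _acme-challenge.<domain>."""
    zone = domain.rstrip(".")
    return f"update-policy {{ grant {key_name} name _acme-challenge.{zone}. TXT; }};"

# Constructed sample ACME account key: EC P-256 public JWK with placeholder coordinates.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256", "alg": "ES256", "kid": "https://acme.example/acct/1",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}

if __name__ == "__main__":
    value = dns01_txt_value("evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", ACCOUNT_JWK)
    print(nsupdate_script("example.com", value, "127.0.0.1"))
    print(bind_update_policy("example.com", "acme-key"))
```

The nsupdate input is meant to be fed to `nsupdate -k <tsig-key-file>`, and the grant goes in the zone block of named.conf; the key then cannot touch any other record in the zone.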