[Acme] Indicating scope in DNS validation label

Erik Nygren <erik+ietf@nygren.org> Tue, 03 October 2023 13:31 UTC

From: Erik Nygren <erik+ietf@nygren.org>
Date: Tue, 03 Oct 2023 09:31:09 -0400
Message-ID: <CAKC-DJib1cE5d=NcJVbv1bO+fXs=5KTrodrHoWkJ3h-ZD1wmpQ@mail.gmail.com>
To: draft-ietf-dnsop-domain-verification-techniques@ietf.org, acme@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/X3l37oE9PFHdDqnKVcBJWfGYfuU>
Subject: [Acme] Indicating scope in DNS validation label

Within draft-ietf-dnsop-domain-verification-techniques
<https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques>
there is considerable discussion about the risks associated with DNS DCV
records (such as ACME DNS-01) not being clear in the record about whether
the scope applies to just a single hostname (example.com) or to a wildcard
(*.example.com).  While DNS-01 has this within the token, the DNS TXT
record itself only includes a hash of the token making this hard for a DNS
admin to validate.

We have a proposed change to use distinct labels for different scopes.  For
example:

* "`_acme-host-challenge.example.com`" applies only to the specific host
name of "example.com" and not to anything underneath it.
* "`_acme-wildcard-challenge.example.com`" applies to all host names at the
level immediately underneath "example.com". For example, it would apply to
"foo.example.com" but not "example.com" nor "quux.bar.example.com".  In the
ACME context this would be for *.example.com.

Pull request for this is here:

https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/90/files

What is the sense of the ACME WG on if this would make sense?  Roll-out
would presumably take quite some time so both would need to keep working.

I'd suggest that it may make sense to incorporate as part of
draft-ietf-acme-dns-account-challenge since the roll-out for both would
likely follow a similar pattern.  In that case I'd propose that we'd
replace the "-account" in that draft with a specification to use either
"-host" or "-wildcard" depending on scope.  (That might also mean expanding
the title of that draft.)

There's also a scope of the domain and its subdomains, covering example.com,
*.example.com, *.*.example.com, *.{...}.example.com, etc, but this isn't
something specified by ACME due to the semantics of wildcard X.509 certs.

    Erik
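An added example (not code from the draft, the pull request or the ACME WG) of the point Erik raises: under RFC 8555 both `example.com` and `*.example.com` are validated at the same owner name `_acme-challenge.example.com`, and because the TXT RDATA is only a hash of the key authorization, a DNS admin reading the zone cannot tell which scope a record authorizes. With the proposed `_acme-host-challenge` / `_acme-wildcard-challenge` labels the owner name itself says so, and a CA that queries only the scope-matching name cannot satisfy a wildcard authorization from a host-scoped record. The account key, token and zone contents are placeholder values constructed for this example; the zone is a plain dict standing in for a DNS lookup.

```python
"""Scoped DNS-01 labels: where the validation record lives and what it authorizes.

Added example, not code from the draft or the ACME WG. It models RFC 8555
DNS-01 (key authorization -> SHA-256 -> base64url TXT value) next to the
scope-indicating owner names proposed in the message. The account key,
token and zone contents below are constructed placeholders.
"""
import base64
import hashlib
import json

# Required JWK members for an RFC 7638 thumbprint, per key type.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

# Owner-name labels. "_acme-challenge" is RFC 8555; the two scoped labels
# are the proposal under discussion.
LEGACY_LABEL = "_acme-challenge"
SCOPED_LABELS = {False: "_acme-host-challenge", True: "_acme-wildcard-challenge"}


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required members."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 sec. 8.4: TXT RDATA = base64url(SHA-256(token '.' thumbprint)).
    Only the hash is published, so the token (which carries the scope) is
    not recoverable by whoever reads the zone."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def split_identifier(identifier: str):
    """'*.example.com' -> ('example.com', True); 'example.com' -> ('example.com', False)."""
    if identifier.startswith("*."):
        return identifier[2:], True
    return identifier, False


def validation_name(identifier: str, scoped: bool) -> str:
    """Owner name the CA queries for this identifier."""
    base, wildcard = split_identifier(identifier)
    label = SCOPED_LABELS[wildcard] if scoped else LEGACY_LABEL
    return f"{label}.{base}"


def record_scope(owner_name: str):
    """What a DNS admin can read off the owner name alone: the identifier
    the record authorizes, or None when the name does not say."""
    label, _, base = owner_name.partition(".")
    if label == SCOPED_LABELS[False]:
        return base
    if label == SCOPED_LABELS[True]:
        return "*." + base
    if label == LEGACY_LABEL:
        return None  # host or wildcard: only the hashed token knows
    raise ValueError(f"not an ACME validation name: {owner_name}")


def publish(zone: dict, identifier: str, token: str, jwk: dict, scoped: bool) -> None:
    """Client side: add the TXT record for one authorization to a zone dict."""
    zone.setdefault(validation_name(identifier, scoped), []).append(
        dns01_txt_value(token, jwk))


def ca_validates(identifier: str, token: str, jwk: dict, zone: dict, scoped: bool) -> bool:
    """CA side: look only at the owner name that matches the requested scope."""
    expected = dns01_txt_value(token, jwk)
    return expected in zone.get(validation_name(identifier, scoped), [])


# Placeholder values (the coordinates are not a usable key).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# A constructed zone where the admin published a host-scoped record only.
ZONE = {}
publish(ZONE, "example.com", TOKEN, ACCOUNT_JWK, scoped=True)

if __name__ == "__main__":
    for name in ZONE:
        print(f"{name} -> authorizes {record_scope(name)}")
    print("host ok:", ca_validates("example.com", TOKEN, ACCOUNT_JWK, ZONE, scoped=True))
    print("wildcard ok:", ca_validates("*.example.com", TOKEN, ACCOUNT_JWK, ZONE, scoped=True))
    # Under RFC 8555 both identifiers share one owner name, so the zone
    # does not reveal which one a record was published for.
    print("legacy scope:", record_scope(validation_name("*.example.com", scoped=False)))
```

Running it prints that `_acme-host-challenge.example.com` authorizes `example.com`, that the host-scoped record validates `example.com` but not `*.example.com`, and that the legacy name yields no scope at all. During a roll-out where both naming schemes must keep working, a client would publish under both `validation_name(..., scoped=True)` and `scoped=False`, and a CA would accept whichever it is configured to query.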