[Acme] Clarity: DNS validation domain delegated to another zone

Jan Broer <jasiu.79@gmail.com> Tue, 09 February 2016 20:29 UTC

Date: Tue, 09 Feb 2016 21:29:17 +0100
Message-ID: <CA+MmhbOv-QF2efXyaXin15OKuhaV3iwza-tzcUyDAwwm8-yB5Q@mail.gmail.com>
From: Jan Broer <jasiu.79@gmail.com>
To: acme@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/_M1WCTbaojKGjhQew-e3NiIJZtA>
Subject: [Acme] Clarity: DNS validation domain delegated to another zone

Hello everyone,

We are discussing whether it is technically legal to validate the DNS
challenge TXT record when the validation domain is delegated away from the
domain to a different zone.

Scenario: a certificate request for domain = "foo.bar.com", which would
have fqdn = "_acme-challenge.foo.bar.com".

Assuming bar.com IN NS ns1.bar.com

which has a record

_acme-challenge.foo.bar.com IN NS ns.confusion.party

and ns.confusion.party has the record

_acme-challenge.foo.bar.com IN TXT "keyauth"

The spec stipulates that:

"the client must demonstrate to the server both (1) that it holds the
private key of the account key pair, and (2) that it has authority over the
identifier being claimed."

One could argue that requirement (2) is not satisfied when the validation
domain is delegated away from the domain: Creating a record under the
validation domain is not indicative of control/authority of the (parent)
certificate domain.

On the other hand, the spec does not specifically exclude this scenario.

Thoughts?
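The lookup the post describes, as an added example that is not part of the original post or of any ACME implementation: it walks constructed zone data for foo.bar.com the way an iterative resolver would, records every NS zone cut crossed on the way to _acme-challenge.foo.bar.com, and reports whether the TXT answer came from a zone other than the one holding the certificate domain, which is the fact a CA policy needs in order to decide the question raised here. The zone layout, the control domain example.net and all helper names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed zone data for the post's scenario (nothing is queried over the network):
# zone apex -> {owner -> [(rrtype, rdata), ...]}; ns.confusion.party serves the child.
ZONES = {
    "bar.com.": {
        "bar.com.": [("NS", "ns1.bar.com.")],
        "_acme-challenge.foo.bar.com.": [("NS", "ns.confusion.party.")],
    },
    "_acme-challenge.foo.bar.com.": {  # child zone, apex == the validation name
        "_acme-challenge.foo.bar.com.": [("NS", "ns.confusion.party."), ("TXT", "keyauth")],
    },
    "example.net.": {  # control case: TXT published directly in the domain's own zone
        "example.net.": [("NS", "ns1.example.net.")],
        "_acme-challenge.example.net.": [("TXT", "keyauth")],
    },
}

@dataclass
class Lookup:
    txt: list = field(default_factory=list)   # TXT rdata found at the validation name
    cuts: list = field(default_factory=list)  # (delegated name, NS rdata) cuts crossed
    answering_zone: str = ""                  # apex of the zone that held the answer
def _in_zone(name, apex):
    return name == apex or name.endswith("." + apex)
def _zone_for(name, zones):
    """Longest-suffix match: apex of the zone in `zones` that contains `name`."""
    apexes = [a for a in zones if _in_zone(name, a)]
    return max(apexes, key=len) if apexes else None
def resolve_validation(domain, zones=ZONES):
    """Resolve _acme-challenge.<domain> iteratively, crossing every NS zone cut."""
    name, apex = f"_acme-challenge.{domain}.", _zone_for(f"{domain}.", zones)
    result = Lookup()
    while apex is not None:
        zone, cut = zones[apex], None
        for owner, rrs in zone.items():  # is there a delegation strictly below the apex?
            ns = [rd for t, rd in rrs if t == "NS"]
            if owner != apex and _in_zone(name, owner) and ns:
                cut = (owner, ns[0])
        if cut is None:  # this zone is authoritative for `name`: read the TXT
            result.txt = [rd for t, rd in zone.get(name, []) if t == "TXT"]
            result.answering_zone = apex
            return result
        result.cuts.append(cut)
        apex = cut[0] if cut[0] in zones else None  # follow the delegation, if we have data
    return result  # delegation target unknown: no answer, txt stays empty
def delegated_outside_domain_zone(domain, zones=ZONES):
    """True when the TXT came from a zone other than the one holding the certificate domain."""
    r = resolve_validation(domain, zones)
    return r.answering_zone != _zone_for(f"{domain}.", zones)
```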