[Acme] Re: Interactions between HTTPS RRs (rfc9460) and HTTP-01 DV
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 15 April 2025 23:08 UTC
To: Erik Nygren <erik+ietf@nygren.org>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: IETF ACME <acme@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/a9ctV0CDoVBk7D344UDJFSkPvJQ>
Hiya,

On 15/04/2025 23:50, Erik Nygren wrote:
> Thanks. I went ahead and filed an errata for this.

That adds: "(The HTTP client must not resolve and/or must ignore any
HTTPS DNS RRs [RFC 9460].)"

Is that correct? What about aliasMode or different ports? Are we
insisting that ACME servers ignore all HTTPS RR content or just some?
(Note: I don't claim to know the right answer just now.)

Cheers,
S.

>
> Erik
>
>
> On Tue, Apr 15, 2025 at 6:10 PM Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>
>> Erik Nygren <erik+ietf@nygren.org> wrote:
>>     > One of my colleagues recently pointed out a potential interaction between
>>     > HTTPS RRs (RFC 9460) as it relates to ACME and HTTP-01 DV. If a hostname
>>     > gets an HTTPS RR into DNS prior to getting a cert validated, then there
>>     > would be a problem if the ACME client resolved the HTTPS RR and
>>     > auto-upgraded the http:// URI to https as part of HTTP-01 DV. Since a cert
>>     > won't exist yet this would fail.
>>
>> That seems like a bad thing for an ACME server to do.
>> It's an http-01 challenge, not an https-01 challenge.
>> It shouldn't be updating. ACME servers doing dns-01 challenges already take
>> special care to avoid caching, so they should also pay attention to ignore
>> HTTPS RRs
>>
>>     > How would we want to clarify this? It's probably too big for an errata for
>>     > RFC 8555 but annoying to have to have a draft just to clarify all on its
>>     > own. If there are plans to do an rfc8555bis (or anything else Updating
>>     > rfc8555 for HTTP-01) this could be good to include in there.
>>
>>     > The reading of RFC 8555 section 8.3 is fairly clear that:
>>
>>     > Dereference the URL using an HTTP GET request. This request MUST be sent to
>>     > TCP port 80 on the HTTP server
>>
>> I don't think it's too big for an errata.
>> "When doing http-01 challenges, ignore HTTPS RRs"
>>
>> --
>> Michael Richardson <mcr+IETF@sandelman.ca>   .   o O ( IPv6 IøT consulting )
>>            Sandelman Software Works Inc, Ottawa and Worldwide
>>
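The target-selection difference the thread is about, as an added example that is not part of any message above and not code from any ACME implementation: a constructed zone (names, addresses, the `port` param and the alias target are all made up) lets a generic RFC 9460-aware client, which follows AliasMode, honours `port` and upgrades `http://` to `https://`, be compared with an http-01 validator that sticks to RFC 8555 section 8.3 (the `http://` URL, TCP port 80, HTTPS RRs never consulted).

```python
# Added example: how an http-01 validator should pick its connection target
# (RFC 8555 s8.3) versus what an HTTPS-RR-aware client (RFC 9460) would do.
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class HttpsRR:               # the subset of an RFC 9460 HTTPS record used here
    priority: int            # 0 = AliasMode, >0 = ServiceMode
    target: str              # "." means the owner name itself
    params: dict = field(default_factory=dict)


# Constructed zone data (not real DNS): example.com published an HTTPS RR with
# a non-default port before any certificate exists; alias.example.com is an
# AliasMode record pointing at a third-party host.
ZONE = {
    "example.com": {"A": ["192.0.2.10"],
                    "HTTPS": [HttpsRR(1, ".", {"port": 8443, "alpn": ["h2"]})]},
    "cdn.example.net": {"A": ["198.51.100.7"]},
    "alias.example.com": {"HTTPS": [HttpsRR(0, "cdn.example.net")]},
}


def naive_client_target(url, max_hops=8):
    """Generic RFC 9460 client behaviour: chase AliasMode targets, apply the
    port param and upgrade to https. Wrong for an ACME http-01 validation."""
    host, port = urlsplit(url).hostname, 443
    for _ in range(max_hops):            # bounded so alias loops cannot hang us
        rrs = ZONE.get(host, {}).get("HTTPS", [])
        if not rrs:
            break
        rr = rrs[0]
        if rr.priority == 0:             # AliasMode: follow the target name
            host = rr.target
            continue
        if rr.target != ".":             # ServiceMode with an explicit target
            host = rr.target
        port = rr.params.get("port", 443)
        break
    return ("https", host, port, ZONE.get(host, {}).get("A", []))


def acme_http01_target(url):
    """RFC 8555 s8.3: GET the http:// URL on TCP port 80 at the hostname in the
    URL. HTTPS RRs are neither looked up nor followed, so aliasMode and port
    params cannot redirect the validation."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.port not in (None, 80):
        raise ValueError("http-01 validation URL must be http:// on port 80")
    return ("http", parts.hostname, 80, ZONE.get(parts.hostname, {}).get("A", []))


CHALLENGE_URL = "http://example.com/.well-known/acme-challenge/TOKEN-PLACEHOLDER"
```

Run both functions on `CHALLENGE_URL`: the naive client lands on `https://example.com:8443`, where no certificate exists yet, while the validator connects to `http://example.com:80` as the RFC requires.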