Re: [Acme] DNS challenge spec doesn't support CNAME model
Andrew Ayer <agwa@andrewayer.name> Thu, 17 December 2015 16:19 UTC
Return-Path: <agwa@andrewayer.name>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82F891B2F18 for <acme@ietfa.amsl.com>; Thu, 17 Dec 2015 08:19:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TWG7T-yc5dW2 for <acme@ietfa.amsl.com>; Thu, 17 Dec 2015 08:19:49 -0800 (PST)
Received: from alcazar.beanwood.com (alcazar.beanwood.com [70.85.129.230]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48E751B2EE7 for <acme@ietf.org>; Thu, 17 Dec 2015 08:19:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=andrewayer.name; s=alcazar2; t=1450369188; bh=bEcljGToUcgLzi7442EUlkN3xAbptfoYVF8o0czbf98=; h=Date:From:To:Cc:Subject:In-Reply-To:References; b=rNM1SErE+QBZegrjUQcNL5mhwrlekT9PYwY1br95AbCFgD0OLN2f9cjcsixqmcdhS rHO4cwjMcAXOtDZrAWPy0SUkyqOfBduEoN0uWArfBVhp6EW4ImR37bC2v5Y58koDB0 76nwQ4kHb2idQpIrifLy7thiz6C0CSFNggVkXxu4W40PmEAJSAEx+qO4T3bRwcVAIb tSx8MqIrAXy+B/Ue/V2npJXGcFz9JFNnEVYH8bYyqnQqeZ5BtzyC6XuT7HeuF3oCgl /E8AgbCzpxXHD6sFrr5ryB9Ol22LHdIfvDmQZBvUaYyzgGXph/DUtZkFwklOJIysTk +qV0V0eSwSTFw==
Date: Thu, 17 Dec 2015 08:19:48 -0800
From: Andrew Ayer <agwa@andrewayer.name>
To: Eric Mill <eric@konklone.com>
Message-Id: <20151217081948.153cafa35132a31a44794cb7@andrewayer.name>
In-Reply-To: <CANBOYLWRn_k1LoMx3pgQx=0spM8VQMXen8DuOx44ksBtWjdHUA@mail.gmail.com>
References: <CANBOYLWRn_k1LoMx3pgQx=0spM8VQMXen8DuOx44ksBtWjdHUA@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/b43_VUIsnei_2N4ocu3KBvxKelo>
Cc: acme@ietf.org
Subject: Re: [Acme] DNS challenge spec doesn't support CNAME model
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2015 16:19:50 -0000
On Thu, 17 Dec 2015 02:23:20 -0500 Eric Mill <eric@konklone.com> wrote: > Since DNS specifies that a CNAME can be thought of as an alias[6], > this means that a service like Tumblr is capable of setting a TXT > record for domains.tumblr.com with the validation token for > blog.ericmill.com. A spec-compliant DNS resolver looking for a TXT > record for blog.ericmill.com should follow the CNAME alias first, and > then correctly identify the TXT record for domains.tumblr.com as > applying to blog.ericmill.com. > > However, the current ACME spec asks for the record to be set for a > prefix, not for the requested FQDN. And if I CNAME blog.ericmill.com > over to Tumblr, Tumblr does not have the ability to set any records > for a prefix, such as _acme-challenge.blog.ericmill.com. This means > that services which have users CNAME domains are not able to use DNS > validation to obtain certificates. > > I think that ACME should revisit the DNS specification and avoid > using a prefix for the TXT validation, to enable this use case. I disagree, because of a major restriction that DNS places on CNAMEs: CNAMEs cannot coexist with other record types. If ACME didn't use prefixes, and you CNAME'd blog.ericmill.com over to Tumblr, you would lose the ability to yourself complete a DNS challenge for blog.ericmill.com, since no other record type could coexist with that CNAME. This would pose a major problem for users of third-party services which do support TLS with user-provided certs but don't implement ACME. Meanwhile, there is a simple solution that does enable your use case: Tumblr can ask you to also CNAME _acme-challenge.blog.ericmill.com over to them. It's slightly inconvenient to have to provision two CNAMEs instead of one, but this seems preferable to forcing some users to choose between CNAMEing to a third-party service and being able to use ACME themselves. > Also: I can't think of any changes offhand that would enable Let's > Encrypt to support a use case where users set an A record to point to > a third party service, such as for apex domains in the services > mentioned above. But this is another important use case, especially > for service providers which don't distinguish between apex and > non-apex domains in their business offerings.[7] It'd be great to > hear ideas for how that might be achieved. Again, just CNAME _acme-challenge over to the third-party service :-) Regards, Andrew
- [Acme] DNS challenge spec doesn't support CNAME m… Eric Mill
- Re: [Acme] DNS challenge spec doesn't support CNA… Thomas Lußnig
- Re: [Acme] DNS challenge spec doesn't support CNA… Andrew Ayer
- Re: [Acme] DNS challenge spec doesn't support CNA… Ted Hardie
- Re: [Acme] DNS challenge spec doesn't support CNA… Phillip Hallam-Baker
- Re: [Acme] DNS challenge spec doesn't support CNA… Eric Mill
- Re: [Acme] DNS challenge spec doesn't support CNA… Martin Thomson
- Re: [Acme] DNS challenge spec doesn't support CNA… Andrew Ayer
- Re: [Acme] DNS challenge spec doesn't support CNA… Jacob Hoffman-Andrews
- Re: [Acme] DNS challenge spec doesn't support CNA… Ted Hardie
- Re: [Acme] DNS challenge spec doesn't support CNA… Eric Mill