Re: [Acme] dns challenges and dynamic dns services (security considerations for domain holders)

Frederik Braun <fbraun@mozilla.com> Fri, 29 January 2016 15:26 UTC

To: acme@ietf.org
References: <56AB6D8D.9010803@mozilla.com> <56AB8118.9020500@moparisthebest.com>
From: Frederik Braun <fbraun@mozilla.com>
Message-ID: <56AB8495.9000309@mozilla.com>
Date: Fri, 29 Jan 2016 16:26:13 +0100
In-Reply-To: <56AB8118.9020500@moparisthebest.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/bShHMj36X57y47Rj7LkY_qWcnzY>
Subject: Re: [Acme] dns challenges and dynamic dns services (security considerations for domain holders)

On 29.01.2016 16:11, moparisthebest wrote:
> Hello Frederik,
> 
> On 01/29/2016 08:47 AM, Frederik Braun wrote:
>> I'm concerned that an attacker might request
>> _acme-challenge.dyndns.example and get a valid certificate for
>> dyndns.example.
> 
> Does there exist a dynamic DNS service that allows setting TXT records?
> I've never seen one. This can also be easily mitigated by them
> just disallowing the _acme-challenge subdomain similar to the way they
> probably all disallow www.

https://freedns.afraid.org/ allows TXT records. They now forbid
_acme-challenge subdomains after I reached out.

I'm concerned that everyone having to update their blacklists[1] will
lead to more trouble.

[1] Of course, security based on black lists is not a great idea. But
that's the reality.
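As an added illustration (not part of the thread, and not the code of any provider mentioned in it), this is the kind of registration check a dynamic DNS provider could apply so that a customer cannot claim the name ACME dns-01 validation uses for the provider's own apex; it refuses `_acme-challenge` and `www` directly beneath each provider apex and, more generally, any underscore-prefixed label in that position, since RFC 8552 reserves underscored node names for protocol use. The apex names and hostnames are constructed for the example.

```python
from typing import Iterable, Optional

# Constructed example zones operated by a hypothetical dynamic DNS provider.
PROVIDER_APEXES = {"dyndns.example", "us.dyndns.example"}

# Labels that must never be registered directly under a provider apex.
RESERVED_FIRST_LABELS = {"www", "_acme-challenge"}


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()


def registration_problem(hostname: str,
                         apexes: Iterable[str] = PROVIDER_APEXES) -> Optional[str]:
    """Return a rejection reason, or None if the hostname may be registered.

    ACME dns-01 validates <apex> by reading TXT at _acme-challenge.<apex>,
    so the label directly beneath each provider-controlled apex is the one
    that must stay out of customers' hands. Deeper names such as
    _acme-challenge.alice.dyndns.example belong to whoever owns
    alice.dyndns.example and are allowed here.
    """
    host = normalize(hostname)
    labels = host.split(".")
    # Check the most specific apex first so us.dyndns.example wins over
    # dyndns.example for names underneath it.
    for apex in sorted(apexes, key=len, reverse=True):
        apex_labels = normalize(apex).split(".")
        if labels == apex_labels:
            return "hostname equals the provider apex"
        if labels[-len(apex_labels):] != apex_labels:
            continue
        first = labels[-len(apex_labels) - 1]
        if first in RESERVED_FIRST_LABELS:
            return f"label {first!r} directly under {apex} is reserved"
        if first.startswith("_"):
            return f"label {first!r} directly under {apex} is protocol-scoped (RFC 8552)"
        return None
    return "hostname is not under a provider-controlled apex"


if __name__ == "__main__":
    for name in ("alice.dyndns.example", "_acme-challenge.dyndns.example",
                 "_acme-challenge.alice.dyndns.example", "WWW.us.dyndns.example."):
        print(f"{name}: {registration_problem(name) or 'allowed'}")
```

The underscore rule covers future protocol labels without a per-name list update, which is the maintenance burden the message above worries about.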