[Acme] dns challenges and dynamic dns services (security considerations for domain holders)

Frederik Braun <fbraun@mozilla.com> Fri, 29 January 2016 13:48 UTC

To: acme@ietf.org
From: Frederik Braun <fbraun@mozilla.com>
Message-ID: <56AB6D8D.9010803@mozilla.com>
Date: Fri, 29 Jan 2016 14:47:57 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/b_e1R7wxSe-aos_kAN9lRxftKuo>
Subject: [Acme] dns challenges and dynamic dns services (security considerations for domain holders)

Hi,

I filed a pull request proposing some text around the following issue [1]:

It appears to me that it is not unlikely to get a subdomain from someone
else's domain. Nobody would assume that the subdomain could be used to
compromise or endanger the actual domain. This is how dynamic DNS
services operate: everyone can get foo.dyndns.example.

I'm concerned that an attacker might request
_acme-challenge.dyndns.example and get a valid certificate for
dyndns.example.

Comparing the DNS challenge scheme with other meaningful TXT records
(e.g., SPF), I would suggest that the DNS challenge TXT record should
maybe live in the domain's own TXT record?

e.g., dyndns.example IN TXT "_acme-challenge=value"

As far as I understand, this attack is not as bad because a security-
conscious domain holder has their domain registered as a public suffix.


Cheers,
Frederik




[1] https://github.com/ietf-wg-acme/acme/pull/76
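The following is an added illustration, not code from the message above or from the ACME draft: it models, over a constructed zone for a hypothetical dynamic DNS apex, where a dns-01 validator looks for the TXT record under the draft's `_acme-challenge.<domain>` scheme versus the apex-record scheme proposed in the message, plus the reserved-label check a dynamic DNS provider could apply when handing out subdomains. All names, tokens and helper functions are assumptions for the example.

```python
import re

# Label the draft prefixes to the domain under validation.
ACME_LABEL = "_acme-challenge"

# Constructed zone for a hypothetical dynamic DNS provider: subscribers can
# normally create any name beneath the apex. The _acme-challenge name below
# represents a record a subscriber created, not one the apex holder published.
ZONE = {
    "dyndns.example": {
        "TXT": ["v=spf1 -all", "_acme-challenge=apextoken123"],
    },
    "foo.dyndns.example": {"A": ["192.0.2.10"]},
    "_acme-challenge.dyndns.example": {"TXT": ["usertoken456"]},
}


def current_scheme_lookup(zone, domain):
    """Draft dns-01: TXT records at _acme-challenge.<domain>."""
    return zone.get(f"{ACME_LABEL}.{domain}", {}).get("TXT", [])


def apex_scheme_lookup(zone, domain):
    """Alternative from the message: an SPF-style key=value TXT on <domain>
    itself, which only the holder of <domain> can publish."""
    prefix = ACME_LABEL + "="
    txts = zone.get(domain, {}).get("TXT", [])
    return [t[len(prefix):] for t in txts if t.startswith(prefix)]


def dns01_satisfied(zone, domain, expected, scheme):
    """True when the token the CA expects appears where <scheme> looks."""
    lookup = current_scheme_lookup if scheme == "current" else apex_scheme_lookup
    return expected in lookup(zone, domain)


# Underscore-prefixed labels are conventionally reserved for protocol use
# (SPF/DKIM/DMARC style attribute leaves), so a provider can refuse them.
RESERVED_LABEL_RE = re.compile(r"^_")


def provider_may_delegate(label):
    """Defender-side check for a dynamic DNS service: refuse to hand out a
    label that would let a subscriber answer for the apex's protocol records."""
    label = label.lower().strip(".")
    return bool(label) and not RESERVED_LABEL_RE.match(label)
```

Run against the constructed zone, the subscriber-created record satisfies the current scheme for the apex while only the apex holder's own TXT satisfies the alternative scheme.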