Re: [Acme] dns-01 challenge limitations

Jesper Kristensen <jespermlst@gmail.com> Sun, 13 September 2020 12:32 UTC

References: <uu-OR5wP1b7svN1Rxems1U8_axHG7M8M9_kYqTBVyhQFxqrddppvhasyxKtLQ-4AZkrbBWhJ_9V-Xs8mQBK5E4smP4_1vANgZazIwicsbq0=@emersion.fr> <28079.1599844001@localhost> <lp_PV1Faiz60HayUqYhD_DtpPHgiEVhFMSeBPicOw9XsiDkG_6S6CmbqqD1CNqy5nN44FlX7BPZ0N4cQRksC2ZG7UmKhzE-HCnPJelNvhaE=@emersion.fr> <CACHSkNpDu7HBEoPLnuRQtdMeLmBYmpLb+nAFawiLH1TpMgG6aQ@mail.gmail.com>
In-Reply-To: <CACHSkNpDu7HBEoPLnuRQtdMeLmBYmpLb+nAFawiLH1TpMgG6aQ@mail.gmail.com>
From: Jesper Kristensen <jespermlst@gmail.com>
Date: Sun, 13 Sep 2020 14:32:32 +0200
Message-ID: <CACAF_Wh2baY4km=bxq7y1wDFtTjMc2hAtjUET6X5mgZQP4kPvg@mail.gmail.com>
To: "acme\\@ietf.org" <acme@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/dGj9UqMTSv7G6BLMFvJM_vlf1S0>
Subject: Re: [Acme] dns-01 challenge limitations

On Sun, 13 Sep 2020 at 14:10, Philipp Junghannß <teamhydro55555@gmail.com> wrote:

> Simon Ser said:
>
> > > > Are there specific reasons why dns-01 requires updating a DNS
> > > > record?
> > >
> > > Yes, because it proves you control the zone.
> >
> > Right, but there could be other ways to prove this as well.
>
> Care to share? What other methods are there to prove that you have access
> to the DNS zone RIGHT NOW.
>

dns-01 does not prove that today, because it allows delegation via CNAME.

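The delegation point made in this reply can be shown in code. The following is an added example written for this archive page; it is not code from the thread or from any of its participants. It computes the dns-01 TXT value as RFC 8555 section 8.4 defines it, resolves the `_acme-challenge` name the way a CA's validator does (following CNAMEs), and includes a small audit helper that lists which challenge names in a zone are delegated to some other zone. The token, thumbprint and the two-zone DNS data are constructed for the demo; the validation succeeds for `example.com` even though the TXT record lives only under `acme-dns.example.net`, which is exactly why a passing dns-01 check does not by itself show control of the zone being validated.

```python
import base64
import hashlib

# Constructed challenge material (not real ACME data): a token as a CA would
# issue it and an account-key JWK thumbprint, both already base64url text.
THUMBPRINT = "constructed-account-key-thumbprint"
TOKEN = "constructed-challenge-token"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT rdata = base64url(SHA-256(token '.' thumbprint)), unpadded."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed DNS data: owner name -> list of (type, rdata).
# example.com delegates its challenge name by CNAME into a separate zone,
# acme-dns.example.net, where the TXT record is actually published.
# direct.example.com publishes the TXT record in its own zone for contrast.
ZONE = {
    "_acme-challenge.example.com.": [("CNAME", "abc123.acme-dns.example.net.")],
    "abc123.acme-dns.example.net.": [("TXT", dns01_txt_value(TOKEN, THUMBPRINT))],
    "_acme-challenge.direct.example.com.": [("TXT", dns01_txt_value(TOKEN, THUMBPRINT))],
}


def lookup_txt(name, zone=ZONE, max_hops=8):
    """Return (txt_values, names_visited), following CNAMEs as a resolver does."""
    visited = []
    for _ in range(max_hops):
        visited.append(name)
        rrs = zone.get(name, [])
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if cnames:
            name = cnames[0]  # a CNAME owner carries no other data; keep following
            continue
        return [rdata for rtype, rdata in rrs if rtype == "TXT"], visited
    raise RuntimeError("CNAME chain too long: " + " -> ".join(visited))


def validate_dns01(domain, token, thumbprint, zone=ZONE):
    """CA side: accept if any TXT at the (possibly delegated) challenge name matches."""
    expected = dns01_txt_value(token, thumbprint)
    txts, visited = lookup_txt(f"_acme-challenge.{domain}.", zone)
    return expected in txts, visited


def delegated_challenge_names(zone, apex):
    """Audit helper: map each _acme-challenge name under apex to a CNAME target
    that points outside apex, i.e. a zone whose operator can pass dns-01 for it."""
    def in_apex(owner):
        return owner.endswith("." + apex)

    delegated = {}
    for name, rrs in zone.items():
        if not (name.startswith("_acme-challenge.") and in_apex(name)):
            continue
        for rtype, rdata in rrs:
            if rtype == "CNAME" and not in_apex(rdata):
                delegated[name] = rdata
    return delegated


if __name__ == "__main__":
    ok, chain = validate_dns01("example.com", TOKEN, THUMBPRINT)
    print("dns-01 for example.com:", ok, "via", " -> ".join(chain))
    print("challenge names delegated outside example.com:",
          delegated_challenge_names(ZONE, "example.com."))
```

Running the audit helper against a real zone export is the practical takeaway: every `_acme-challenge` CNAME that leaves the apex names a third party who can satisfy dns-01 for that domain, so the list should match the delegation you actually intended.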