Re: [Acme] DNS challenge spec doesn't support CNAME model

Ted Hardie <ted.ietf@gmail.com> Thu, 17 December 2015 20:58 UTC

In-Reply-To: <20151217081948.153cafa35132a31a44794cb7@andrewayer.name>
References: <CANBOYLWRn_k1LoMx3pgQx=0spM8VQMXen8DuOx44ksBtWjdHUA@mail.gmail.com> <20151217081948.153cafa35132a31a44794cb7@andrewayer.name>
Date: Thu, 17 Dec 2015 12:58:41 -0800
Message-ID: <CA+9kkMArP3f-rAcSBz4+Jxet2PBqUdLQt4z3qrFMhw45+0XGTA@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: Andrew Ayer <agwa@andrewayer.name>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/eV31vMUWa8qyV1tzk3jodP6ci98>
Cc: "acme@ietf.org" <acme@ietf.org>, Eric Mill <eric@konklone.com>

On Thu, Dec 17, 2015 at 8:19 AM, Andrew Ayer <agwa@andrewayer.name> wrote:

> On Thu, 17 Dec 2015 02:23:20 -0500
> Eric Mill <eric@konklone.com> wrote:
>
> > Since DNS specifies that a CNAME can be thought of as an alias[6],
> > this means that a service like Tumblr is capable of setting a TXT
> > record for domains.tumblr.com with the validation token for
> > blog.ericmill.com. A spec-compliant DNS resolver looking for a TXT
> > record for blog.ericmill.com should follow the CNAME alias first, and
> > then correctly identify the TXT record for domains.tumblr.com as
> > applying to blog.ericmill.com.
> >
> > However, the current ACME spec asks for the record to be set for a
> > prefix, not for the requested FQDN. And if I CNAME blog.ericmill.com
> > over to Tumblr, Tumblr does not have the ability to set any records
> > for a prefix, such as _acme-challenge.blog.ericmill.com. This means
> > that services which have users CNAME domains are not able to use DNS
> > validation to obtain certificates.
> >
> > I think that ACME should revisit the DNS specification and avoid
> > using a prefix for the TXT validation, to enable this use case.
>
> I disagree, because of a major restriction that DNS places on CNAMEs:
> CNAMEs cannot coexist with other record types.


Do any of the relevant services support ALIAS or DNAME?

I'm also kind of wondering how many TXT records would build up at
something like domains.tumblr.com if it was the target for many different
blogs.

regards,

Ted



> If ACME didn't use
> prefixes, and you CNAME'd blog.ericmill.com over to Tumblr, you would
> lose the ability to yourself complete a DNS challenge for
> blog.ericmill.com, since no other record type could coexist with that
> CNAME.  This would pose a major problem for users of third-party
> services which do support TLS with user-provided certs but don't
> implement ACME.
>
> Meanwhile, there is a simple solution that does enable your use case:
> Tumblr can ask you to also CNAME _acme-challenge.blog.ericmill.com over
> to them.  It's slightly inconvenient to have to provision two CNAMEs
> instead of one, but this seems preferable to forcing some users
> to choose between CNAMEing to a third-party service and being able to
> use ACME themselves.
>
> > Also: I can't think of any changes offhand that would enable Let's
> > Encrypt to support a use case where users set an A record to point to
> > a third party service, such as for apex domains in the services
> > mentioned above. But this is another important use case, especially
> > for service providers which don't distinguish between apex and
> > non-apex domains in their business offerings.[7] It'd be great to
> > hear ideas for how that might be achieved.
>
> Again, just CNAME _acme-challenge over to the third-party service :-)
>
> Regards,
> Andrew
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
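The thread turns on three DNS behaviours: a resolver querying TXT at a name that is a CNAME restarts the query at the canonical name (RFC 1034 section 3.6.2); a CNAME cannot coexist with any other record at the same owner name, so the owner of a CNAMEd name cannot also publish a TXT there; and, in Ted's scenario, many customers aliased to one provider name leave all their TXT strings piled up at that single target. The following simulation is an added example written for this page, not code from the ACME drafts, Let's Encrypt or any of the participants. It models a zone in memory (no real DNS queries), uses the dns-01 TXT construction from the final RFC 8555 (base64url of SHA-256 over token "." thumbprint, which may differ from the December 2015 draft), and the names `blog{i}.example`, the tokens and the account thumbprint are constructed placeholders.

```python
"""Simulate ACME dns-01 validation against an in-memory zone, following CNAMEs."""
import base64
import hashlib

# zone: owner name -> list of (rtype, rdata). Constructed toy data, not real DNS.


def add_record(zone, name, rtype, rdata):
    """Add an RR, enforcing RFC 1034 3.6.2: a CNAME may not coexist with other
    data at the same owner name, in either direction."""
    existing = zone.setdefault(name, [])
    if rtype == "CNAME" and existing:
        raise ValueError(f"{name}: CNAME cannot coexist with {sorted({rt for rt, _ in existing})}")
    if rtype != "CNAME" and any(rt == "CNAME" for rt, _ in existing):
        raise ValueError(f"{name}: cannot add {rtype}, name is already a CNAME")
    existing.append((rtype, rdata))


def lookup(zone, name, rtype, max_chain=8):
    """Resolve (name, rtype) like a spec-compliant resolver: when the owner is a
    CNAME, restart the query at the canonical name. Returns (rdata list, names visited)."""
    chain = [name]
    for _ in range(max_chain):
        rrs = zone.get(name, [])
        if rtype == "CNAME":
            return [rd for rt, rd in rrs if rt == "CNAME"], chain
        cname = [rd for rt, rd in rrs if rt == "CNAME"]
        if cname:
            name = cname[0]
            chain.append(name)
            continue
        return [rd for rt, rd in rrs if rt == rtype], chain
    raise RuntimeError("CNAME chain too long: " + " -> ".join(chain))


def dns01_txt_value(token, account_thumbprint):
    """dns-01 TXT value per RFC 8555 8.4: base64url(SHA-256(token "." thumbprint)), no padding."""
    digest = hashlib.sha256(f"{token}.{account_thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def validate_dns01(zone, identifier, token, account_thumbprint):
    """CA-side check: query TXT at _acme-challenge.<identifier>, following CNAMEs,
    and accept if any returned string matches. Returns (ok, chain, txt count)."""
    expected = dns01_txt_value(token, account_thumbprint)
    txts, chain = lookup(zone, f"_acme-challenge.{identifier}", "TXT")
    return expected in txts, chain, len(txts)


THUMB = "constructed-account-thumbprint"  # placeholder; real value is base64url(JWK thumbprint)


def scenario_prefix_model():
    """Current (prefix) model with Andrew's second CNAME: the provider publishes the
    TXT at its own name and the CA reaches it by following the alias."""
    zone = {}
    add_record(zone, "blog.ericmill.com", "CNAME", "domains.tumblr.com")
    add_record(zone, "_acme-challenge.blog.ericmill.com", "CNAME",
               "_acme-challenge.domains.tumblr.com")
    token = "tok-blog-1"  # constructed
    add_record(zone, "_acme-challenge.domains.tumblr.com", "TXT", dns01_txt_value(token, THUMB))
    return validate_dns01(zone, "blog.ericmill.com", token, THUMB)


def scenario_no_prefix_model():
    """Eric's proposal (TXT at the identifier itself): once blog.ericmill.com is a
    CNAME the owner cannot add a TXT there, although a TXT published by the
    provider at the target is still found through the alias."""
    zone = {}
    add_record(zone, "blog.ericmill.com", "CNAME", "domains.tumblr.com")
    token = "tok-blog-2"  # constructed
    try:
        add_record(zone, "blog.ericmill.com", "TXT", dns01_txt_value(token, THUMB))
        owner_can_add_txt = True
    except ValueError:
        owner_can_add_txt = False
    add_record(zone, "domains.tumblr.com", "TXT", dns01_txt_value(token, THUMB))
    txts, chain = lookup(zone, "blog.ericmill.com", "TXT")
    return owner_can_add_txt, dns01_txt_value(token, THUMB) in txts, chain


def scenario_shared_target(n_blogs):
    """Ted's question: n customers aliased to one provider name accumulate n TXT
    strings there. Each validation still passes (any matching string is accepted),
    but every answer carries all n strings."""
    zone = {}
    target = "_acme-challenge.domains.tumblr.com"
    tokens = {f"blog{i}.example": f"tok-{i}" for i in range(n_blogs)}  # constructed
    for ident, tok in tokens.items():
        add_record(zone, f"_acme-challenge.{ident}", "CNAME", target)
        add_record(zone, target, "TXT", dns01_txt_value(tok, THUMB))
    results = [validate_dns01(zone, ident, tok, THUMB) for ident, tok in tokens.items()]
    return all(ok for ok, _, _ in results), results[0][2]


if __name__ == "__main__":
    print("prefix model:", scenario_prefix_model())
    print("no-prefix model:", scenario_no_prefix_model())
    print("shared target, 50 blogs:", scenario_shared_target(50))
```

The `add_record` guard is what makes Andrew's objection concrete: in `scenario_no_prefix_model` the owner's own TXT is rejected the moment the name is a CNAME, while `scenario_prefix_model` shows the two-CNAME arrangement validating with the TXT living entirely in the provider's zone. `scenario_shared_target` answers the accumulation question mechanically: nothing breaks as long as the validator accepts any matching TXT string, but the provider must clean up old tokens or the RRset at the shared name grows without bound.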