Re: [Acme] dns-01 challenge limitations

Philipp Junghannß <> Fri, 11 September 2020 13:14 UTC

From: Philipp Junghannß <>
Date: Fri, 11 Sep 2020 15:13:55 +0200
To: Simon Ser <>

I have asked that question in the LE forum. IIRC the problem is that someone
could place that record once and, as long as someone doesn't look at it all
the time, one can easily miss the fact that someone can create wildcards and
stuff for that domain, so the point is to prove that DNS access is given at
the time of issuance.
You could maybe use a different DNS server which has a better API, and
potentially even can be used by ACME.


On Fri, 11 Sept 2020 at 15:09, Simon Ser <> wrote:

> Hi all,
>
> I've been working on an ACME client acting as a TLS termination proxy. In order
> to retrieve wildcard certificates from the Let's Encrypt ACME servers, support
> for the dns-01 challenge is required.
>
> dns-01 requires the ACME client to complete the challenge by updating a DNS
> record. This is bothersome because this often requires interacting with the
> DNS registry operator. This is typically done via vendor-specific APIs, with
> access control handled via vendor-specific means (tokens, public keys, etc).
>
> I understand that it's difficult for ACME clients to prove that they are
> authorized to obtain wildcard certificates. However, have other alternatives
> been considered?
>
> For instance, it would be possible to require users to add a short public key
> in a DNS TXT record, then ask the ACME client to sign challenges with that key.
> Something like this would significantly ease the development of ACME clients.
>
> Are there specific reasons why dns-01 requires updating a DNS record?
>
> Thanks,
> Simon Ser
> (CC mholt, I figured you might be interested in this for Caddy too)
> _______________________________________________
> Acme mailing list
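Added example, not part of the thread and not code from Simon's proxy, Caddy or Let's Encrypt: the dns-01 record derivation as specified in RFC 8555 §8.4 (key authorization = token "." JWK thumbprint; TXT value = base64url(SHA-256(key authorization))), written out in Python to show why the record has to be refreshed per issuance, which is the "DNS access at the time of issuance" property Philipp describes. The account key is the sample P-256 key from RFC 7515 Appendix A.3, the tokens are constructed placeholders, and the in-memory dict stands in for whatever provider API the client would actually call.

```python
"""dns-01 record derivation and server-side validation (RFC 8555 section 8.4).

Added example; the JWK, tokens and zone contents below are constructed sample data.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    # ACME uses unpadded base64url throughout (RFC 8555 section 5).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required public members only, keys in
    # lexicographic order, JSON with no whitespace.
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    # Binds the server-chosen token to the ACME account key (RFC 8555 section 8.1),
    # so a record published for one account does not validate for another.
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    # The value the client must publish at _acme-challenge.<domain>.
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def ca_validates(published_txt: list, token: str, account_jwk: dict) -> bool:
    # Server side: recompute the expected value and accept only if one record
    # in the TXT RRset matches it exactly.
    expected = dns01_txt_value(token, account_jwk)
    return any(hmac.compare_digest(rec, expected) for rec in published_txt)


# Constructed sample account key: the example P-256 public key from RFC 7515
# Appendix A.3 (public coordinates only), not a real ACME account.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
# A second, unrelated account key (constructed by swapping the coordinates;
# only the string contents matter for the thumbprint).
OTHER_JWK = dict(ACCOUNT_JWK, x=ACCOUNT_JWK["y"], y=ACCOUNT_JWK["x"])
# Tokens are chosen by the server for each challenge; these are placeholders.
TOKEN_FIRST_ORDER = "constructed-token-for-the-first-order"
TOKEN_SECOND_ORDER = "constructed-token-for-a-later-order"
CHALLENGE_NAME = "_acme-challenge.example.com"


def run_demo() -> dict:
    # Stand-in for the DNS provider: name -> list of TXT record values.
    zone = {CHALLENGE_NAME: [dns01_txt_value(TOKEN_FIRST_ORDER, ACCOUNT_JWK)]}
    first_ok = ca_validates(zone[CHALLENGE_NAME], TOKEN_FIRST_ORDER, ACCOUNT_JWK)

    # A later order gets a fresh token, so the record left behind from the
    # first order does not satisfy it: DNS has to be updated again, which is
    # what turns the record into proof of control at issuance time rather
    # than a one-off setup step.
    stale_ok = ca_validates(zone[CHALLENGE_NAME], TOKEN_SECOND_ORDER, ACCOUNT_JWK)

    # A different ACME account cannot reuse the record either, even with the
    # same token, because the thumbprint is part of the key authorization.
    other_ok = ca_validates(zone[CHALLENGE_NAME], TOKEN_FIRST_ORDER, OTHER_JWK)

    zone[CHALLENGE_NAME].append(dns01_txt_value(TOKEN_SECOND_ORDER, ACCOUNT_JWK))
    second_ok = ca_validates(zone[CHALLENGE_NAME], TOKEN_SECOND_ORDER, ACCOUNT_JWK)

    return {
        "first_order": first_ok,
        "stale_record_reused": stale_ok,
        "other_account": other_ok,
        "second_order": second_ok,
        "txt_value": zone[CHALLENGE_NAME][0],
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The RRset is allowed to hold several values at once, which is why `ca_validates` scans the whole list; a client that appends rather than replaces still passes, but old values should be cleaned up afterwards so the zone does not accumulate stale records.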