Re: [Acme] On DNSSEC
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 06 December 2015 02:31 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C744C1B2F12 for <acme@ietfa.amsl.com>; Sat, 5 Dec 2015 18:31:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rHq3-8i9eKCA for <acme@ietfa.amsl.com>; Sat, 5 Dec 2015 18:31:48 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEB021B2F0B for <acme@ietf.org>; Sat, 5 Dec 2015 18:31:47 -0800 (PST)
Received: from vpro.lan (cpe-74-71-8-253.nyc.res.rr.com [74.71.8.253]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 91434284809; Sun, 6 Dec 2015 02:31:46 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <20151029180938.GA4257@andover>
Date: Sat, 05 Dec 2015 21:27:28 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <713A6746-413F-4211-ADCB-A68A5607D32D@dukhovni.org>
References: <20151029180938.GA4257@andover>
To: Hugo Landau <hlandau@devever.net>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/pEInROZKhCvGXsf2fm6wN54-uss>
Cc: acme@ietf.org
Subject: Re: [Acme] On DNSSEC
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Dec 2015 02:31:50 -0000
[ Better late than never? ] > On Oct 29, 2015, at 2:09 PM, Hugo Landau <hlandau@devever.net> wrote: > > DNSSEC > ------ > > Using DNSSEC for DNS lookups by ACME CAs removes a significant attack > vector for domains which are DNSSEC-signed. +1. I too would like to suggest that ACME CAs not accept unvalidated proof of possession for DNSSEC domains (I have a list 100k domains that are DNSSEC signed, from an overall sample size of 5-6 million domains, so DNSSEC deployment seems to be around 2% based on that sample). For this to be secure, such domains might need to be restricted to validated DNS-based proof of possession. Email to "admin@" is not nearly as well authenticated. > DANE > ---- > > This leads to eight possibilities, but I think the general principle > that should be adopted is this: An ACME CA should not issue a > certificate if that certificate would not be valid under the TLSA > records currently present for the domain. This seems too strict. Provided the *current* certificate matches the TLSA records, it should be possible to obtain a new certificate, for which the domain owner will then publish new TLSA records. Of course if the TLSA record is "DANE-EE(3) SPKI(1) SHA2-256(1)" and the certificate is being replaced without replacing the key, then the new and old TLSA records will be the same. There are already a few SMTP servers with DANE TLSA records and LE issued certificates that will start to expire in February through March. I am waiting to see how the folks operating these sites will handle the automated rotation of LE certs. My guess is they'll end up with incorrect TLSA records, and will have to swich to "3 1 1" and configure the LE certificate rotation to not automatically update the key. Of course "2 1 1" may be a better option if the issuer public key is sufficiently stable. > Since when a user requests a certificate from an ACME CA, the certificate > has not been issued yet, the use of (*, End Certificate, Whole > Certificate) is infeasible and would prevent any ACME CA from issuing a > certificate. (*, End Certificate, Public Key) can be used. Not necessarily, if what is being checked is the current rather than future certificate, but of course "3 1 1" is operationally much simpler and what is recommended in RFC7671 Section 5.1. > Where TLSA records have been provisioned, this seems like a good case to > disable the use of HTTP, DVSNI or DNS TXT challenges. Essentially, TLSA > should trump everything, assuming it is properly DNSSEC signed — or > perhaps even if it is not? Some sites will use LE certificates only for SMTP and not HTTPS. Which means that "_443._tcp" is not the only relevant TLSA RRset. But this opens up the whole can of worms around the WebPKI and what its certificates mean for services other than HTTPS. For now we'll likely continue to ignore this inconvenient truth. -- Viktor.
- [Acme] On DNSSEC Hugo Landau
- Re: [Acme] On DNSSEC Melinda Shore
- Re: [Acme] On DNSSEC Tony Arcieri
- Re: [Acme] On DNSSEC Stephen Farrell
- Re: [Acme] On DNSSEC Eric Mill
- Re: [Acme] On DNSSEC Viktor Dukhovni