Re: [Acme] Clarity: DNS validation domain delegated to another zone

Ted Hardie <ted.ietf@gmail.com> Tue, 09 February 2016 21:39 UTC

In-Reply-To: <CA+MmhbOv-QF2efXyaXin15OKuhaV3iwza-tzcUyDAwwm8-yB5Q@mail.gmail.com>
References: <CA+MmhbOv-QF2efXyaXin15OKuhaV3iwza-tzcUyDAwwm8-yB5Q@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Tue, 09 Feb 2016 13:38:56 -0800
Message-ID: <CA+9kkMC2eKu65uuyn+yvu1DOE=BttLtBLhAmngwerSO65y94hQ@mail.gmail.com>
To: Jan Broer <jasiu.79@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/rcv1LVk3yF6i9VeuHm-6LHjwcac>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Clarity: DNS validation domain delegated to another zone
List-Id: Automated Certificate Management Environment <acme.ietf.org>

On Tue, Feb 9, 2016 at 12:29 PM, Jan Broer <jasiu.79@gmail.com> wrote:

> Hello everyone,
>
> we are discussing whether it is technically legal to validate the DNS
> challenge TXT record when the validation domain is delegated away from the
> domain to a different zone.
>
So, I find the phrase "delegated away" a bit inexact here. Are you
concerned primarily with the case where there is an organizational boundary
which is non-obvious (a la dbound)? With the case where there is simply a
set of nameservers but no organizational boundary? Both?



> Scenario: a certificate request for domain = "foo.bar.com", which would
> have fqdn = "_acme-challenge.foo.bar.com".
>
> Assuming bar.com IN NS ns1.bar.com
>
> which has a record
>
> _acme-challenge.foo.bar.com IN NS ns.confusion.party
>
> and ns.confusion.party has the record
>
> _acme-challenge.foo.bar.com IN TXT "keyauth"
>


> The spec stipulates that:
>
> "the client must demonstrate to the server both (1) that it holds the
> private key of the account key pair, and (2) that it has authority over the
> identifier being claimed."
>
> One could argue that requirement (2) is not satisfied when the validation
> domain is delegated away from the domain: Creating a record under the
> validation domain is not indicative of control/authority of the (parent)
> certificate domain.
>
> On the other hand, the spec does not specifically exclude this scenario.
>
>
Just to be clear, in this scenario the client is capable of provisioning
the nameserver at confusion.party?


> Thoughts?
>
>
>
regards,

Ted
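To make the scenario in Jan's question concrete, here is a small stub resolver over constructed zone data; it is an added example, not code from the thread or from any ACME implementation. It models ns1.bar.com serving bar.com with the NS delegation of _acme-challenge.foo.bar.com to ns.confusion.party, where the TXT "keyauth" lives, and adds a constructed control case (www.bar.com, whose challenge TXT is served from the same zone as the identifier). The `APEX_SERVERS` map and the `challenge_served_elsewhere` check are my own constructions; the check is the kind of signal a validating server could record: whether the server that answered the challenge TXT is the same one that is authoritative for the identifier being claimed.

```python
"""Toy stub resolver for the delegated _acme-challenge scenario.
All zone data here is constructed for the example; nothing touches the network."""

# Constructed sample zones: server name -> {owner name: [(rrtype, rdata), ...]}
ZONES = {
    "ns1.bar.com": {  # authoritative for bar.com
        "bar.com": [("NS", "ns1.bar.com")],
        "foo.bar.com": [("A", "192.0.2.10")],
        # The challenge name is delegated to a nameserver outside bar.com
        "_acme-challenge.foo.bar.com": [("NS", "ns.confusion.party")],
        # Control case: challenge name served from the same zone as the identifier
        "www.bar.com": [("A", "192.0.2.20")],
        "_acme-challenge.www.bar.com": [("TXT", "keyauth-www")],
    },
    "ns.confusion.party": {  # only knows the delegated challenge name
        "_acme-challenge.foo.bar.com": [("TXT", "keyauth")],
    },
}

# Constructed stand-in for the root/TLD referral step: zone apex -> its server
APEX_SERVERS = {"bar.com": "ns1.bar.com"}


def _suffixes(name):
    """Yield 'name' and each of its ancestors, shortest (closest to root) first."""
    labels = name.split(".")
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:])


def _apex(name):
    """Longest known zone apex that 'name' falls under."""
    best = None
    for cand in _suffixes(name):
        if cand in APEX_SERVERS:
            best = cand
    if best is None:
        raise LookupError(f"no known apex for {name}")
    return best


def resolve(name, rtype, max_hops=8):
    """Return (rdata list, servers consulted), following NS referrals below the apex."""
    apex = _apex(name)
    server = APEX_SERVERS[apex]
    chain = [server]
    for _ in range(max_hops):
        zone = ZONES[server]
        referral = None
        # Look for a zone cut strictly below the apex this server is authoritative for.
        for cand in _suffixes(name):
            if not cand.endswith("." + apex):
                continue
            ns = [rd for (t, rd) in zone.get(cand, []) if t == "NS"]
            if ns:
                referral = (cand, ns[0])
                break
        if referral is None:
            # No cut between apex and name: this server answers authoritatively.
            return [rd for (t, rd) in zone.get(name, []) if t == rtype], chain
        apex, server = referral  # follow the delegation; the child is now the apex
        chain.append(server)
    raise RuntimeError("too many referrals")


def challenge_served_elsewhere(identifier):
    """True when the TXT for _acme-challenge.<identifier> is answered by a server
    other than the one authoritative for the identifier itself (the thread's case)."""
    _, id_chain = resolve(identifier, "A")
    txt, chal_chain = resolve("_acme-challenge." + identifier, "TXT")
    return bool(txt) and chal_chain[-1] != id_chain[-1]


if __name__ == "__main__":
    for ident in ("foo.bar.com", "www.bar.com"):
        txt, chain = resolve("_acme-challenge." + ident, "TXT")
        print(ident, txt, "via", " -> ".join(chain),
              "| delegated away:", challenge_served_elsewhere(ident))
```

For foo.bar.com the TXT resolves through ns1.bar.com to ns.confusion.party and the check flags it; for the control name the TXT comes from the same server as the identifier and the check stays quiet. A real validator would do the same comparison against live NS answers rather than this constructed table.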
