Re: [Acme] dns-01 challenge limitations
Simon Ser <contact@emersion.fr> Sun, 13 September 2020 09:13 UTC
Return-Path: <contact@emersion.fr>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A01F83A0B76 for <acme@ietfa.amsl.com>; Sun, 13 Sep 2020 02:13:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=emersion.fr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FS_A5yP_hXto for <acme@ietfa.amsl.com>; Sun, 13 Sep 2020 02:13:22 -0700 (PDT)
Received: from mail1.protonmail.ch (mail1.protonmail.ch [185.70.40.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 844203A0B75 for <acme@ietf.org>; Sun, 13 Sep 2020 02:13:22 -0700 (PDT)
Date: Sun, 13 Sep 2020 09:13:14 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=emersion.fr; s=protonmail2; t=1599988400; bh=bmhPYNXvZN5JxeAAJUYz3LCZjx80Y3QWmPMzfTXLImY=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From; b=U2uOQMksaUiBSf43xMvNgSqRXipVHYFN9b4r5SBlt2NpcY4BBdGNgKmoUqQBL0UVJ gDckc5Jb5tIUprl+ApiNmLakoKM/o1lt4eb33iVU8PMi4PIX7LrCgZcxDC5YluTF2g nd1rXrdgtQy3x2Ljg3fxd+qZnpJUstrsdbv6V3EaeKGp6Q5r0v6OOXrUtf11xyuheu p526bBitda/bAnt41I7wWI2NKZWBAV6avlO3oLMQOBm0Z1vB4kaORv/3q7iW4WmL+J ren/vnY/KbjChDPm3Z1btjdOYZ9yMZdZ9G8HaDvE/MYYOcyQ+nTJaPWFffXZfg79jN /IuP73OQPHCBw==
To: Ryan Sleevi <ryan-ietf@sleevi.com>
From: Simon Ser <contact@emersion.fr>
Cc: Philipp Junghannß <teamhydro55555@gmail.com>, "Matthew.Holt@gmail.com" <Matthew.Holt@gmail.com>, "acme@ietf.org" <acme@ietf.org>
Reply-To: Simon Ser <contact@emersion.fr>
Message-ID: <mWZh6EINiNadii7akjphaUVgUqHjKRG_rbv6M91CxWsaCuPq7wIGJi8TfgsJWu6tFrSpnFViVNvL4XNzBEPKcc4iB10qy9Bt5lauORap1pg=@emersion.fr>
In-Reply-To: <CAErg=HFTsQmzacEP2K542nFWrJhcGVWE+Q2GndMnAvpSMDBCeg@mail.gmail.com>
References: <uu-OR5wP1b7svN1Rxems1U8_axHG7M8M9_kYqTBVyhQFxqrddppvhasyxKtLQ-4AZkrbBWhJ_9V-Xs8mQBK5E4smP4_1vANgZazIwicsbq0=@emersion.fr> <CACHSkNq9D5tYpaYm+_336+7WkJxuRw6_zPgEUtfMqaqbDr+zww@mail.gmail.com> <RIUPM_G4wCA2zxzlMxWZp78us6ljwnWaD3n4L4kRuxYeZkEudsnLnD4b6TllCoUoTlJy0FzcJIKQ5HHuNkYPWbrkmy6yGyDQPuYubQqsrQ8=@emersion.fr> <CACHSkNrc6Gnqwfq2OzgEqvCCrhKb3SLO9YJOcDRTPV3s27OZJQ@mail.gmail.com> <CAErg=HFTsQmzacEP2K542nFWrJhcGVWE+Q2GndMnAvpSMDBCeg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/vGWVpdXno5cmhHOLfoOQ2DHOpeE>
Subject: Re: [Acme] dns-01 challenge limitations
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Sep 2020 09:13:25 -0000
> On Friday, September 11, 2020 4:26 PM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote: > > > On Fri, Sep 11, 2020 at 9:28 AM Philipp Junghannß <teamhydro55555@gmail.com> wrote: > > > > > problem is obviously also the CA/Browser Forum has certain requirements, > > > and I guess having access to some kind of direct verification at the time > > > of issue might be probably one of these. > > > > This is the correct answer. > > > > While the IETF can certainly explore developing voluntary standards for > > other methods, the ability for CAs to adopt these methods is limited by CAs > > customers: the browsers and operating systems that include and use CAs to > > validate domain names on their behalf. > > > > The explicit goal by several browser/OS vendors is to obtain a fresh proof > > of control over a domain, and reduce/eliminate any caching or reuse. > > Delegation (by keys or persistent records) is definitely an area of > > expressed concern. My take is that in theory it's an understandable goal, but that in practice, this detoriorates security. In practice, ACME clients: 1. Have a static, long-term token stored in their configuration file 2. The token is powerful and can update any DNS record in the zone How come browser/OS vendors are fine with this, but not with a different approach involving an ACME-specific key? Sure, since this happens behind the ACME/DNS protocols and is an implementation detail, this isn't ACME's responsibility anymore. However, because browsers/OS vendors have this requirement of not allowing delegated proofs, we end up with a worse situation than necessary. Ultimately, ACME clients need a way to update DNS records to solve the dns-01 challenge. Ignoring and pushing the problem down to the DNS operators does not fix the root cause. If an ACME client needs to prove that they have authority over a DNS zone, they will need some kind of authorization/key/token or similar, be it vendor-specific or not. Why not acknowlege this fact and come up with a reasonable standard? > > I think the suggest of more uniform APIs for managing DNS is very much in > > line with those goals, and would help far more than ACME. Yes, no matter what ACME requires, a standardized API to update DNS records would be nice. Michael Richardson suggested that such an API (or a subset of) already exists (via secure DDNS), but isn't supported by most DNS operators (even if supported by some DNS daemons). Establishing a new standard involves talking to existing DNS operators, and ask them to implement the new standard. For them, the new standard wouldn't have a high enough return on investment: ACME clients already volunteer to implement each and every proprietary API. Even if a good standard ticking the checkboxes of RFC 5218 existed, I don't think it would be successful (no "Positive Net Value" for DNS operators).
- [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Philipp Junghannß
- Re: [Acme] dns-01 challenge limitations Felipe Gasper
- Re: [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Philipp Junghannß
- Re: [Acme] dns-01 challenge limitations Patrik Wallström
- Re: [Acme] dns-01 challenge limitations Ryan Sleevi
- Re: [Acme] dns-01 challenge limitations Ilari Liusvaara
- Re: [Acme] dns-01 challenge limitations Michael Richardson
- Re: [Acme] dns-01 challenge limitations Michael Richardson
- Re: [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Philipp Junghannß
- Re: [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Kas
- Re: [Acme] dns-01 challenge limitations Philipp Junghannß
- Re: [Acme] dns-01 challenge limitations Jesper Kristensen
- Re: [Acme] dns-01 challenge limitations Michael Richardson
- Re: [Acme] dns-01 challenge limitations Ryan Sleevi
- Re: [Acme] dns-01 challenge limitations Ryan Sleevi
- Re: [Acme] dns-01 challenge limitations Jacob Hoffman-Andrews