IETF Logo Mail Archive

Re: [Acme] DNS-ACCOUNT-01 Updates

Corey Bonnell <Corey.Bonnell@digicert.com> Fri, 12 May 2023 13:35 UTC

Return-Path: <Corey.Bonnell@digicert.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D20EC14CE4D for <acme@ietfa.amsl.com>; Fri, 12 May 2023 06:35:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=digicert.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B_IlStFmIiTL for <acme@ietfa.amsl.com>; Fri, 12 May 2023 06:35:12 -0700 (PDT)
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (mail-dm6nam10on2071c.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e88::71c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23F97C151709 for <acme@ietf.org>; Fri, 12 May 2023 06:35:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Udghn+Cv9Ty6EluH2gfzvB0iLiWZPWAdUG3EBCma5viyyCU8CKUOiHyJ2fpDlm2r7IY68hBOhpiumz1uj39LHjCl+lAoZG/IRXk8fEsyoJ8ZfAXn3kTiOlh2Su6x5u6N91EF4G7lxH9DatBRSTYjkrlfET5h/9u4G1kXNNV1bdmPtaPiol3U/Aro8qS8cxjMIhX/h3pmhxysemcKk4VlOpoRWaY8ehfwCnK24BQ31K/pb9m0Dd1Z9hdUbtcD1ZZ129HXJRZz0iLhjuaQjyJo/3UBdp49huqjW1D1J8sBsUzIsdZqCF864IsfMYvwDbgB33t6ooe/s/lzIablpvpnEA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=xpqCNPv21dfm4nX0W3ZzZeJl35IDMAcQzcb5Gs/Wjhg=; b=Y5haCm+RTQoui/1BdX9D9ONvLbsWX5Itc0bFIqaVNB+rHcGehS3dgQ/Z09SLgnu647dC2CnlPrrcBguS9i1Ir6/zYUL4eEszlIMvY6l7x95EhWCz51JPFQCZbKXGfdpJdaTjvb+7AQJkvFXXjPdlykopQYKTH5Fj5R28lkFyV28p6bHoWDOsKXNRvfndCzTiJPTyNFYv7+oc/3p31pGsbS9q6p6LBZausZqcauvc9SUHTwqBtXCg/lsdnUQcajBqobPvvNccpF8I1Izf8MAFZ6yjBD6momHYWOLS/dxyhCv9OLEYuQzzPNaxSa1qPa/s/08bQ+GO6sISHtriVIlO7g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=digicert.com; dmarc=pass action=none header.from=digicert.com; dkim=pass header.d=digicert.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xpqCNPv21dfm4nX0W3ZzZeJl35IDMAcQzcb5Gs/Wjhg=; b=qbaQ2/1pjSauPB6DnBqrhz9pgtvhbT3LcKJqVkYBrQ2McHGFPQpmx76ytCQWUOZFpj96oSir4sG7deyfthvITZX5ViccH1Sme6koS+pyNFc267HTNw0ykl2Ev7XgCSCNOvzyytndMwBoN+glyDUgqoo++4m/hm+sp9jFjTssygE0TkTzOxuj4qiMpzSC04KRLbak2YaksTCfkQ3pwdx64SirQ1tfZMLy0qwMZXu1ocflO/4gdQEBSuzvZ+8F33LroCe2Xuc4R4PcacZ3coyFwKHX+SGUO7PhArlxs8F3XLzQZvV7wjRQkQo3P+9M8F5U6JAlXT6eBYDz61QsdM+bDg==
Received: from DM6PR14MB2186.namprd14.prod.outlook.com (2603:10b6:5:b6::16) by CH2PR14MB4006.namprd14.prod.outlook.com (2603:10b6:610:7c::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6387.22; Fri, 12 May 2023 13:35:07 +0000
Received: from DM6PR14MB2186.namprd14.prod.outlook.com ([fe80::8b21:54f8:a0d2:9f9b]) by DM6PR14MB2186.namprd14.prod.outlook.com ([fe80::8b21:54f8:a0d2:9f9b%6]) with mapi id 15.20.6387.020; Fri, 12 May 2023 13:35:06 +0000
From: Corey Bonnell <Corey.Bonnell@digicert.com>
To: Antonios Chariton <daknob.mac@gmail.com>, IETF ACME <acme@ietf.org>
Thread-Topic: [Acme] DNS-ACCOUNT-01 Updates
Thread-Index: AQHZhGO43U+IXlFtL0yBB34kilKCmq9WmI+A
Date: Fri, 12 May 2023 13:35:06 +0000
Message-ID: <DM6PR14MB2186CC4C899D9EECEFA055CE92759@DM6PR14MB2186.namprd14.prod.outlook.com>
References: <22209596-7C4D-42F4-9415-98F106047C33@gmail.com>
In-Reply-To: <22209596-7C4D-42F4-9415-98F106047C33@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=digicert.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR14MB2186:EE_|CH2PR14MB4006:EE_
x-ms-office365-filtering-correlation-id: 1fe265bd-fc10-4074-e473-08db52edb2e3
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: BTVtd4V2uS+Y841mNworEesCxQdzQVGKXsepUiJNss+Dg8xksd0YdBdJLWhJsjjrd5AMvOjMeZFvgIXoL/lkXuwZFNSp8hjbJuEdR6FtEaFe6r+ZXEsCyBoT58OI1qGOs1bch4Yb3TIDJwaj0MoWN2NrmzM0Qf4PF7pKJu1PaDSqp4GQd1DyXlr75wIMUE3EAqmK6e7sQw+R0XTuGPVVpbioolSSUPBV2hjviKBQI7XcKs2f3bQ14cEzaSYK1yULeocU1QP8wBFZLWphrAizTE2OuOHpCOm8USuN+XoxkYuAeoaT0v3U+cHMI658HJXJQO5UUWcRCTwbHh7u8qR8oFj7gTD3OXzoTuyc7uqF2Zhcs0aVnN28LRUjs4Kso1szBffbNrIf3Jun+vMVQ5AUReBwPTQAV1JdTD0Rvqw0DhMn9Pe8ZVwdKG7n0lyqwQk/9IxuktRaT0J24odqsScD4bgygarftAbsIaZuXauukeMVw1iVPMXEKlZ8OV7C85kL7QQbGv0X12apKvL77sdgj3gsNgz2gOf1rRNeE9ZgwwDuTeKSuDkO51/A/Tsj8NAZ3CUdcLpRRuORk5krNBst4ki0QpgeWbUr/JGlOEbGWMs=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR14MB2186.namprd14.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(136003)(346002)(376002)(366004)(39850400004)(396003)(451199021)(86362001)(38070700005)(33656002)(166002)(316002)(110136005)(66446008)(66556008)(66946007)(64756008)(76116006)(66476007)(966005)(7696005)(478600001)(55016003)(71200400001)(21615005)(8676002)(8936002)(52536014)(9326002)(15650500001)(5660300002)(2906002)(41300700001)(122000001)(38100700002)(99936003)(9686003)(26005)(6506007)(53546011)(186003)(83380400001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: WGqWZajnfM3sHE+whRHtotVu4lmf8+YTSfEGy42UwqdqXXTyUXlaSnzNc489FTfrQqOsu6s4prInuwtd4Ln/dCiOWFKmv6OF/rjj6m4rkGudvya0/S0fysnEH0Z9STR3nPXrd1thxLPtF1heM/NWiuOLeDi0ztXvfxgYTnvO3h9/Q7XFBbltf2dFIRQvU9s21Fi+1SG5DK7MZXseFPycAPcUIdwBeWJvCG4D+n27REgM48LvhSd3s7jexbYiQz7r0PnplpkIK9RhoPw29aP5BFBua51WuiN4a80UUdw3FCAtdstnF90VrL+0vISd8SnjOuWcOSljg8ZItQjp4yh5FuqJDuluV6BHClceo6LYt880/fdEuRuP+1jtOjh5GPCXrDRHRvL0fcjK5wTNlxvRz+LPmNGrV7uGeC+walnmC1vX2AdsQrGE1mnc39Gl1iA/yYrPKy2A1w+UBrMvnHFoxtRqyzrre3UnRs5G4HYASBD3aj2HApjXX44Spl+yNG4OZr+Hp/CEi48M5pkyULpTOu5wB9D/PBzR+ZnehLCY6HYm0W4Z0WEKvP/eQwqXLovaS677PMN/1uqOHA6lLDwQOCCMsqMsTqHW9FupvrRTGjHFN0uLrnTLG1cbo8t7MwejTYed+crpD8SIxM11KnkxqJJW3vZz4xDZmSVDsI2iGTCt5WtzCiW35Sd4thmtWNPuc7GAL83NJB6TZQtgOleGmdAanZjVT81qJFB8mwxZhbYwuMSZWkpYRWMEhsOEnCgkYMWzMTKcbhjAh2WqL8h/NNYzX+qufdUG758W+/j/lJ7udJSJ+N1XNrXhypAwxy2s/0D6HB8w2zTsHNp8QApl+fS/tRan3UES34BV0AtMdpQG081vRsX71j9tcSOaGBIzhoz/y8+vaSYHrTZViMPMhQ28iutx5o9+xTO+BjVq1vQsrsnWWhcG6Aw2QnkKoT1KW7j9rJdaN3ZKxW+OLBVBCsW40sAs2z1vD7tvtpofNU8qiP45a//HysCIqmEnMD9oQFZh9J0T9ofbDf0s9VHwnvIcQ6AJHKi6fyGpx6Ebz9T1Z6lBmzueN0Tr7LK8uUoeD2rNBHijtPrywxZk+6tG/srB08no75EBDD67oi3TlTWsfY/tO8F1ORXNaXeYKzWJby0cTJ0BxvsmECgoJJABxOGSqKXnJOeLXDJzFfhyCdw0TRzrNMoOFg8fWtAMizsLHglorAbuMI/Qd7r265QcSC592/CAm+5kcZbz5nkhmhgy2KzOycTcK5+ggGFzsTorDlI+jUD/VSqASgvxh9EnUrzSNwIaL4+kZKySJOixF8Pdgkh4RLBwFbDN/ig+FiDTjmmcWAlgi7RyT9db0Or1E0rd2TLWrJNledhZF00ogk7W8qM5JN5TpPhj5uqjlveqfGvnzjZOD1odZ2g6O1lsG6eBjmFZfKbmShtsf/n88buH8TnKiZFqR1y30hu/5eVvitPb3SNUcEgFB3iBnVz09+aaG4d3kjcVkU+acqqF1CD5B/lEln9HBRmNG28k9bp4y3FCa/7SpWvZEzAYMy4ikzDuS44GKZnX1wtlpDwcTlQcf6ezIxVYsp05o5YI7mw/
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_0100_01D984B5.086983A0"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR14MB2186.namprd14.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1fe265bd-fc10-4074-e473-08db52edb2e3
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 May 2023 13:35:06.4708 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: uIftpMISWGqizqut0jXUsSMxx4sog9h7nZwLpVVJDvV0c+rMM1LwSmNC5TGBeufG2CrQjPFG6kTChBzkBPsIdZrXCmYsavAryvUboCG+GMs=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR14MB4006
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/vr-fWQ1m_0IFPy72gd4-Lv3oWGY>
Subject: Re: [Acme] DNS-ACCOUNT-01 Updates
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 May 2023 13:35:16 -0000

Hi Antonios,

Thanks for raising this draft again, especially since automation of domain validation currently is an active topic at the CA/B Forum validation sub-committee. Comments inline.

 

> There was a suggestion to rename this challenge to DNS-02. This is something that we had rejected back when we created this challenge, however it has been suggested several times, so we are happy to reconsider this. It may be the right choice.

 

I prefer “DNS-ACCOUNT-01”. “DNS-02” conveys no information that this method is very different from “DNS-01”; it’s very easy to be misled that “DNS-02” is merely an updated version of “DNS-01” based on name alone.

 

> ACME Clients need to calculate the correct label. Although we provide the algorithm, a bash script, and test vectors, anecdotal data from ISRG suggest that some clients still mess things up (implementing RFC 8555), so this is another value where this may happen. An easy solution here would be to share the expected label with the client, but we decided against this to protect against cross-protocol attacks, and also to protect the client against an ACME server giving it arbitrary DNS records to change. If clients calculate this independently, they don’t need to trust the server.

 

I agree that the server shouldn’t be providing the label. Perhaps requiring that the account URL be normalized according to RFC 3986, section 6 prior to hashing would alleviate some of the interoperability issues? 

 

> The label is longer, so some very very long domain names may no longer work. Since this is 17 characters longer than DNS-01’s label, anything approaching the various limits (of DNS, etc.) may break. For example, if in DNS-01 you end up with a 236-253 character domain name to check for the TXT record, then DNS-ACCOUNT-01 will go over the limit and won’t work. We don’t consider this to be a major problem. We’re also not aware of many domain names in the 236-253 character range.

 

I don’t see the current label size as an issue either. A brief glance of certificates with 236+ character dNSNames shows this is not a concrete concern: https://search.censys.io/certificates-legacy?q=parsed.extensions.subject_alt_name.dns_names.raw%3A%2F.%2B%7B236%2C253%7D%2F+and+parsed.extensions.extended_key_usage.server_auth%3A+true+and+%28tags.raw%3Atrusted+or+tags.raw%3Awas-trusted%29

 

Thanks,

Corey

 

From: Acme <acme-bounces@ietf.org> On Behalf Of Antonios Chariton
Sent: Thursday, May 11, 2023 7:52 PM
To: IETF ACME <acme@ietf.org>
Subject: [Acme] DNS-ACCOUNT-01 Updates

 

Hello everyone,

 

I’m sending this e-mail to the list to update you all on DNS-ACCOUNT-01 and the news we have since the presentation in IETF 116.

 

You can all help by reviewing the text[0], these updates, and sharing your opinion in this thread here!

 

The CA/B Forum 2023-05-04 meeting discussed DNS-ACCOUNT-01 and three things came out of it, as it is evident in the minutes[1]:

 

1) This method is compatible with the CA/B Forum Baseline Requirements that are binding for all WebPKI CAs, specifically section 3.2.2.4.7 for agreed-upon change to a DNS record. This means that CAs can start using this standard immediately, and there are no other dependencies. The design seemed to be good in its current version. Obviously, quick changes to their CP/CPS may be required, but this is not blocking and unilateral.

 

2) There is a documented need for various usecases where this challenge would help, from several stakeholders, and evidence that it could be beneficial to the ecosystem and its development. It allows ACME to be used in even more situations where more traditional and non-automatable methods had to be relied upon.

 

3) There was a suggestion to rename this challenge to DNS-02. This is something that we had rejected back when we created this challenge, however it has been suggested several times, so we are happy to reconsider this. It may be the right choice.

 

There’s no published precedence of what -02 means right now, so it’s unclear whether it is a second option, or a next generation / improved challenge. We never planned to replace DNS-01 with our challenge, we always intended to add more options, and cover more use cases. Here are some technical “disadvantages” of this work vs DNS-01:

 

1) ACME Clients need to calculate the correct label. Although we provide the algorithm, a bash script, and test vectors, anecdotal data from ISRG suggest that some clients still mess things up (implementing RFC 8555), so this is another value where this may happen. An easy solution here would be to share the expected label with the client, but we decided against this to protect against cross-protocol attacks, and also to protect the client against an ACME server giving it arbitrary DNS records to change. If clients calculate this independently, they don’t need to trust the server.

 

2) The label is longer, so some very very long domain names may no longer work. Since this is 17 characters longer than DNS-01’s label, anything approaching the various limits (of DNS, etc.) may break. For example, if in DNS-01 you end up with a 236-253 character domain name to check for the TXT record, then DNS-ACCOUNT-01 will go over the limit and won’t work. We don’t consider this to be a major problem. We’re also not aware of many domain names in the 236-253 character range.

 

3) If an ACME client for whatever reason loses access to the ACME account, this “set and forget” DNS label now has to change. Things would break here with other standards too (if you need an EAB token, you can’t create a new account anyways, if you limit the ACME account via CAA records, you can’t issue, etc.) but DNS-ACCOUNT-01 would just add to the things that would have to be taken into account. We don’t currently consider this a huge issue, but if you think it could be, let us know.

 

As you can see, these 3 tradeoffs above had to be made, to ensure we can cover more use cases. We think these are good tradeoffs for an additional ACME challenge, but perhaps they are not for an “upgraded” one.

 

What do you think about the naming? Do you perceive “DNS-02” as an improved version, or as a second option? We are happy to rename this to DNS-02 and we have no plans of breaking any ACME server or client already using DNS-01 :)

 

Thanks for reading through this, and I am happy to hear your thoughts and get reviews on the draft, so we can move further with this work.

 

Antonios Chariton

Independent Contributor ;)

 

- - -

Links:

 

[0] : https://archive.cabforum.org/pipermail/validation/2023-May/001892.html

[1] : https://daknob.github.io/draft-todo-chariton-dns-account-01/

v2.23.0 | Report a Bug | By Email