Re: [Acme] dns-01 challenge limitations
Philipp Junghannß <teamhydro55555@gmail.com> Sun, 13 September 2020 09:17 UTC
Return-Path: <teamhydro55555@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 013583A0B7B for <acme@ietfa.amsl.com>; Sun, 13 Sep 2020 02:17:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DY72-lbrPLb8 for <acme@ietfa.amsl.com>; Sun, 13 Sep 2020 02:17:53 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 298503A0B76 for <acme@ietf.org>; Sun, 13 Sep 2020 02:17:53 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id a12so14619883eds.13 for <acme@ietf.org>; Sun, 13 Sep 2020 02:17:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GtzvHhf31MDUHRzSOiYB+Qvs4q5crVU7+UwZ91RY8Sk=; b=kvbC1wltxXILQp3NAY5P3HKz3Ybtt7HsRpUxMYQFFDijwcsHWKyEiLZRIyPW/XX0Da sKzKE5PE3NLyhFpGegstfZjqvVMU7TE15mwXOXVvUD3Wj5oWaUw0XmxBCEX0oWlTwNCO X65gd2zDvb9nqtoxE273LayKm47BIGuUuKyRzRzTWzH5rC42v5F+GafxkngC+oCheUiR w0OEOaRcXp2pjtXUkAsOc9kf2UMhbav0fEv1yq1j/uHo++MA08h8t7QnbmHNSgf+GSRW EOFSF4BumRCpD01QhDFA/J4P/GeHkEEBotvKytGzkSTIrBGOxC9hdIHLK/NjFYOUULPb ZYSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GtzvHhf31MDUHRzSOiYB+Qvs4q5crVU7+UwZ91RY8Sk=; b=cEp0w8n87PuSV/xtB65qD5dnTGcYsE6d+HgoZYxbAXWhgSJmaMSxm8hQ9r6SXxd4FW jqL2LS99u6NLmpJcSrnFBX1TIZ5jfM46c44soCck5tbKaTJTMEA8F1Nx0Q2sdken6SfW VZMo9wQ6HhuOyP2QknKr7Fba3GI0FzNYYvoC1ZgtwFKF7sGWpNbezeyKBbk/g+OM3fQ5 zf/1GFrbNn/QrlMJPVb7lSDuAqgGBU42+lkCVch++/ADHkHieDRoPiW+n0ziHmib6/vo 4NskLl8pqsn3b6UiKWOO7p0NCSr1CnSF0YKrbrqGHncR+gXcg+LWxOr0JM1R9uxZ3hRh itAA==
X-Gm-Message-State: AOAM531aoho/pOs1JYsX0imN1oUKQsdMSyGNHuu2agP44DLg1McXyF3/ MpSaQ+mrFnP0zfQkqoA0W6g4HZNQRquNdTtvWY0=
X-Google-Smtp-Source: ABdhPJwnaI30M8U7mFzmi1g1W4zYenxjhEy6pdIQJ6VbNNd+II5aibJXA8rp9wIhj4S14ZpZsZcQQSLvMVIzVqd3+vc=
X-Received: by 2002:a50:e78f:: with SMTP id b15mr12061586edn.104.1599988671572; Sun, 13 Sep 2020 02:17:51 -0700 (PDT)
MIME-Version: 1.0
References: <uu-OR5wP1b7svN1Rxems1U8_axHG7M8M9_kYqTBVyhQFxqrddppvhasyxKtLQ-4AZkrbBWhJ_9V-Xs8mQBK5E4smP4_1vANgZazIwicsbq0=@emersion.fr> <CACHSkNq9D5tYpaYm+_336+7WkJxuRw6_zPgEUtfMqaqbDr+zww@mail.gmail.com> <RIUPM_G4wCA2zxzlMxWZp78us6ljwnWaD3n4L4kRuxYeZkEudsnLnD4b6TllCoUoTlJy0FzcJIKQ5HHuNkYPWbrkmy6yGyDQPuYubQqsrQ8=@emersion.fr> <CACHSkNrc6Gnqwfq2OzgEqvCCrhKb3SLO9YJOcDRTPV3s27OZJQ@mail.gmail.com> <CAErg=HFTsQmzacEP2K542nFWrJhcGVWE+Q2GndMnAvpSMDBCeg@mail.gmail.com> <mWZh6EINiNadii7akjphaUVgUqHjKRG_rbv6M91CxWsaCuPq7wIGJi8TfgsJWu6tFrSpnFViVNvL4XNzBEPKcc4iB10qy9Bt5lauORap1pg=@emersion.fr>
In-Reply-To: <mWZh6EINiNadii7akjphaUVgUqHjKRG_rbv6M91CxWsaCuPq7wIGJi8TfgsJWu6tFrSpnFViVNvL4XNzBEPKcc4iB10qy9Bt5lauORap1pg=@emersion.fr>
From: Philipp Junghannß <teamhydro55555@gmail.com>
Date: Sun, 13 Sep 2020 11:17:40 +0200
Message-ID: <CACHSkNpy7-ecN81in9ZXMsBguV8Fp0PxZp+dy6Tr_n_CLvtmUg@mail.gmail.com>
To: Simon Ser <contact@emersion.fr>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, "Matthew.Holt@gmail.com" <Matthew.Holt@gmail.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000069ef9205af2e6410"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/wTp4ZaqOpWMZbQcUQ0K-BO5aUa0>
Subject: Re: [Acme] dns-01 challenge limitations
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Sep 2020 09:17:55 -0000
maybe one could make it so an email specific to the domain that is verified could be used instead to just screw the entire DNS thing? I mean CAs have used e-Mail based issuance over the address in the whois (no longer practical due to increase of whois privacy by default) or the standardized hostmaster etc addresses. that way any given acme client would only need access to the inbox of that specific mail which probably is a whole lot easier than DNS stuff. Am So., 13. Sept. 2020 um 11:13 Uhr schrieb Simon Ser <contact@emersion.fr>: > > On Friday, September 11, 2020 4:26 PM, Ryan Sleevi <ryan-ietf@sleevi.com> > wrote: > > > > > On Fri, Sep 11, 2020 at 9:28 AM Philipp Junghannß < > teamhydro55555@gmail.com> wrote: > > > > > > > problem is obviously also the CA/Browser Forum has certain > requirements, > > > > and I guess having access to some kind of direct verification at the > time > > > > of issue might be probably one of these. > > > > > > This is the correct answer. > > > > > > While the IETF can certainly explore developing voluntary standards for > > > other methods, the ability for CAs to adopt these methods is limited > by CAs > > > customers: the browsers and operating systems that include and use CAs > to > > > validate domain names on their behalf. > > > > > > The explicit goal by several browser/OS vendors is to obtain a fresh > proof > > > of control over a domain, and reduce/eliminate any caching or reuse. > > > Delegation (by keys or persistent records) is definitely an area of > > > expressed concern. > > My take is that in theory it's an understandable goal, but that in > practice, > this detoriorates security. > > In practice, ACME clients: > > 1. Have a static, long-term token stored in their configuration file > 2. The token is powerful and can update any DNS record in the zone > > How come browser/OS vendors are fine with this, but not with a different > approach involving an ACME-specific key? > > Sure, since this happens behind the ACME/DNS protocols and is an > implementation > detail, this isn't ACME's responsibility anymore. However, because > browsers/OS > vendors have this requirement of not allowing delegated proofs, we end up > with > a worse situation than necessary. > > Ultimately, ACME clients need a way to update DNS records to solve the > dns-01 > challenge. Ignoring and pushing the problem down to the DNS operators does > not > fix the root cause. > > If an ACME client needs to prove that they have authority over a DNS zone, > they > will need some kind of authorization/key/token or similar, be it > vendor-specific or not. Why not acknowlege this fact and come up with a > reasonable standard? > > > > I think the suggest of more uniform APIs for managing DNS is very much > in > > > line with those goals, and would help far more than ACME. > > Yes, no matter what ACME requires, a standardized API to update DNS records > would be nice. Michael Richardson suggested that such an API (or a subset > of) > already exists (via secure DDNS), but isn't supported by most DNS operators > (even if supported by some DNS daemons). > > Establishing a new standard involves talking to existing DNS operators, > and ask > them to implement the new standard. For them, the new standard wouldn't > have a > high enough return on investment: ACME clients already volunteer to > implement > each and every proprietary API. Even if a good standard ticking the > checkboxes > of RFC 5218 existed, I don't think it would be successful (no "Positive Net > Value" for DNS operators). > >
- [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Philipp Junghannß
- Re: [Acme] dns-01 challenge limitations Felipe Gasper
- Re: [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Philipp Junghannß
- Re: [Acme] dns-01 challenge limitations Patrik Wallström
- Re: [Acme] dns-01 challenge limitations Ryan Sleevi
- Re: [Acme] dns-01 challenge limitations Ilari Liusvaara
- Re: [Acme] dns-01 challenge limitations Michael Richardson
- Re: [Acme] dns-01 challenge limitations Michael Richardson
- Re: [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Philipp Junghannß
- Re: [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Kas
- Re: [Acme] dns-01 challenge limitations Philipp Junghannß
- Re: [Acme] dns-01 challenge limitations Jesper Kristensen
- Re: [Acme] dns-01 challenge limitations Michael Richardson
- Re: [Acme] dns-01 challenge limitations Ryan Sleevi
- Re: [Acme] dns-01 challenge limitations Ryan Sleevi
- Re: [Acme] dns-01 challenge limitations Jacob Hoffman-Andrews