IETF Logo Mail Archive

[DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)

Erik Nygren <erik+ietf@nygren.org> Sun, 08 June 2025 15:30 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 864D7325FFB0 for <dnsop@mail2.ietf.org>; Sun, 8 Jun 2025 08:30:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.783
X-Spam-Level:
X-Spam-Status: No, score=-1.783 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URI_HEX=0.1] autolearn=no autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id na7EKAVXw4bx for <dnsop@mail2.ietf.org>; Sun, 8 Jun 2025 08:30:02 -0700 (PDT)
Received: from mail-lj1-f182.google.com (mail-lj1-f182.google.com [209.85.208.182]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 7BF01325FFA8 for <dnsop@ietf.org>; Sun, 8 Jun 2025 08:30:02 -0700 (PDT)
Received: by mail-lj1-f182.google.com with SMTP id 38308e7fff4ca-32ade3723adso24893421fa.0 for <dnsop@ietf.org>; Sun, 08 Jun 2025 08:30:02 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749396601; x=1750001401; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=5ZJRP3ENaiXKtTUehTb1j1y501TRF4zAIDK2hsSaWCI=; b=Wo41W2xi6TQbmduRSf+kAjUOb+a+34d8ydl5rxghbxZDaHm4ZwkoxdUVUEkzE/gWh8 QBhzULL4KIEB8tun9c/2KYAd01CuQiAuN/3cPvn9IARlfQwi3TBY9+gecMfNN1/a8zpp CDaF5MeoPhvbIpJyjyhs/yDvhLc9GHFUAkOWJnD2Iw9oYub/0ffj2x2XDaYxwIcNPuDz j7f2fljZiWgo1FwW5ojDXIpQ0L74ro8g+ppZt3NF2Tn5Wx0PeQ0WoKcBubG94tKPWBP3 SBy+xbW1ouofJT0lCs1HCNvygYJNpkUQYsJ/8zt63FRVM1b5D1A/DXrWCedtKsz16MuL CIjg==
X-Forwarded-Encrypted: i=1; AJvYcCUtKcb403Mfu5gWLC1D4fQCZuzN1u64skaWXHYa2XHimKd2bq2Eqb/58CRvjY1CrAB9EKf31w==@ietf.org
X-Gm-Message-State: AOJu0YxBeo3gNF1ufrW4gKwHjpMgQ2unGY525rPFROyumH32Vb6IGYc6 WZ7rA/Fys50hIeTQhG9/LJTfL6nw1de+sD0lkQbXiUtx/nqjOYxCuE7hUrbaWVJNZ1zLkJ2eev2 86ccgFmQgt8uKVD/MDPazzj5K6bHPUYI=
X-Gm-Gg: ASbGncvbofW63IboihJJ8MdrADQESc6C4jhsfPFciCBwkvP3sztxZ37hxcF1ZZWL8qL NLhiKig6MtsRV2QmMqhrSHRWHzCz3eBUUCedYg4vceY0XYMYqtV7lntA5LCOa69kEx6suXNioG8 wwL6qW+lk7165dW5cRld38TM9IqkPz/CX+lbLSoCbVdkkwWj7ygJWs9AyzIp1Sb/SCNGMkN06Be /vM
X-Google-Smtp-Source: AGHT+IFyhKuDuBXy/leT5CTeApvSvEMnzdJHsVeIdrQOkTDBjDKJOVUV6iiUvGDURgcnInbonNnMwswUSvG0pGB1wAA=
X-Received: by 2002:a2e:a302:0:b0:32a:648e:7ed5 with SMTP id 38308e7fff4ca-32adfe19e29mr23038221fa.36.1749396600782; Sun, 08 Jun 2025 08:30:00 -0700 (PDT)
MIME-Version: 1.0
References: <CAKC-DJhS4_1P5Bqu-0YWWr9jkxBOt40rx5804UAUp7DhAsc31g@mail.gmail.com> <40408285-974A-4790-B653-DF4C3798F1E0@nohats.ca> <F7E48A3F-DA2C-4E54-92DA-90CD0EDE78DA@icann.org> <478e1879-93d4-4b0b-a99f-bbdb422bc073@taugh.com>
In-Reply-To: <478e1879-93d4-4b0b-a99f-bbdb422bc073@taugh.com>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Sun, 08 Jun 2025 11:29:48 -0400
X-Gm-Features: AX0GCFvPFmDFwvIsPMxm844fTNZf7XDFY1SxP6Pr6kzluAOVnoSir0Ey-mNhYow
Message-ID: <CAKC-DJh4ck_okAmdssMTfj5iq9X2o_-_Z6MzLQRSfZyjUJ3t6g@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Content-Type: multipart/alternative; boundary="000000000000f6034c0637112273"
Message-ID-Hash: 7I6GSP5XQHYQ4YPAARCSINHVNRYQB3MA
X-Message-ID-Hash: 7I6GSP5XQHYQ4YPAARCSINHVNRYQB3MA
X-MailFrom: nygren@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Hoffman <paul.hoffman@icann.org>, "dnsop@ietf.org" <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tMhOlGbbC7kyy0KBneSS4toYHU0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

> This is an OK start, but it would be better if the draft covered the
actual security issues (on-path attackers) and dealt with time more
carefully.

Good point.  I've proposed some text on this as part of my PR:
https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/commit/ac42020800b807dc4d71f70b1145cc86e7a1e268


> Persistent validation doesn't need the token that is needed by the
initial validation.

As mentioned by John, this is critical to include for persistent
validation.  It's a different token (as shown in the draft) but it needs to
be there and it needs to be bound carefully to the User (or User account)
at the Intermediary.  Otherwise the dangling CNAME risks are much much
higher.

Rather than saying "I authorize this action" in a one-off validation,
persistent validation is saying "I authorize this User/account"

I wonder if it would be helpful to explicitly use this "authorization"
language in the draft?

> The new material still doesn't explain why introducing a new mechanism
(intermediaries) should be part of a Best Current Practice RFC.

For the intermediary mechanism being a (best? but at least common) current
practice, here are a number cases where this persistent CNAME to a service
that does one-off validations is being used today for ACME certs by
large-scale CDNs, smaller entities, and an open source project:


   -

   Akamai - Customers CNAME _acme-challenge.domain.com to
   validation.validate-akdv.net
   https://techdocs.akamai.com/property-mgr/docs/add-hn-with-default-cert-la
   -

   Fastly - Customers CNAME _acme-challenge.domain.com to
   token.fastly-validations.com

   https://docs.fastly.com/en/guides/setting-up-tls-with-certificates-fastly-manages
   -

   Cloudflare - Customers CNAME _acme-challenge.domain.com to Cloudflare's
   validation URL (for partial DNS setups)
   https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/
   -

   F5 Distributed Cloud - Customers create a CNAME record for _
   acme-challenge.demo.f5lab.com with the value provided by F5 Distributed
   Cloud

   https://f5cloud.zendesk.com/hc/en-us/articles/24624288087959-What-is-an-ACME-challenge-and-how-should-I-enter-these-records-in-my-DNS-zone

   -

   Google Cloud Certificate Manager - Google's Certificate Manager uses DNS
   authorization where customers add CNAME records like _
   acme-challenge.myorg.example.com pointing to Google's validation domains
   for certificate provisioning

   https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth

   -

   Certify DNS - A cloud hosted version of the acme-dns protocol that uses
   CNAME delegation of ACME challenge TXT records to a dedicated challenge
   response service
   https://docs.certifytheweb.com/docs/dns/providers/certifydns/
   -

   acme-dns (open source) - An open source limited DNS server with RESTful
   HTTP API where customers create CNAME records like
_acme-challenge.domainiwantcertfor.tld
   CNAME a097455b-52cc-4569-90c8-7a4b97c6eba8.auth.example.org
   https://github.com/joohoi/acme-dns

Given how common it is it seems to be important to cover how to do this
safely (eg, but having a high-entropy binding to an account identifier in
the CNAME target).

Best, Erik




On Sat, Jun 7, 2025 at 9:33 AM John R Levine <johnl@taugh.com> wrote:

> On Fri, 6 Jun 2025, Paul Hoffman wrote:
> > This is an OK start, but it would be better if the draft covered the
> actual security issues (on-path attackers) and dealt with time more
> carefully. Persistent validation doesn't need the token that is needed by
> the initial validation.
>
> Why not?  Let's say I have three accounts with FooCo and then cancel one
> of them.  It needs something more than "I have some relationship with
> FooCo".
>
> I don't object to documenting on-path attackers but it still seems
> awfully hypothetical.
>
> > The new material still doesn't explain why introducing a new mechanism
> (intermediaries) should be part of a Best Current Practice RFC.
>
> I agree with that bit.
>
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
>
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org
>

v2.31.3 | Report a Bug | By Email | System Status