Internet-Draft ACME-SCOPED-DNS-CHALLENGES August 2024
Chariton, et al. Expires 20 February 2025 [Page]
Workgroup:
Automated Certificate Management Environment
Internet-Draft:
draft-ietf-acme-scoped-dns-challenges-01
Published:
Intended Status:
Standards Track
Expires:
Authors:
A. A. Chariton
Independent Contributor
A. A. Omidi
Spirl
J. Kasten
Google
F. Loukos
Google
S. A. Janikowski
Google

Automated Certificate Management Environment (ACME) Scoped DNS Challenges

Abstract

This document outlines a new challenge for the ACME protocol, enabling an ACME client to answer a domain control validation challenge from an ACME server using a DNS resource linked to the ACME Account ID. This allows multiple systems or environments to handle challenge-solving for a single domain.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://aaomidi.github.io/draft-ietf-acme-scoped-dns-challenges. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-ietf-acme-scoped-dns-challenges/.

Discussion of this document takes place on the WG Working Group mailing list (mailto:acme@ietf.org), which is archived at https://datatracker.ietf.org/wg/acme/about/. Subscribe at https://www.ietf.org/mailman/listinfo/acme/.

Source for this draft and an issue tracker can be found at https://github.com/aaomidi/draft-ietf-acme-scoped-dns-challenges.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 20 February 2025.

Table of Contents

1. Introduction

The dns-01 challenge specified in section 8.4 of [RFC8555] requires that ACME clients validate the domain under the _acme-challenge label for the TXT record. This label creates several limitations in domain validation.

First, the _acme-challenge label does not specify if the authorization is intended for a specific host, a wildcard domain, or a domain and all of its subdomains. Consequently, domain owners who may be delegating or provisioning authorization labels for a domain must concede control over the domain and all subdomains, violating the principle of least privilege.

Furthermore, since each domain only has a single authorization label, it creates an impediment limiting the number of other entities domain validation can be delegated to. Delegating authorization to an entity requires the use of CNAME records, which can only used once per DNS name (or in this case, once per authorization label). This limitation requires operators to pick a single ACME challenge solver for their domain name.

In multi-region deployments, where separate availability zones serve the same content, and dependencies across them are avoided, operators need a way to obtain a separate certificate per zone, for the same domain name. Similarly, in cases of zero-downtime migration, two different setups of the infrastructure may coexist for a long period of time, and both need access to valid certificates.

This document specifies two new challenge types. dns-02 and dns-account-01, which aim to address these deficiencies.

This work follows all recommendations set forth in "Domain Control Validation using DNS" [I-D.draft-ietf-dnsop-domain-verification-techniques].

This RFC does not intend to deprecate the dns-01 challenge specified in [RFC8555]. Since these new challenges do not modify any pre-existing challenges, the ability to complete the dns-02 or dns-account-01 challenge requires ACME server operators to deploy new changes to their codebase. This makes adopting and using these challenges an opt-in process.

1.1. DNS-02

The dns-02 challenge adds onto dns-01 by introducing a scoping mechanism to the domain authorization label. This allows for the client to specify if the intended domain validation is for a specific host, a wildcard domain, or a domain and all of its subdomains.

1.2. DNS-ACCOUNT-01

The dns-account-01 challenge leverages the ACME account URL to present an account-unique stable challenge to an ACME server. This challenge allows any domain name to delegate its domain validation to more than one service through unique per ACME account DNS records.

With this new challenge, domain validation of the same DNS name can be done through different authorization labels. Since these authorization labels will depend on the ACME account KID ([RFC8555], Section 6.2), any number of them can be generated in advance. This allows all required CNAME records for domain validation delegation to be constructed statically.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. DNS-02 Challenge

When the identifier being validated is a domain name, the client can prove control of that domain by provisioning a TXT resource record containing a designated value for a specific validation domain name.

{
    "type": "dns-02",
    "url": "https://example.com/acme/chall/i00MGYwLWIx",
    "status": "pending",
    "token": "ODE4OWY4NTktYjhmYS00YmY1LTk5MDgtZTFjYTZmNjZlYTUx"
}

A client can fulfill this challenge by performing the following steps:

On receiving a response, the server constructs and stores the key authorization from the challenge token value.

To validate the dns-02 challenge, the server performs the following steps:

If all the above verifications succeed, then the validation is successful. If no DNS record is found, or DNS record and response payload do not pass these checks, then the server MUST fail the validation and mark the challenge as invalid.

The client SHOULD de-provision the resource record(s) provisioned for this challenge once the challenge is complete, i.e., once the "status" field of the challenge has the value "valid" or "invalid".

3.1. Errors

The server SHOULD follow the guidelines set in [RFC8555], Section 6.7 for error conditions that occur during challenge validation.

4. DNS-ACCOUNT-01 Challenge

When the identifier being validated is a domain name, the client can prove control of that domain by provisioning a TXT resource record containing a designated value for a specific validation domain name.

{
    "type": "dns-account-01",
    "url": "https://example.com/acme/chall/i00MGYwLWIx",
    "status": "pending",
    "token": "ODE4OWY4NTktYjhmYS00YmY1LTk5MDgtZTFjYTZmNjZlYTUx"
}

A client can fulfill this challenge by performing the following steps:

On receiving this response, the server validates the message and constructs and stores the key authorization from the challenge token value and the current client account key.

To validate the dns-account-01 challenge, the server performs the following steps:

If all the above verifications succeed, then the validation is successful. If no DNS record is found, or DNS record and response payload do not pass these checks, then the server MUST fail the validation and mark the challenge as invalid.

The client SHOULD de-provision the resource record(s) provisioned for this challenge once the challenge is complete, i.e., once the "status" field of the challenge has the value "valid" or "invalid".

4.1. Errors

The server SHOULD follow the guidelines set in [RFC8555], Section 6.7 for error conditions that occur during challenge validation.

If the server is unable to find a TXT record for the validation domain name, it SHOULD include the account URL it used to construct the validation domain name in the problem document. Clients MUST NOT use or rely on the presence of this field to construct the validation domain name.

4.2. Implementation Considerations

As this challenge creates strong dependency on the kid account identifier, the server SHOULD ensure that the account identifier is not changed during the lifetime of the account. This contains the entire URI, including the ACME endpoint domain name, port, and full HTTP path.

5. Security Considerations

These challenges follow the recommendations set out in "Domain Control Validation using DNS" [I-D.draft-ietf-dnsop-domain-verification-techniques] for supporting multiple intermediates within the context of [RFC8555].

In both dns-account-01 and dns-02, the same security considerations apply for the integrity of authorizations ([RFC8555], Section 10.2) and DNS security ([RFC8555], Section 11.2) as in the original specification for dns-01. They both differ from dns-01 in that the challenges are scoped to the particular name being validated without relying upon CAA ([RFC8659]).

5.1. DNS-ACCOUNT-01

To allow for seamless account key rollover without the label changing, the dynamic part of the label depends on the ACME account and not the account key. This allows for long-lived labels, without the security considerations of keeping the account key static.

In terms of the construction of the account label prepended to the domain name, there is no need for a cryptographic hash. The goal is to simply create a long-lived and statistically distinct label of minimal size. SHA-256 was chosen due to its existing use in the dns-01 challenge ([RFC8555], Section 8.1).

The first 10 bytes were picked as a tradeoff: the value needs to be short enough to stay lower than the size limits for DNS ([RFC1035], Section 2.3.4), long enough to provide sufficient probability of collision avoidance across ACME accounts, and just the right size to have Base32 require no padding. As the algorithm is used for a uniform distribution of inputs, and not for integrity, we do not consider the trimming a security issue.

6. IANA Considerations

6.1. ACME Validation Method

The "ACME Validation Methods" registry is to be updated to include the following entries:

label: dns-02
identifier-type: dns
ACME: Y
Reference: This document

label: dns-account-01
identifier-type: dns
ACME: Y
Reference: This document

7. References

7.1. Normative References

[FIPS180-4]
National Institute of Standards and Technology, "Secure Hash Standard (SHS)", , <https://csrc.nist.gov/publications/detail/fips/180/4/final>.
[RFC1035]
Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, , <https://www.rfc-editor.org/rfc/rfc1035>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC4086]
Eastlake 3rd, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, DOI 10.17487/RFC4086, , <https://www.rfc-editor.org/rfc/rfc4086>.
[RFC4648]
Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, DOI 10.17487/RFC4648, , <https://www.rfc-editor.org/rfc/rfc4648>.
[RFC6234]
Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI 10.17487/RFC6234, , <https://www.rfc-editor.org/rfc/rfc6234>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8555]
Barnes, R., Hoffman-Andrews, J., McCarney, D., and J. Kasten, "Automatic Certificate Management Environment (ACME)", RFC 8555, DOI 10.17487/RFC8555, , <https://www.rfc-editor.org/rfc/rfc8555>.
[RFC8659]
Hallam-Baker, P., Stradling, R., and J. Hoffman-Andrews, "DNS Certification Authority Authorization (CAA) Resource Record", RFC 8659, DOI 10.17487/RFC8659, , <https://www.rfc-editor.org/rfc/rfc8659>.

7.2. Informative References

[I-D.draft-ietf-dnsop-domain-verification-techniques]
Sahib, S. K., Huque, S., Wouters, P., and E. Nygren, "Domain Control Validation using DNS", Work in Progress, Internet-Draft, draft-ietf-dnsop-domain-verification-techniques-05, , <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-domain-verification-techniques-05>.
[RFC9444]
Friel, O., Barnes, R., Hollebeek, T., and M. Richardson, "Automated Certificate Management Environment (ACME) for Subdomains", RFC 9444, DOI 10.17487/RFC9444, , <https://www.rfc-editor.org/rfc/rfc9444>.

Acknowledgments

Authors' Addresses

Antonios A. Chariton
Independent Contributor
Amir A. Omidi
Spirl
James Kasten
Google
Fotis Loukos
Google
Stanislaw A. Janikowski
Google