I’ve been working on setting up DNS-01 validation for my domains, and in the course of dealing with the attendant complexity and difficulties compared to the traditional validation methods have found myself wondering why a simpler scheme wouldn’t suffice.
My understanding is that the two benefits the DNS-01 challenge provides over HTTP-01/TLS-ALPN-01 are that it allows issuing wildcard certificates and certificates for hosts that aren’t exposed to the public internet, and the reason that wildcard certificates for *.example.com can’t be issued after a successful HTTP-01/TLS-ALPN-01 challenge for example.com is that network delegation of a single subdomain through A/AAAA/CNAME records does not necessarily imply the intent to delegate control over the entire DNS tree rooted there.
I think that there’s a simpler way to achieve these same guarantees without running the entire ACME challenge machinery over DNS. As an illustrative example, here’s my understanding of the flow of a DNS-01 validation for a private domain when using a server like acme-dns to keep _acme-challenge records separate from your general DNS keys (a best practice in general, but especially relevant here because of the delegation involved):
- the client initiates a DNS-01 validation for 8af994ff.private.example.net.;
- the CA queries its DNS resolver for the records for _acme-challenge.8af994ff.private.example.net. and gets the CNAME response 7986e5ea-784a-452e-8bfe-14a51d23b0e8.acme-dns.example.net.;
- the CA queries its DNS resolver for the authoritative nameserver for 7986e5ea-784a-452e-8bfe-14a51d23b0e8.acme-dns.example.net. and gets acme-dns.example.net.;
- the CA queries acme-dns.example.net. for the TXT records for 7986e5ea-784a-452e-8bfe-14a51d23b0e8.acme-dns.example.net. and verifies the challenge.
My proposal is to add support for a CNAME record _acme-delegate that acts the same way a CNAME/NS record for _acme-challenge does, but for the existing HTTP-01/TLS-ALPN-01 challenges. You would add a record like:

_acme-delegate.8af994ff.private.example.net. CNAME acme-challenge.example.net.

with the meaning "ACME challenges for 8af994ff.private.example.net. should instead be directed to acme-challenge.example.net.". An example validation flow using this would be:
- the client initiates a TLS-ALPN-01 validation for 8af994ff.private.example.net., requesting use of DNS delegation;
- the CA queries its DNS resolver for the records for _acme-delegate.8af994ff.private.example.net. and gets the CNAME response acme-challenge.example.net.;
- the CA connects to acme-challenge.example.net. and runs a normal TLS-ALPN-01 challenge for the domain 8af994ff.private.example.net..
As far as I can tell, the two flows here are basically equivalent; this should have all the same guarantees with regards to zone authority that the existing DNS-01 challenge machinery does, but only require one-time DNS setup rather than dynamic TXT record adjustments for every renewal. The use of a specialized validation protocol like TLS-ALPN-01 avoids the need for complex DNS API integration with concerns about overpowered keys, TTLs, propagation, and so on, and allows for the elimination of the verbose UUID subdomains acme-dns relies on.
A wildcard certificate would correspond to _acme-delegate.*.example.com.; to make this valid we can map it to _acme-delegate-wild.example.com. instead, so that the simple case where you want example.com to be able to issue certificates for *.example.com could be expressed as:

_acme-delegate-wild.example.com. CNAME example.com.
Alternatively, the presence of an _acme-delegate record could be treated as delegating permission to issue a wildcard certificate, the same way DNS-01 _acme-challenge records currently work; this shouldn’t reduce expressivity, as you could still forbid wildcard issuance with CAA records, but it feels a little less orthogonal to me.
There are, of course, lots of bikesheddy debates to be had (should these be SRV records rather than CNAMEs? should _acme-delegate-wild imply _acme-delegate?), but it seems to me like this would allow for the issuance of private and wildcard certificates in a way that requires fewer moving parts than the existing DNS challenge machinery and integrates better with clients. It would also address one of the listed downsides of HTTP-01/TLS-ALPN-01 challenges – “If you have multiple web servers, you have to make sure the file is available on all of them.” – by allowing domains to opt in to delegating challenges elsewhere.
My feeling is all that this is too simple to not already have been thought of, so please feel free to explain to me why this obviously wouldn’t work!
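The CA-side lookup the proposal describes (the _acme-delegate CNAME for a single host, the _acme-delegate-wild mapping for a wildcard, then a TLS-ALPN-01 check against the delegated host), simulated below as an added example that is not part of the post. The zone data, the responders, the token and thumbprint values, and the use of the requested identifier as the SNI name are all constructed assumptions; it also shows that an ordinary A record, with no delegation record, authorizes nothing.

```python
# Added example (not from the post): simulate how a CA would consult the proposed
# _acme-delegate / _acme-delegate-wild records before running a delegated
# TLS-ALPN-01 check. Everything below is constructed data, not real DNS.
import hashlib

# Constructed zone data: (owner name, record type) -> target.
ZONE = {
    ("_acme-delegate.8af994ff.private.example.net.", "CNAME"): "acme-challenge.example.net.",
    ("_acme-delegate.other.private.example.net.", "CNAME"): "acme-challenge.example.net.",
    ("_acme-delegate-wild.example.com.", "CNAME"): "example.com.",
    ("www.example.com.", "A"): "192.0.2.10",  # plain A record, no delegation
}

TOKEN, THUMB = "tok-constructed", "thumb-constructed"  # constructed challenge values


def key_authz_digest(token: str, account_thumbprint: str) -> str:
    """Digest of the key authorization a TLS-ALPN-01 responder must present."""
    return hashlib.sha256(f"{token}.{account_thumbprint}".encode()).hexdigest()


# Constructed responders: (host contacted, SNI name = identifier) -> digest served.
RESPONDERS = {
    ("acme-challenge.example.net.", "8af994ff.private.example.net."): key_authz_digest(TOKEN, THUMB),
    ("acme-challenge.example.net.", "other.private.example.net."): "stale-digest-from-old-order",
    ("example.com.", "*.example.com."): key_authz_digest(TOKEN, THUMB),
}


def delegate_target(identifier: str):
    """Return the host the CA should contact for `identifier`, or None.

    Wildcards consult _acme-delegate-wild.<base>; everything else consults
    _acme-delegate.<identifier>. An A/AAAA record on its own is never consulted.
    """
    if identifier.startswith("*."):
        return ZONE.get((f"_acme-delegate-wild.{identifier[2:]}", "CNAME"))
    return ZONE.get((f"_acme-delegate.{identifier}", "CNAME"))


def validate(identifier: str) -> bool:
    """Delegated TLS-ALPN-01: fail closed without a delegation record or on a wrong digest."""
    host = delegate_target(identifier)
    if host is None:
        return False
    return RESPONDERS.get((host, identifier)) == key_authz_digest(TOKEN, THUMB)
```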