CAA validation-methods invalid format


#1

Hi,

LetsEncrypt just announced staging support for CAA validation methods here:

I tried to test this out by setting my CAA to issue "letsencrypt.org\; validation-methods=dns-01" but Route53 threw a validation error. I thought they were parsing the record incorrectly but after posting on the AWS forums it turns out that they are correct, as the CAA standard only allows alphanumeric characters in the parameter names, so the hyphen in “validation-methods” goes against the spec.

Not sure this is the right place to post this (seems like more of a spec issue than a LetsEncrypt issue), but thought I’d raise it here and it might reach the right people.


#2

Hi @arkadiyt

Well, unfortunately the situation is a bit awkward. The ACME-CAA draft specifies this parameter with the dash. The CAA RFC (RFC 6844) has contradictory requirements (in addition to other, more significant errata).

RFC 6844 BIS will address the inconsistency by updating the allowed characters in the CAA record.

There’s not a clear right answer here but my own view is that RFC 6844 BIS is the future and we should do our best to plan for that instead of over-fitting the legacy. We need RFC 6844 BIS to address other RFC 6844 errata and since it will allow the - character there isn’t much value in amending the ACME-CAA draft to remove the hyphen or adjusting our implementation. We would be stuck supporting both the workaround validationmethods for CAA 6844 and the validation-methods for CAA 6844 BIS.

I’m sympathetic to Amazon’s decision to strictly enforce the RFC 6844 character set. There’s perhaps an argument to be made that 6844 leaves the door open for the issuer (Let’s Encrypt) to define things as they please: “The semantics of issuer-parameters are determined by the issuer alone” (end of Section 5.2) but that’s pretty obnoxious RFC lawyering :slight_smile: You might be stuck having to choose a different DNS provider in the short term if you’re interested in testing this feature; it will be some time before CAA 6844 BIS is the law of the land and likely to sway Amazon’s developers.

edit: Most of this reply is no longer accurate. See my updated comment below RE: ACME-CAA draft-05.

Hope that helps!


#3

Thanks for the reply @cpu - makes sense. I’m feeling like a bit of a pinball at this point but I’ll reply back on the AWS thread requesting they update their validation.


#4

Life on the bleeding edge :slight_smile: ACME-CAA is very new! As far as I know this may be the first concrete implementation.


#5

Hi again @arkadiyt,

Good news. The standards community decided that changing the ACME-CAA draft to remove the illegal dash character was the best way to resolve this.

A new version of the draft, draft-05, was published to change to validationmethods and accounturi instead of validation-methods and account-uri. The Let’s Encrypt implementation was updated to use the dash-less parameter names today.

You should be able to create your Route53 records without error now.

Thanks for your patience!
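To make the disagreement in this thread concrete, here is a small validator for the CAA issue/issuewild property value, added as an example (it is not Let’s Encrypt’s or Route53’s code). It implements the RFC 6844 Section 5.2 grammar, where a parameter tag is 1*(ALPHA / DIGIT), beside the relaxed BIS rule that lets a tag contain interior hyphens like a domain label; the `\;` unescaping assumes the record was pasted from dig’s presentation format, and the grammar names are the example’s own.

```python
import re

# RFC 6844 section 5.2 (issue / issuewild property value):
#   issuevalue = space [domain] space [";" space [parameters] space]
#   label      = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))
#   parameter  = tag *WSP "=" *WSP value
#   tag        = 1*(ALPHA / DIGIT)          <- no hyphen allowed
#   value      = *VCHAR
# RFC 6844 BIS relaxes `tag` to the same shape as `label`, so a
# hyphen inside a parameter name becomes legal.
LABEL = r"[A-Za-z0-9](?:-*[A-Za-z0-9])*"
DOMAIN_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")
TAG_RE = {
    "rfc6844": re.compile(r"^[A-Za-z0-9]+$"),
    "rfc6844bis": re.compile(rf"^{LABEL}$"),
}
VALUE_RE = re.compile(r"^[\x21-\x7e]*$")  # *VCHAR


def parse_issue_value(text: str, grammar: str = "rfc6844") -> dict:
    """Parse an issue/issuewild value; raise ValueError on a grammar violation."""
    tag_re = TAG_RE[grammar]
    # Assumption: input may be copied from dig output, which escapes ';'
    # inside the quoted string as '\;'. Undo that before parsing.
    text = text.replace("\\;", ";")
    domain, sep, rest = text.partition(";")
    domain = domain.strip(" \t")
    if domain and not DOMAIN_RE.match(domain):
        raise ValueError(f"invalid issuer domain: {domain!r}")
    params = {}
    if sep == ";" and rest.strip(" \t"):
        for raw in rest.split(";"):
            raw = raw.strip(" \t")
            tag, eq, value = raw.partition("=")
            if eq != "=":
                raise ValueError(f"parameter without '=': {raw!r}")
            tag, value = tag.rstrip(" \t"), value.lstrip(" \t")
            if not tag_re.match(tag):
                raise ValueError(f"tag {tag!r} is not allowed by {grammar}")
            if not VALUE_RE.match(value):
                raise ValueError(f"value {value!r} contains non-VCHAR bytes")
            params[tag] = value
    return {"domain": domain, "parameters": params}


def is_valid_issue_value(text: str, grammar: str = "rfc6844") -> bool:
    """True if the value parses under the named grammar, False otherwise."""
    try:
        parse_issue_value(text, grammar)
        return True
    except ValueError:
        return False
```

Running the record from the first post through both grammars shows the whole problem: the hyphen in the value `dns-01` is fine everywhere, but the hyphen in the tag `validation-methods` fails under RFC 6844 and passes only under the BIS rule, which is why draft-05 moved to `validationmethods`.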


#6

Matt Nordhoff also updated the AWS forums thread - thank you both!

