I'm excited about the upcoming DNS-PERSIST-01 validation method, however I see that there is a lack of ability to filter the IP address(es) allowed to request certificates.
This can be achieved with DNS-01 with DNS providers that offer the ability for IP filtering for their API credentials, such as Cloudflare.
The threat prevented by such filtering may be unlikely (acquiring the ACME account key and DNS spoofing the target(s)), but it would be nice to prevent nonetheless.
I was imagining either a LE-specific extension to DNS-PERSIST-01, or ideally a change upstream to DNS-PERSIST-01 if it's not too late, that would allow specifying either an IP address (or addresses) in the TXT record, or a flag indicating renewal only from the previous renewal address.
Is either a possibility, if this is a worthwhile potential improvement?
There is active discussion about dns-persist-01 in the IETF, draft-ietf-acme-dns-persist-01 - Automated Certificate Management Environment (ACME) Challenge for Persistent DNS TXT Record Validation, so you may want to mail them there: while allowing more things is hard, adding constraints that block issuance is easier to change later.
1 Like
My personal opinion about this is that it would be a kinda hard thing to do, because it would forbid the CA from using a CDN for the web frontend. The reason is that if validation needs to test the client's IP, then they can't trust the CDN to truthfully say where the request is from. And it would be a semantic break if the user used a different IP for order creation and for the challenge trigger.
It has some value but for any org of a reasonable size they will often be running hundreds of servers, usually cloud based, often multi-cloud, and across a wide range of IPs. Even my small biz runs servers across 5 different cloud providers.
I accept that there are orgs who may have one or two IPs their requests will come from, but that seems quaint to me. I guess there's no harm adding it but if you need to specify multiple or a range it could get verbose quickly and I'm not sure where the upper limit should be.
4 Likes
Yeah, it seems like an odd threat model. If you're worried that some other system might have stolen your ACME account credentials, you're probably better served by regular key rotation and limiting the lifetime of your DNS-PERSIST-01 record with persistUntil, or just sticking with the existing DNS-01 method. And regardless of authentication method, keeping one's DNS system credentials safe and protecting against DNS spoofing with DNSSEC (and keeping one's DNSSEC keys and registrar credentials safe) is absolutely necessary to really keep full control over the domain.
I don't really mind if there was some IP parameter being checked too, either in a DNS-PERSIST-01 parameter or in some kind of CAA extension, I just doubt that it would help that many use cases and might just lull some people into a false sense of security.
5 Likes
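To make the trade-offs in the thread concrete, here is an added toy of the issuance-time checks a CA might run against a persistent TXT record. It is example code written for this page, not code from Let's Encrypt, Boulder or the draft. The record syntax (`key=value` pairs separated by `;`) and the parameter name `accounturi` are assumptions; `persistUntil` is the lifetime parameter mentioned above; `ip` is the hypothetical allowlist extension proposed in the first post and exists in no specification. The sample records, account URI and addresses are constructed.

```python
"""Toy issuance-time policy check for a DNS-PERSIST-01 style TXT record.

Constructed example for this page. The 'k=v; k=v' record syntax and the
parameter name 'accounturi' are assumptions; 'persistUntil' is the lifetime
field discussed in the thread; 'ip' is the hypothetical allowlist extension
proposed in the thread, not part of any specification.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed sample records (documentation ranges, not real accounts).
RECORD_PLAIN = "accounturi=https://acme.example/acct/42; persistUntil=2026-01-01T00:00:00Z"
RECORD_WITH_IP = RECORD_PLAIN + "; ip=203.0.113.0/24,198.51.100.7"
SAMPLE_ACCOUNT = "https://acme.example/acct/42"
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)     # before persistUntil
SAMPLE_LATER = datetime(2027, 1, 1, tzinfo=timezone.utc)   # after persistUntil


def parse_record(txt):
    """Parse 'k=v; k=v' into a dict. Keys are folded to lower case."""
    params = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter: {part!r}")
        params[key.strip().lower()] = value.strip()
    return params


def _parse_time(value):
    # Accept an RFC 3339 'Z' suffix on Pythons whose fromisoformat lacks it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _allowed_networks(value):
    """Turn 'cidr,cidr,host' into networks; bare hosts become /32 or /128."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def check_authorization(txt, account_uri, source_ip, now):
    """Return (ok, reason): account binding, then lifetime, then the hypothetical ip list."""
    params = parse_record(txt)

    # The record must be bound to the requesting ACME account.
    if params.get("accounturi") != account_uri:
        return False, "account binding mismatch"

    # A bounded lifetime limits how long a stolen account key stays useful.
    if "persistuntil" in params and now >= _parse_time(params["persistuntil"]):
        return False, "record expired (persistUntil passed)"

    # Hypothetical extension from the thread. Caveat raised in the replies:
    # if the CA's ACME endpoint sits behind a CDN, source_ip is the CDN's
    # address rather than the client's, so a legitimate client fails here,
    # and multi-cloud deployments need a long, hard-to-maintain list.
    if "ip" in params:
        src = ipaddress.ip_address(source_ip)
        if not any(src in net for net in _allowed_networks(params["ip"])):
            return False, f"source address {source_ip} not in ip allowlist"

    return True, "authorized"


if __name__ == "__main__":
    for rec, ip, when in [(RECORD_PLAIN, "192.0.2.9", SAMPLE_NOW),
                          (RECORD_PLAIN, "192.0.2.9", SAMPLE_LATER),
                          (RECORD_WITH_IP, "203.0.113.77", SAMPLE_NOW),
                          (RECORD_WITH_IP, "192.0.2.9", SAMPLE_NOW)]:
        print(check_authorization(rec, SAMPLE_ACCOUNT, ip, when))
```

The ordering matters: the account binding and `persistUntil` checks are the ones the replies describe as carrying the real weight, and they work regardless of where the request originates; the `ip` check is last precisely because it is the one a CDN or a multi-cloud fleet breaks.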