Hi folks, I’m contemplating providing a service that automatically provisions CNAME redirection for DNS challenges (so as a one-time manual step you point your domain’s _acme-challenge.yourdomain.com CNAME at an automatically provided entry on the hosted services DNS). A single DNS plugin would then be able to update the validation TXT record values as required. The service would have a free tier (perhaps 10 domains or so) and fairly low cost paid tier, with redundancy/scaling etc.
Do this sound of interest? Not sure if I’ve explained it clearly enough, still figuring it out
At first glance I thought there may be some inherent security risk…
But upon more thought, I can’t find one.
So, it makes sense (to me); The clients still have to be able to update their DNS zone and the CNAME redirection risk exposure is limited only to the “_acme-challenge.DOMAIN”.
I guess a logical abuse preventive block would be for browsers to block any certs issued to “_acme-challenge.*” and “*._acme-challenge.*” [if a cert can even be issued to such a name - probably NOT]
@rg305 thanks yes, I’d be very keen to identify any flaw in the idea up front as it’s obviously going to require a reasonable amount of effort/resources to implement properly. A proof of concept/prototype is one thing but it needs to be done properly to be reliable/scalable. The benefit to me is having a single API that multiple clients could easily support. I did toy with the idea of hosting a DNS api proxy (single API that can talk to multiple DNS providers) but that requires posting your actual DNS API credentials to the service which is not ideal.
I agree, this CNAME idea is much better and should not require too much to deploy (at least up front for the free limited service). Feel free to reach out if you hit any walls relating to DNS.
@simbalion Oops, sorry. No offence intended.The reason it would have a paid tier would be that I can’t see how to host it entirely for free, but you may have other solutions.
So the reason I posted in the first place was the topic of DNS plugin dependencies, as there are an unlimited number of DNS services (and custom/private DNS solutions) so you either end up scripting your own or going for manual DNS.
A common problem is that Manual DNS is annoying to for renewals, especially wildcards and covering www vs non-www etc.
Anyone can use a system such as cloudflare DNS etc to setup a zone just for their ACME validation TXT records (in fact this is ideal because once the CNAME is setup to point to the TXT record, you don’t have to mess with your real zone any more). This idea just automates that to make life a little easier. For some people that has real value and for others it really doesn’t (so they probably wouldn’t use it, or maybe they enjoy using the DNS control panel website a lot).
There is already a simplified DNS server with a RESTful HTTP API to provide a simple way to automate ACME DNS challenges, its name is acme-dns and it also provides a free service but the recommended way is to install this tool on your own server so you can control all the process.
I say in the event PLAN A fails, this type of service would be an ideal PLAN B.
Especially if it can be automated and free for users with few domains.
That's great for folks like you and me - but the average person may not be so technically capable.
I think there is overall value/benefit to this idea.
But it has to be extremely simple and automated for it to be useful.
The idea is only to address the most common roadblocks the average users faces (with certain DNS services).
Thanks @sahsanu I’ve look at that software before however I wasn’t aware that they offered a hosted service for that, I thought it was just the code to run your own. As a bit of background my area of interest is LE support on Windows (yeah, boo-hiss), so often the process of getting such services going can be a little trickier there as most tools are designed for UNIX like environments (e.g. certbot).
It takes all types, but there are a subset of people (me) who like to take the easiest route available, unless they really have to do it the hard way (I can code in assembly language, but I don’t do it often).
Tools ± services make things easier so you don’t have to think (or understand) as much. That has good and bad points but in general everyone likes things that are easy to do, and ideally these are also things they don’t have to do often.
Sometimes if you build something that saves people time and effort, a tiny percentage of them will be willing to pay you if you ask (so you can spend more of your life making the next version). If you can also provide a reasonable service to the people who want/need it to be free then that’s great for everyone. LE costs millions per year to run, and I’ve donated.
This redirection service would hopefully cost me a few hundred (or more likely a few thousand) dollars per year to operate globally, but I think it could be really useful. For those who did pay (because they want to or they have many domains) it would be a few dollars per year.
Obviously, there is minimally one: you're giving full control over your certificate issuing possibility (authentication) to an semi-unknown entity (no offence @webprofusion).
Indeed. It’s a valid point, my company is only tiny (although I do have more than 1k customers currently and manage various free/paid services to ~1m users per year). It’s true though that everyone who uses LE is currently relying on a small organisation.
I would expect that if the service worked well enough it would be copied/improved upon, possibly by larger organisations (or LE themselves).
If there is one I don't see it...
You must first enter a CNAME for your specific FQDN as an _acme-challenge (sub-domain).
All original FQDNs remain pointing to your IPs.
Anything saved at that new _acme-challenge location can well be public information - nothing of any secrecy ever leaves your server, nor your ACME client [not to LE and certainly not to the new DNS zone (albeit somewhat less trusted)].
So, if you see anything I missed, please share it with us all.
Unless I'm missing something, it'd be the same concern as using someone else's acme-dns instance: they control the DNS host and have access to the authentication credentials. If they know (or can find out) what points to (say) 44255c4e-d669-41f3-a141-672a8bd859e6.acme.example.com, they can issue a cert for that domain without the domain owner's consent (or, perhaps, knowledge).
This is true. But the same argument could be made for any standard web hosting provider as well. Once you point your DNS records to another entity you don't own, they have the power to validate challenges for that record/name. It's what enables them to have one-click LE cert control panel options. It just might be considered a bit more risky with the DNS CNAME because you can generate a wildcard cert with it.
