Subdomains with dns-persist-01 (staging)

Apologies if this has already been discussed and I've forgotten!

Based on the most recent blog article on the topic I think subdomains should match wildcard policy:

With the current LE staging implementation this isn't the case (in my tests) and wondered what the expectation is there?

Given a TXT record
_validation-persist.example.com
with value :
letsencrypt.org; accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/1234567;policy=wildcard

My expectation is that to validate for sub.example.com there is no requirement for a new _validation-persist.sub.example.com TXT record if the wildcard policy already exists (and would match *.example.com).

Is my understanding correct?

For LE's implementation, you would need a _validation-persist.sub.example.com

You could do it by instructing your server to serve the apex _validation-persist record when queried for _validation-persist.*.example.com (which would require a DNS server able to synthesize records based on wildcards or script).

The problem is that the validation record could exist anywhere (like _validation-persist.customer.example.com) and then someone tries to validate, let's say, user321.customer.example.com, and Let's Encrypt has no way to know where the record is placed.

That's why the wildcard policy currently only LITERALLY allows *.example.com and nothing more.

The CAB rules however permit the CA to use a policy=wildcard record to also issue for subdomains - if a new way to tell the ACME server where to look for the record appears.

The following optional features are deliberately not implemented:
[...]

  • Subdomain validation via policy=wildcard (sections 5 and 6): as implemented, the policy tag gates wildcard certificate issuance but does not enable TXT records further up the domain hierarchy to satisfy subdomain authorizations. The draft has no mechanism for the subscriber to indicate which Authorization Domain Name (ADN) they want to validate at, so the server would have to walk up the domain tree. We've proposed that clients include an ADN field in their challenge POST payload to solve this. We'll wait to see if the draft adopts some form of ADN negotiation before implementing this functionality.
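As an added illustration of the behaviour described in the posts above (this is example code written for this thread, not code from Let's Encrypt, Boulder or the draft), the small Python checker below models the current rule: the server consults only `_validation-persist.` directly under the name being validated, `policy=wildcard` gates `*.example.com` and nothing deeper, and a record for sub.example.com has to sit at `_validation-persist.sub.example.com`. The zone contents, the minimal record parser and the helper names (`parse_record`, `record_label`, `authorizes`, `climb_labels`) are constructed for the example; the record value is the one quoted earlier in the thread. `climb_labels` only lists the names a tree-climbing server would have to query, to make the ambiguity the commit message describes concrete.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Label prefix used by dns-persist-01, as shown in the thread.
PREFIX = "_validation-persist."


@dataclass(frozen=True)
class PersistRecord:
    issuer: str             # e.g. "letsencrypt.org"
    accounturi: str         # ACME account URL the record is bound to
    policy: Optional[str]   # "wildcard" or None


def parse_record(value: str) -> PersistRecord:
    """Parse a TXT value shaped like '<issuer>; accounturi=<url>;policy=wildcard'.

    Follows the record shown in the thread; the full draft grammar may allow
    more, so treat this as a minimal, illustrative parser (an assumption).
    """
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0]
    params: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter: {part!r}")
        params[key.strip().lower()] = val.strip()
    if not issuer or "accounturi" not in params:
        raise ValueError("record needs an issuer and an accounturi")
    return PersistRecord(issuer, params["accounturi"], params.get("policy"))


def record_label(identifier: str) -> str:
    """The single name the server looks at: _validation-persist.<ADN>.

    For '*.example.com' the ADN is 'example.com'; for 'sub.example.com' it is
    'sub.example.com' itself, so the apex record is never consulted.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return PREFIX + base.rstrip(".").lower()


def authorizes(zone: Dict[str, List[str]], identifier: str,
               issuer: str, accounturi: str) -> bool:
    """True if some TXT at the expected label binds this issuer and account.

    Wildcard identifiers additionally require policy=wildcard on the record.
    """
    wants_wildcard = identifier.startswith("*.")
    for txt in zone.get(record_label(identifier), []):
        try:
            rec = parse_record(txt)
        except ValueError:
            continue  # skip unrelated or malformed TXT values at that name
        if rec.issuer.lower() != issuer.lower() or rec.accounturi != accounturi:
            continue
        if wants_wildcard and rec.policy != "wildcard":
            continue
        return True
    return False


def climb_labels(identifier: str, stop_depth: int = 2) -> List[str]:
    """Names a tree-climbing server WOULD have to query for a deep identifier.

    Not what Let's Encrypt does (per the thread); shown only to make the
    ambiguity concrete: any of these could be where the record was placed.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    labels = base.rstrip(".").split(".")
    out: List[str] = []
    while len(labels) >= stop_depth:
        out.append(PREFIX + ".".join(labels))
        labels = labels[1:]
    return out


# Constructed zone: only the apex record quoted in the thread exists.
ISSUER = "letsencrypt.org"
ACCOUNT = "https://acme-staging-v02.api.letsencrypt.org/acme/acct/1234567"
ZONE: Dict[str, List[str]] = {
    "_validation-persist.example.com": [
        "letsencrypt.org; accounturi="
        "https://acme-staging-v02.api.letsencrypt.org/acme/acct/1234567;policy=wildcard",
    ],
}

if __name__ == "__main__":
    for name in ("example.com", "*.example.com", "sub.example.com"):
        print(f"{name:18} -> {authorizes(ZONE, name, ISSUER, ACCOUNT)}")
    print("tree-climb would have to query:", climb_labels("user321.customer.example.com"))
```

Running it shows `example.com` and `*.example.com` satisfied by the apex record while `sub.example.com` is not; adding a `_validation-persist.sub.example.com` entry to the zone with the same value is what flips the last case, which is exactly the extra record the replies above say is required today.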

Thanks folks, I know my users would dearly appreciate the option to just provide one TXT record so we'll see how it goes.

Same! I am hoping for this easy outcome too.

Yes, Aaron Gable of LE has said they have no plans to do tree climbing for these persist validations. (Sorry, don't have the post URL handy.)

They are also looking to advance setting the ADN in the ACME Client for the request. See: Subdomain validation prompting · Issue #33 · ietf-wg-acme/draft-ietf-acme-dns-persist · GitHub

This is all still evolving.

I believe it is this one: Will Let's encrypt support tree climbing for dns-persist-01 records? - #6 by aarongable

No. It's an optional feature ("may"), and it is simply not implemented - see commit message.

  1. Subdomain Certificate Validation
    When the policy=wildcard parameter is present (as described in Section 5), CAs MAY issue certificates for subdomains of the validated FQDN.