Why does DNS-01 treat root domains and wildcards the same?



Ever since I issued my first wildcard (March 13, the day they went live) I was surprised by how DNS-01 handles verification. Challenges for the root domain and for the wildcard (*.example.com) need the same TXT hostname (_acme-challenge.domain.tld), which doesn’t seem right, especially considering how critical a wildcard cert can be.

  • If this is all about automation, why aren’t more DNS entries required?
  • Is a TXT entry on the root domain sufficient?
  • Are there any revisions planned for the DNS-01 challenge?

I believe the answers to these questions are more than justified, but I couldn’t stop thinking about these issues. Thanks for your time.



I was searching prior to creating this post but couldn’t find anything related to the issue. Thanks.


I don’t see how more DNS entries improve security, could you elaborate?

As far as I know, no, as the ACME draft is close to its final form.

What you can do to improve security, is use DNS CAA to restrict (or completely forbid) wildcard certificates issuance:

As far as I remember, it’s planned to allow CAA to restrict issuance to a specific Let’s Encrypt account.
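As an added illustration of the CAA advice in the reply above (this is example code written for this page, not Let’s Encrypt’s or any CA’s implementation): the function below decides whether a CA may issue for a root or wildcard name from a zone’s CAA records, following the RFC 8659 rules (walk toward the root until a CAA RRset is found; `issuewild` takes precedence over `issue` for wildcard names; an empty issuer domain forbids every CA; an unknown critical property blocks issuance) plus the RFC 8657 `accounturi` and `validationmethods` parameters that tie issuance to one ACME account and one challenge type. The zone contents, the account URL and the `legacy.test` name are constructed for the example; the issuer domain `letsencrypt.org` is assumed to be the string the CA recognises. It does no real DNS lookups and ignores DNSSEC.

```python
"""Added example (not from the thread): evaluate CAA records for a root or
wildcard name per RFC 8659, with the RFC 8657 accounturi / validationmethods
parameters. All zone data below is constructed for the example."""

CRITICAL = 128  # RFC 8659 "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(record: str):
    """'0 issue "letsencrypt.org"' -> (0, 'issue', 'letsencrypt.org')."""
    flags, tag, value = record.split(" ", 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def parse_issue_value(value: str):
    """'ca.test; accounturi=U; validationmethods=dns-01' -> ('ca.test', {...}).
    An empty issuer domain (the value ";") matches no CA at all."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            params[key.strip().lower()] = val.strip()
    return parts[0].lower(), params


def relevant_caa_set(zone: dict, name: str) -> list:
    """RFC 8659 section 3: the first non-empty CAA RRset walking toward the root."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return []


def issuance_allowed(zone: dict, identifier: str, ca_domain: str,
                     account_uri, method: str) -> bool:
    """True if the CA identified by ca_domain may issue for identifier
    (e.g. 'example.com' or '*.example.com') using the given ACME account URL
    and validation method (e.g. 'dns-01')."""
    wildcard = identifier.startswith("*.")
    base = identifier[2:] if wildcard else identifier  # CAA is checked on the parent of *.
    parsed = [parse_caa(r) for r in relevant_caa_set(zone, base)]
    if not parsed:
        return True   # no CAA anywhere up the tree: nothing restricts issuance
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in parsed):
        return False  # unknown critical property: the CA must not issue
    tags = {tag for _, tag, _ in parsed}
    # issuewild wins for wildcard names; without it, issue applies to both kinds
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True   # e.g. only an iodef record, or only issuewild for a non-wildcard
    for _, t, value in parsed:
        if t != tag:
            continue
        domain, params = parse_issue_value(value)
        if domain != ca_domain.lower():
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue  # RFC 8657: bound to one ACME account
        methods = params.get("validationmethods")
        if methods and method not in [m.strip() for m in methods.split(",")]:
            continue  # RFC 8657: bound to listed challenge types
        return True
    return False


# Constructed zone: example.com allows Let's Encrypt for ordinary names but
# forbids wildcards from every CA; secure.example.com additionally pins
# issuance to one (constructed) account URL and to DNS-01 only.
ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"
ZONE = {
    "example.com": [
        '0 issue "letsencrypt.org"',
        '0 issuewild ";"',
    ],
    "secure.example.com": [
        '0 issue "letsencrypt.org; accounturi=' + ACCOUNT + '; validationmethods=dns-01"',
    ],
    "legacy.test": [
        '128 futuretag "unknown"',
    ],
}

if __name__ == "__main__":
    for ident in ("example.com", "*.example.com", "*.www.example.com",
                  "secure.example.com", "*.secure.example.com"):
        print(ident, issuance_allowed(ZONE, ident, "letsencrypt.org", ACCOUNT, "dns-01"))
```

Note that `*.www.example.com` is decided by the records at `example.com`: there is no RRset at `www.example.com`, so the lookup climbs, and the `issuewild ";"` there blocks the wildcard even though the `issue` line would allow `www.example.com` itself.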


This is available in staging now but enabling it in production is blocked on work at the IETF to resolve issues around parsing multiple CAA extensions:


Hello @tdelmas, sorry for the late response (not much free time).

I didn’t explain myself well enough here. Rather than challenging with more DNS entries, the challenges for the wildcard and the root domain could be different. At least that is what I think. The impact of a certificate for a root domain is obviously not the same as for a wildcard.

That is true, but this is not about restricting wildcards, but probably about making the wildcard slightly harder.


Different in what way? Because they already are different values–you need two different TXT records, with two different values.


I think they meant at a different host address, e.g. not using _acme-challenge at the root for both. However, I don’t see what would be any better. Controlling the root of the zone definitely implies full control over the domain, so it’s logical to use it for both wildcards and the base domain.


Yes, as @jared.m mentioned, different host address.

From the Original Post:

This is true. Controlling the DNS zone proves control over a domain. Though, both hostnames being the same seems a bit odd, which is why I made the post in the first place.


I can restrict access to single entries or delegate them to different entities via CNAME: principle of least privilege, especially with automated changes in DNS for ACME, where the credentials for this record are in cleartext on the server. You should never place credentials for the full zone on your webserver.
Control of _acme-challenge.example.org does not mean that control of the full zone is possible.
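The two points made earlier in the thread (the root and wildcard challenges are two TXT records with two different values at one name, and that name can be CNAME-delegated so the server only holds credentials for a narrow zone) are illustrated by the added example below. It is example code written for this page, not Let’s Encrypt’s validator or any ACME client: it derives the TXT value the way RFC 8555 section 8.4 specifies (base64url of SHA-256 over `token.thumbprint`, with the RFC 7638 JWK thumbprint), follows CNAMEs like a resolver would, and checks both challenges against one constructed zone. The account key, tokens, and the delegation target `example.com.acme.dns-delegate.test` are all constructed placeholders.

```python
"""Added example (not from the thread): what a DNS-01 validator checks, with
the root and wildcard challenges for example.com sharing one TXT name and that
name delegated by CNAME to a separate zone. All names, key material, tokens
and records below are constructed for the example."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT RDATA = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(identifier: str) -> str:
    """The wildcard label is dropped, so example.com and *.example.com share a name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def resolve_txt(zone: dict, name: str, max_hops: int = 8) -> set:
    """Follow CNAMEs the way a resolver would; return the TXT strings at the end."""
    seen = []
    while True:
        if name in seen or len(seen) >= max_hops:
            raise RuntimeError(f"CNAME loop or chain too long at {name}")
        seen.append(name)
        rrs = zone.get(name, [])
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if cnames:
            name = cnames[0]  # a CNAME owner carries no other data (RFC 1034)
            continue
        return {rdata for rtype, rdata in rrs if rtype == "TXT"}


def validate_dns01(zone: dict, identifier: str, token: str, thumbprint: str) -> bool:
    """The check the CA performs: is the expected value among the TXT strings?"""
    expected = dns01_txt_value(token, thumbprint)
    return expected in resolve_txt(zone, challenge_name(identifier))


# Constructed account key: placeholder coordinates, not a real P-256 point.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "placeholder-x-coordinate-not-a-real-point-AAAA",
               "y": "placeholder-y-coordinate-not-a-real-point-BBBB"}
THUMBPRINT = jwk_thumbprint(ACCOUNT_JWK)

# Two constructed tokens: one challenge for example.com, one for *.example.com.
ROOT_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
WILDCARD_TOKEN = "DGyRejmCefe7v4NfDGDKfA"


def build_zone(thumbprint: str) -> dict:
    """example.com holds only a CNAME; the TXT records live in a separate,
    narrowly scoped zone that the ACME client's API credential may write.
    Control of that zone says nothing about the rest of example.com."""
    return {
        "_acme-challenge.example.com": [
            ("CNAME", "example.com.acme.dns-delegate.test"),
        ],
        "example.com.acme.dns-delegate.test": [
            ("TXT", dns01_txt_value(ROOT_TOKEN, thumbprint)),
            ("TXT", dns01_txt_value(WILDCARD_TOKEN, thumbprint)),
        ],
    }


if __name__ == "__main__":
    zone = build_zone(THUMBPRINT)
    print("root    :", validate_dns01(zone, "example.com", ROOT_TOKEN, THUMBPRINT))
    print("wildcard:", validate_dns01(zone, "*.example.com", WILDCARD_TOKEN, THUMBPRINT))
```

The name is the same for both challenges, but the value is bound to the per-challenge token and to the account key; a value planted for one account does not satisfy a challenge issued to another, and an attacker who can write only the delegated zone still has to pass the CA’s challenge for that account.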


No, actually it’s fine… the _acme-challenge.domain.tld could be fine… a regular one could be normal and be encoded to allow only https://domain.tld or alternately encoded to allow 1level wildcards or alternately encoded to allow multilevel wildcards…

It is that if the code matches, then what is asked for is allowed, so the response encoded in _acme-challenge.domain.tld needs only to have a properly encoded YES or NO to whatever multitude of things the request asked for. You could even be silly and have a one-time request asking for https://domain.tld and later a second request asking for https://*.domain.tld…

What you could also be asking is what if you wanted https://*.domain.tld on one server and also https://*.domain.tld on a different server. Sure you could automate it internally maybe.

I could suggest *.domain.tld servers should have a “primary” host and the wildcard would be an alias.

