DNS-Persist-01：DNSベースのドメイン検証に新風？次世代の認証モデルが登場

DNS-Persist-01は、DNSベースのチャレンジ検証（DNS-01）の仕組みを刷新するために提案された新しいモデルです。従来の検証プロセスの課題を解決し、より効率的で信頼性の高いドメイン所有権の確認を実現することを目指しています。

I think this is solving a real operational pain point, definitely one that I've experienced. My biggest hesitation here is the direct exposure of the managing account identity not that I need to protect the accounts key material, I already need to do that.

While "usernames" are not generally protected to the same degree as credentials, they do matter and act as an important gate to even know about before a real attack can commence. This also provides the ability to associate random found credentials back to the sites you can now issue certificates for if they're using the same account. This is free scope expansion for any breach that occurs.

I guarantee sites like Shodan will start indexing these IDs on all domains they look at to provide those reverse lookup services.

I'm surprised the ballot passed, unanimously even! I get that storing the DNS credentials in the certificate renewal pipeline is risky, but many DNS providers have granular API access controls, so it is already possible to limit the surface area in case the keys get leaked. Plus, you can revoke the keys easily.

The ACME account credentials are also accessible by the same renewal pipelines that has the DNS API credentials, so this does not provide any new isolation.

It's also not quite clear how to revoke this challenge, and how domain expiration deal with this. The DNS record contents should have been at least the HMAC of the account key, the FQDN, and something that will invalidate if the domain is transferred somewhere else. The leaf DNSSEC key would have been perfect, but DNSSEC key rotation is also quite broken, so it wouldn't play nice.

Is there a way to limit the challenge types with CAA records? You can limit it by an account number, and I believe that is the most tight control you have so far.

Edit: thanks to the replies to this comment, I learned that this would provide invalidation simply by removing the DNS record, and that the DNS records are checked at renewal time with a much shorter validation TTL.

Really happy to see this.

In the meantime, if you use bind as your authoritative nameserver, you can limit an hmac-secret to one TXT record, so each webserver that uses rfc2136 for certificate renewals is only capable of updating its specific record:

  key "bob.acme." {
    algorithm hmac-sha512;
    secret "blahblahblah";
  };
  
  key "joe.acme." {
    algorithm hmac-sha512;
    secret "blahblahblah2";
  };

  zone "example.com" IN {
   type master;
   file "/var/lib/bind/example.com.zone";
   update-policy {
    grant bob.acme. name _acme-challenge.bob.acme.example.com. TXT;
    grant joe.acme. name _acme-challenge.joe.acme.example.com. TXT;
   };
   key-directory "/var/lib/bind/keys-acme.example.com";
   dnssec-policy "acme";
   inline-signing yes;
  };

I like this because it means an attacker who compromises "bob" can only get certs for "bob". The server part looks like this:

  export LE_CONFIG_HOME="/etc/acme-sh/"
  export NSUPDATE_SERVER="${YOUR_NS_ADDR}"
  export NSUPDATE_KEY="/var/lib/bob-nsupdate.key"
  export NSUPDATE_KEY_NAME="bob.acme."
  export NSUPDATE_ZONE="acme.example.com."

  acme.sh --issue --server letsencrypt -d 'bob.example.com' \
        --certificate-profile shortlived \
        --days 6 \
        --dns dns_nsupdate

I've changed my mind about the short lived cert stuff after seeing what is enabled by IP address certificates with the HTTP-01 verification method. I don't even bother writing the cert to disk anymore. There is a background thread that checks to see if the current instance of the cert is null or older than 24h. The cert selector on aspnetcore just looks at this reference and blocks until its not null.

Being able to distribute self-hostable software to users that can be deployed onto a VM and made operational literally within 5 minutes is a big selling point. Domain registration & DNS are a massive pain to deal with at the novice end of the spectrum. You can combine this with things like https://checkip.amazonaws.com (https://checkip.amazonaws.com) to build properly turnkey solutions.

Yeessss! This should finally make certificates for internal only web services actually easier to orchestrate than before ACME. This closes probably the biggest operational pain point I've had with letsencrypt/modern web certificates.

Thank you so much to all inolved!

There's a missing part here, and that's validating your ACME account ownership.

I think most users depend on automation that creates their accounts, so they never have to deal with it. But now, you need to propagate some credential to validate your account ownership to the ACME provider. I would have liked to see some conversation about that in this announcement.

I'm not familiar with Let's Encrypt's authentication model. If they don't have token creation that can be limited by target domain, but I expect you'll need to create separate accounts for each of your target domains, or else anything with that secret can create a cert for any domain your account controls.

After having to deal with VM hosts that do GeoIP blocking, which unintentionally blocks Let's Encrypt and others from properly verifying domains via http-01/tls-alpn-01, I settled on a DIY solution that uses CNAME redirects and a custom, minimal DNS server for handling the redirected dns-01 challenges. It's essentially a greatly simplified version of the acme-dns project tailored to my project's needs (and written in node.js instead of Go).

Unfortunately with dns-persist-01 including account information in the DNS record itself, that's a bit of a show stopper for me. If/when account information changes, that means DNS records need changing and getting clients to update their DNS records (for any reason) has long been a pain.

This is going to make it way easier to get publicly trusted certs for LAN servers that aren't internet facing.

I'm looking forward to every admin UI out there being able to generate a string you can just paste into a DNS record to instantly get a Let's Encrypt cert.

Am I just stupidly missing something or does this in theory allow anyone who controls a DNS server for my domain or anyone who controls traffic between LE and the DNS server for my domain to get a TLS certificate they can use to impersonate my domain?

I suppose the same is true for DNS-01 but this would make it even easier because the attacker can just put up their LE account instead of mine into the DNS response and get a certificate.

At this point why not just put my public cert into a DNS record and be done with it?

For folks who use certbot, here is where they are tracking work on support for this feature: https://github.com/certbot/certbot/issues/10549 (https://github.com/certbot/certbot/issues/10549)