DNS-Persist-01: A New Model for DNS-Based Challenge Validation

Posted by todsacerdoti 8 hours ago

DNS-Persist-01: A New Model for DNS-Based Challenge Validation(letsencrypt.org)

180 points | 90 commentspage 3

infogulch 4 hours ago|

This is a nice increment in ACME usability.

Once again I would like to ask CA/B to permit name constrained, short lifespan, automatically issued intermediate CAs. Last year's request: https://news.ycombinator.com/item?id=43563676

CqtGLRGcukpy 6 hours ago||

"Support for the draft specification is available now in Pebble, a miniature version of Boulder, our production CA software. Work is also in progress on a lego-cli client implementation to make it easier for subscribers to experiment with and adopt. Staging rollout is planned for late Q1 2026, with a production rollout targeted for some time in Q2 2026."

aaomidi 6 hours ago||

This is significantly better than my draft of DNS-ACCOUNT-01. Thank you Let's Encrypt team!

kittbuilds 4 hours ago||

[dead]

cyberax 7 hours ago|

Ah, the next step towards True DANE!

We then can just staple the Persist DNS key to the certificate itself.

And then we just need to cut out the middleman and add a new IETF standard for browsers to directly validate the certificates, as long as they confirm the DNS response using DNSSEC.

tptacek 7 hours ago|

This decreases the salience of DANE/DNSSEC by taking DNS queries off the per-issuance critical path. Attackers targeting multitenant platforms get only a small number of bites at the apple in this model.

NoahZuniga 6 hours ago|||

DNS queries are still part of the critical path, as let's encrypt needs to check that the username is still allowed to receive a cert before each issuance.

cyberax 7 hours ago|||

Sure. It's yet another advantage of doing True DANE. But it still requires DNS to be reliable for the certificate issuance to work, there's no way around it.

So why not cut out the middleman?

(And the answer right now is "legacy compatibility")

tptacek 7 hours ago||

I mean, the reason not to do DANE is that nobody will DNSSEC-sign, because DNSSEC signing is dangerous.

cyberax 5 hours ago||

Come on. It's not dangerous, it's just inconvenient and clumsy. So nobody is really using it.

akerl_ 5 hours ago||

Ok, it's inconvenient and clumsy in ways that make it easy to shoot oneself in the foot. But that's not dangerous?

cyberax 4 hours ago||

When you shoot yourself in the foot with DNSSEC, you typically end up with a non-working setup.

The biggest problem is that DNS replies are often cached, so fixes for the mistakes can take a while to propagate. With Let's Encrypt you typically can fix stuff right away if something fails.

tptacek 4 hours ago||

When you shoot yourself in the foot with DNSSEC, your entire domain falls of the Internet, as if it had never existed in the first place. It's basically the worst possible case failure and it's happened to multiple large shops; Slack being the most notorious recent example.

cyberax 3 hours ago||

Yes, and it'd be great if DNSSEC added an "advisory" signature level. So it can be deployed without doing a leap of faith.

But let's not pretend that WebPKI is perfect. More than one large service failed at some point because of a forgotten TLS certificate renewal. And more than one service was pwned because a signing key leaked. Or a wildcard certificate turned out to be more wildcard than expected.

I understand the failures of DNSSEC and DNS in general. And we need to do something about it because it's really showing signs of its age as we continue to pile on functionality onto it.

I don't have an idea for a good solution for everything, but I just can't imagine us piling EVERYTHING onto WebPKI either.

akerl_ 2 hours ago|||

> But let's not pretend that WebPKI is perfect.

You're commenting on a post about LetsEncrypt working with other entities in the industry to make improvements to WebPKI. It's safe to say that nobody's claiming it's perfect.

But you can't go from ~"WebPKI isn't perfect" and ~"DNSSEC/DANE exist" and draw a magic path where using DNSSEC or DANE is actually a good thing for people to roll out. They'd need to be actually a good fit, and for DANE we have direct evidence that it isn't: a rollout was attempted and it was walked back due to multiple issues.

tptacek 2 hours ago|||

I don't really understand most of this comment but you opened up this subthread with "Come on. It's not dangerous", and, as you're acknowledging here, it clearly is quite dangerous.

cyberax 15 minutes ago||

DNSSEC is not dangerous. Pretty much the worst thing is breakage, not an accidental compromise.

It's also more secure, compared to ACME. An on-path attacker can impersonate the site operator and get credentials. DNSSEC is immune to that.

tptacek 10 minutes ago||

This is a very strange definition of "dangerous".