It doesn't matter if lookups chase CNAMEs, because the answer has to
include a cryptographically secure random number that was created
especially for that particular validation and was not used in previous
validations, in order to be compliant with the BRs.

Your arbitrary computable impure function is not going to successfully
guess a secure random number.

-Tim

> -----Original Message-----
> From: ilariliusva...@welho.com [mailto:ilariliusva...@welho.com]
> Sent: Tuesday, January 23, 2018 1:48 PM
> To: Tim Hollebeek <tim.holleb...@digicert.com>
> Cc: acme@ietf.org; 'Jacob Hoffman-Andrews' <j...@eff.org>; Sebastian
> Nielsen <sebast...@sebbe.eu>
> Subject: Re: [Acme] Assisted-DNS challenge type [invalid signature!] 
> [invalid
> signature!]
>
> On Tue, Jan 23, 2018 at 07:53:12PM +0000, Tim Hollebeek wrote:
> >
> > > Oh, and the method very similar to the proposed one (involving static
> > > CNAME as persistent authentication) is being used in the wild. And
> > > due to the fundamental nature of DNS, even a static zone can result in
> > > variable results for names under the zone.
> >
> > By who?  I don't think it's possible for such a method to be compliant
> > with any of the current BR methods.  If it is, we'll fix it.
>
> Amazon ACM DNS validation based on descriptions I have seen.
>
> And the reading that it complies with 10 methods is way less bizarre than
> the reading that ACME HTTP-01 complies.
>
>
> And DNS specifications are darn clear that TXT lookups chase CNAMEs.
> And CNAMEs are not the only authority transfer mechanism. And then there
> are DNS servers that can run arbitrary computable impure(!) functions to
> answer queries. Versus those you do not even have a snowball's chance in hell.
>
>
> -Ilari
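The freshness point Tim makes above (the validation answer must contain a CSPRNG value minted for that one validation, so a static CNAME target cannot hold the right answer in advance) is easier to see in code. The following is an added illustration, not code from this thread, from DigiCert, or from any ACME implementation. It models a dns-01 style check: the TXT value derivation follows the RFC 8555 dns-01 rule (base64url of the SHA-256 of `token.thumbprint`), while `FakeZone`, `Validator`, the `example.test` names and the account thumbprint are constructed stand-ins. The fake resolver chases CNAMEs, which is exactly why chasing does not help a static record.

```python
"""Per-validation random tokens in a dns-01 style check (constructed model)."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Set


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses for tokens and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def txt_value_for(token: str, account_thumbprint: str) -> str:
    """RFC 8555 dns-01: TXT = base64url(SHA-256(token '.' JWK thumbprint))."""
    key_authz = f"{token}.{account_thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authz).digest())


class FakeZone:
    """Stand-in for DNS (constructed): TXT lookups chase CNAMEs like a resolver."""

    def __init__(self) -> None:
        self.cname: Dict[str, str] = {}
        self.txt: Dict[str, List[str]] = {}

    def lookup_txt(self, name: str) -> List[str]:
        seen: Set[str] = set()
        while name in self.cname:
            if name in seen:          # CNAME loop: treat as no answer
                return []
            seen.add(name)
            name = self.cname[name]
        return self.txt.get(name, [])


class Validator:
    """Issues one fresh token per validation and never accepts a token twice."""

    def __init__(self, zone: FakeZone) -> None:
        self.zone = zone
        self.pending: Dict[str, str] = {}   # token -> domain it was issued for
        self.spent: Set[str] = set()        # tokens already consumed

    def issue_challenge(self, domain: str) -> str:
        token = b64url(secrets.token_bytes(16))   # 128 bits from the OS CSPRNG
        self.pending[token] = domain
        return token

    def validate(self, token: str, domain: str, thumbprint: str) -> bool:
        if token in self.spent or self.pending.get(token) != domain:
            return False
        expected = txt_value_for(token, thumbprint).encode("ascii")
        records = self.zone.lookup_txt(f"_acme-challenge.{domain}")
        ok = any(hmac.compare_digest(r.encode("utf-8"), expected) for r in records)
        if ok:                                # single use: burn the token
            self.spent.add(token)
            del self.pending[token]
        return ok


def demo() -> Dict[str, bool]:
    """Walk through the static-CNAME scenario; every entry should be True."""
    zone = FakeZone()
    thumb = "constructed-account-thumbprint"
    # Delegation via a static CNAME to a record that was set once and left alone.
    zone.cname["_acme-challenge.example.test"] = "acme.delegated.test"
    zone.txt["acme.delegated.test"] = ["static-value-set-once"]
    v = Validator(zone)

    t1 = v.issue_challenge("example.test")
    static_fails = not v.validate(t1, "example.test", thumb)
    # The holder publishes the value derived from this validation's token.
    zone.txt["acme.delegated.test"] = [txt_value_for(t1, thumb)]
    fresh_passes = v.validate(t1, "example.test", thumb)
    replay_fails = not v.validate(t1, "example.test", thumb)
    # A new validation gets a new token; yesterday's record no longer matches.
    t2 = v.issue_challenge("example.test")
    stale_fails = not v.validate(t2, "example.test", thumb)
    return {
        "static_fails": static_fails,
        "fresh_passes": fresh_passes,
        "replay_fails": replay_fails,
        "stale_fails": stale_fails,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the resolver in the model does follow the CNAME; what defeats the static record is that the expected TXT content depends on a token the CA chose after the record was written, and on the requester's account key, so any fixed value is wrong by construction.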

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme