Chain of trust goes like this: CAA (DNSSEC) mandates cert can't be issued except by LE over DANE (DNSSEC) authenticated HTTPS.
Care to write a draft that specifies a new CAA record field? I'd be willing to support this. Makes sense.
Would it be a new field or just a new validationmethods constraint in the sense of tools.ietf.org/html/draft-iet?
By the way, it appears you can register an account (certbot register) and then pin the account id to have ECDSA-based authentication via ACME. The accounturi and validationmethods features are only used for the staging service though. I've tested that validationmethods works.
I've now tested that accounturi works too (valid and invalid).
This provides a way to properly verify via HTTP authentication using the root of trust since the communication between the ACME client and server is authenticated for the accounturi.
The issue is it's staging only.
Staging only = some experimental thing LE hasn't really rolled out yet?
If this works in production, I think it's a viable trusted path for cert issuance, but much more roundabout and painful to set up than just enforcing DANE on ACME over HTTPS.
They have a staging server for dry run certificate issuance tests and it's deployed there. For certbot, you use it with `certbot renew --dry-run`. That's how I was testing this. You can make multiple CAA issue records to allow both the staging and production accounts too.
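The two-record setup described in the post above (one CAA issue record pinning the production ACME account, one pinning the staging account), as an added example that is not from this thread, from Let's Encrypt or from certbot: a small Python evaluator that parses CAA `issue` values carrying the `accounturi` and `validationmethods` parameters and decides, the way a CA's policy check would, whether issuance for a given CA, account URI and challenge type is permitted. The account ids in the URIs are constructed placeholders, and treating an unrecognized parameter as disqualifying that record is this example's conservative choice, not a requirement quoted from the thread.

```python
"""Evaluate CAA 'issue' records with the accounturi / validationmethods
parameters, as a CA's issuance policy check would see them (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CaaIssue:
    issuer: str                     # CA domain; '' is the ";" form meaning "nobody may issue"
    params: dict = field(default_factory=dict)


def parse_issue_value(value: str) -> CaaIssue:
    """Parse the text of a CAA issue value: 'ca.example; key=value; key=value'."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        key, val = p.split("=", 1)
        params[key.strip().lower()] = val.strip()
    return CaaIssue(issuer, params)


# Parameters this evaluator understands (both defined for ACME CAA records).
KNOWN_PARAMS = {"accounturi", "validationmethods"}


def record_permits(rec: CaaIssue, ca: str, account_uri: Optional[str], method: str) -> bool:
    """Does one issue record authorize this CA, with this account, via this challenge?"""
    if rec.issuer != ca.lower():
        return False
    if not set(rec.params) <= KNOWN_PARAMS:
        # Assumption for this example: an unknown parameter makes the record
        # non-authorizing rather than being silently ignored.
        return False
    wanted_account = rec.params.get("accounturi")
    if wanted_account is not None and wanted_account != account_uri:
        return False
    methods = rec.params.get("validationmethods")
    if methods is not None:
        allowed = {m.strip() for m in methods.split(",")}
        if method not in allowed:
            return False
    return True


def issuance_allowed(issue_values, ca: str, account_uri: Optional[str], method: str) -> bool:
    """No issue records at all leaves any CA free to issue; otherwise at least
    one record must match the CA, the account URI and the challenge type."""
    if not issue_values:
        return True
    return any(record_permits(parse_issue_value(v), ca, account_uri, method)
               for v in issue_values)


# Constructed sample zone: production and staging accounts, DNS-01 only.
PROD_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/123456"          # placeholder id
STAGING_ACCOUNT = "https://acme-staging-v02.api.letsencrypt.org/acme/acct/987654"  # placeholder id
EXAMPLE_CAA = [
    f"letsencrypt.org; accounturi={PROD_ACCOUNT}; validationmethods=dns-01",
    f"letsencrypt.org; accounturi={STAGING_ACCOUNT}; validationmethods=dns-01",
]


def demo():
    """Evaluate the cases a defender cares about; returns a dict of verdicts."""
    return {
        "prod_dns01": issuance_allowed(EXAMPLE_CAA, "letsencrypt.org", PROD_ACCOUNT, "dns-01"),
        "staging_dns01": issuance_allowed(EXAMPLE_CAA, "letsencrypt.org", STAGING_ACCOUNT, "dns-01"),
        "foreign_account": issuance_allowed(EXAMPLE_CAA, "letsencrypt.org",
                                            "https://acme-v02.api.letsencrypt.org/acme/acct/1", "dns-01"),
        "prod_http01": issuance_allowed(EXAMPLE_CAA, "letsencrypt.org", PROD_ACCOUNT, "http-01"),
        "other_ca": issuance_allowed(EXAMPLE_CAA, "other-ca.example", None, "dns-01"),
        "no_records": issuance_allowed([], "other-ca.example", None, "http-01"),
        "deny_all": issuance_allowed([";"], "letsencrypt.org", PROD_ACCOUNT, "dns-01"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} -> {'issue' if verdict else 'refuse'}")
```

The point of the two records is visible in the verdicts: the production and staging accounts each get their own pin, so a dry run on staging still works, while a request from any other account, via an unlisted challenge type, or from another CA is refused; the `;` form refuses everyone, and an empty record set constrains nothing.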
But do you mean enforcement of these CAA constraints isn't supported yet on the real LE cert issuance servers? Or just that you only tested on staging?
It's not supported on the real production issuance server making trusted certificates yet. The fact that it's deployed on the staging server used for dry run issuance makes it seem like it's close to being put into production though. I don't think they like to deviate much there.
I regularly use dry run issuance to test that it works such as after moving something to a new VPS / dedicated server so it's nice that you can add multiple records with different account URIs. It's another thing to deal with since it doesn't simply use TLSA but it seems decent.
For example, it was quite painful getting ACME working for releases.grapheneos.org after switching to round-robin DNS for scaling it up because I was trying to do it via the certbot nginx plugin and I couldn't get it to work. I don't know what I'd do without their dry run server.