
feat: add ACME "dns-account-01" challenge

Open · sheurich opened this pull request 11 months ago · 1 comment

Description:

This pull request addresses https://github.com/letsencrypt/boulder/issues/7240 by integrating the "dns-account-01" challenge into Boulder. This challenge introduces a novel method for domain control validation within the ACME protocol.

Background:

The "dns-account-01" challenge, in its current Internet Draft form, introduces an additional approach for domain control validation. It uses a DNS resource linked to the ACME Account Resource URL and the authorization scope, offering enhanced flexibility and security in domain validation processes.

Changes:

  • In va/dns.go, the getDNSAccountChallengeSubdomain function has been introduced to compute the DNS subdomain for DNSAccount01 challenges based on the account's resource URL and scope.
  • The validateTXT function has been added to query TXT records associated with a challenge subdomain and validate the authorization keys.
  • The existing validateDNS01 function continues to validate DNS01 challenges but now leverages validateTXT for validation.
  • The new validateDNSAccount01 function constructs the challenge subdomain using getDNSAccountChallengeSubdomain and validates the authorization keys for DNSAccount01 challenges.
  • va/va_test.go has been updated to test the validation of malformed challenges with the new scope parameter.
  • Integration test TestDNSAccountChallenge has been added to validate the end-to-end functionality of DNSAccount01 challenges.

Vendor Dependency Updates:

  • Updated github.com/eggsampler/acme/v3 to version v3.5.0.

These changes enhance the security and flexibility of Boulder's validation process for DNS-based challenges, particularly with the introduction of support for the DNSAccount01 challenge type, thereby improving the overall robustness of the system.

sheurich · Mar 16 '24 20:03
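To make the two mechanisms named in the description concrete, here is a small Go program written for this page (it is not code from the pull request or from Boulder, and its function names are hypothetical): it derives the challenge subdomain from the ACME account URL and authorization scope, and checks TXT records against the key authorization digest. The label construction follows the Internet Draft's formula as this editor understands it ("_" + base32(SHA-256(account URL)[0:10]) + "._acme-" + scope + "-challenge") and the scope names host, wildcard and domain; the pull request text does not spell these out, so treat them, along with the sample zone and account URL, as assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/base64"
	"fmt"
	"strings"
)

// Scope values assumed from the dns-account-01 Internet Draft: the label
// carries the scope so one account can keep distinct TXT records for
// host-only, wildcard and whole-domain authorizations.
var validScopes = map[string]bool{"host": true, "wildcard": true, "domain": true}

// DNSAccountChallengeSubdomain derives the per-account challenge label
// (hypothetical helper; assumed draft formula):
//   "_" + base32(SHA-256(accountURL)[0:10]) + "._acme-" + scope + "-challenge"
// Because the label is bound to the account URL, a record placed under the
// generic _acme-challenge name by a different ACME account is never consulted.
func DNSAccountChallengeSubdomain(accountURL, scope string) (string, error) {
	if !validScopes[scope] {
		return "", fmt.Errorf("unknown authorization scope %q", scope)
	}
	sum := sha256.Sum256([]byte(accountURL))
	// 10 bytes = 80 bits = exactly 16 base32 characters, so no padding arises.
	label := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(sum[:10])
	// DNS names are case-insensitive; lower-case gives a canonical form.
	return fmt.Sprintf("_%s._acme-%s-challenge", strings.ToLower(label), scope), nil
}

// ExpectedTXTValue is the digest the client must publish: unpadded base64url
// of SHA-256 over the key authorization (token + "." + JWK thumbprint), the
// same encoding dns-01 already uses.
func ExpectedTXTValue(keyAuthorization string) string {
	sum := sha256.Sum256([]byte(keyAuthorization))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ValidateTXT reports whether any returned TXT record carries the expected
// digest. Unrelated records are tolerated, as in dns-01; the comparison is
// constant-time so record contents do not leak through timing.
func ValidateTXT(records []string, keyAuthorization string) bool {
	want := []byte(ExpectedTXTValue(keyAuthorization))
	for _, r := range records {
		if subtle.ConstantTimeCompare([]byte(r), want) == 1 {
			return true
		}
	}
	return false
}

// Lookup abstracts the resolver so the flow can be exercised offline.
type Lookup func(fqdn string) ([]string, error)

// ValidateDNSAccount01 ties the two steps together for one identifier.
func ValidateDNSAccount01(domain, accountURL, scope, keyAuthorization string, lookup Lookup) error {
	sub, err := DNSAccountChallengeSubdomain(accountURL, scope)
	if err != nil {
		return err
	}
	fqdn := sub + "." + strings.TrimSuffix(domain, ".")
	records, err := lookup(fqdn)
	if err != nil {
		return fmt.Errorf("TXT lookup for %s failed: %w", fqdn, err)
	}
	if !ValidateTXT(records, keyAuthorization) {
		return fmt.Errorf("no TXT record at %s matches the key authorization digest", fqdn)
	}
	return nil
}

func main() {
	// Constructed sample data: an account URL, a key authorization and an
	// in-memory zone standing in for the authoritative resolver.
	const accountURL = "https://acme.example.test/acme/acct/1234"
	const keyAuthz = "token-constructed.thumbprint-constructed"
	sub, _ := DNSAccountChallengeSubdomain(accountURL, "host")
	zone := map[string][]string{
		sub + ".example.test": {"unrelated-record", ExpectedTXTValue(keyAuthz)},
	}
	lookup := func(fqdn string) ([]string, error) { return zone[fqdn], nil }

	fmt.Println("challenge name:", sub+".example.test")
	fmt.Println("host scope:", ValidateDNSAccount01("example.test", accountURL, "host", keyAuthz, lookup))
	// A different account URL derives a different label, so its lookup misses.
	fmt.Println("other account:", ValidateDNSAccount01("example.test", accountURL+"5", "host", keyAuthz, lookup))
}
```

The point of the account-bound label, as the description says, is that a validator for one account never reads records intended for another; the scope suffix additionally keeps a host-only authorization from satisfying a wildcard or whole-domain request.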

Hey friends, I think the bulk of the work here is complete for the moment. I am beginning a thru-hike of the Appalachian Trail and will not be available to work on this for the time being. If there are any adjustments needed due to spec changes, bugs or nits, someone else will need to make those changes before merging. Best, Shiloh

sheurich · Apr 03 '24 01:04