4

To my understanding, LetsEncrypt DNS verification works by setting a static TXT record into DNS (basically just a nonce) which is then checked by the LetsEncrypt servers.

When I first heard about it I was pretty excited and expected something more sophisticated: A public key is stored in DNS of my domains. Then, for verification, I create a signed message and the LetsEncrypt server checks is the signature is valid. Since public key in DNS and private key I own, this establishes proof that I control the domain.

Finding out that it does not work this way was a bit disappointing: It requires manual interactions and even for renewal a new TXT record.

Is there a technical reason that no signature approach is used? If no, what is the reason why LetsEncrypt does not implement it?

divB
  • 538
  • 1
  • 6
  • 22

1 Answers1

4

I believe that what you think happens is not what really happens. Let's Encrypt follows the current version of the IETF ACME Working Group's draft of the ACME protocol. In that draft, in section 8.5 it calls for the use of both a random string (provided in the challenge) and the account key as the first step in creating the TXT record's value.

A client responds to this challenge by constructing a key authorization from the “token” value provided in the challenge and the client’s account key. The client then computes the SHA-256 digest [FIPS180-4] of the key authorization.

Possession of the account key and control of the DNS should be sufficient to prove both control over the domain, and connection to the account requesting the certificate. The public key associated with the account is not exposed in the DNS and is held by LE, while the private key should be kept securely on the server itself, as should any other private key.

So, your final questions, Is there a technical reason that no signature approach is used? If no, what is the reason why LetsEncrypt does not implement it? seem to have missed the point. A signature is used.

  • Ok, seems I got it partially wrong. However, indenpendently if there's a signature used underneath, it seems that a token needs to be inserted MANUALLY and that even for a renew (https://community.letsencrypt.org/t/how-to-use-dns-01-challenge/28593/2). I just don't understand why I can't place a key in TXT record and tell certbot ONLY the domainname and the other part of the key (with which a challenge is signed). This would establish ownership fully and does not require these last-century manual DNS entries. – divB Jun 04 '17 at 09:05
  • 1
    You _can_ do it MANUALLY, but you're not supposed to. One key point behind Let's Encrypt is automation. The ACME client does all the work. As for the token is received as part of the challenge. You don't know ahead of time what the challenge is. The new challenge, with a new token, at renew, proves that you haven't somehow lost control of the domain, which is possible for many reasons. If the old token was reused, or it wasn't random anyway, you could set the DNS record, and not remove it. Later, if I got the domain, you could keep using that old record to "prove" you controlled it, not me. –  Jun 04 '17 at 09:20