Hi all, I would like to raise a potential operational/security consideration around DNS-ACCOUNT-01.
Prior to DNS-ACCOUNT-01, ACME DNS-based validation methods (e.g., DNS-01, DNS-PERSIST-01) relied on well-known, predictable labels such as _acme-challenge.<domain>. This enabled domain owners or third parties to monitor those names for unexpected TXT records as a weak signal of ongoing or potentially unauthorized validation activity.

With DNS-ACCOUNT-01, the validation name incorporates an account-derived label. As a result, the effective validation namespace becomes unpredictable to observers who do not already know the ACME account URI. This appears to remove the feasibility of DNS-based monitoring approaches that rely on polling a fixed namespace. In effect, DNS-ACCOUNT-01 replaces a shared, predictable monitoring surface with per-account isolation.

A few questions for the WG:

- Is this reduction in a predictable DNS monitoring surface an intentional trade-off of DNS-ACCOUNT-01?
- Has the WG considered whether this changes the detectability of unauthorized validation activity in environments where DNSSEC is not deployed (e.g., where DNS responses may be forged/modified on-path)?
- Would it be useful to document this explicitly in the Security Considerations section, so operators are aware that DNS-based monitoring techniques targeting _acme-challenge no longer generalize?

To be clear, I understand that Certificate Transparency is the primary mechanism for detecting misissuance. This question is specifically about whether DNS-ACCOUNT-01 removes a secondary (albeit weaker) monitoring signal that some operators may currently rely on.

Thanks,
Youfu Zhang
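Added example, not part of the message above or of the ACME draft itself. It illustrates the monitoring point being raised: an operator who knows their own ACME account URLs can still derive the exact names to watch, while names produced by an unknown account cannot be predicted and only become visible to whoever controls the zone data. The label derivation used here (`_` + lowercase base32 of the first 10 bytes of SHA-256 over the account URL, prepended to `_acme-challenge.<domain>`) is taken from draft-ietf-acme-dns-account-01 as understood at the time of writing and should be checked against the current draft text; the account URLs, zone names and the `classify_names` helper are constructed for the example.

```python
import base64
import hashlib
import re

# Assumed derivation from draft-ietf-acme-dns-account-01 (verify against the
# current draft):
#   "_" || base32(SHA-256(<ACCOUNT_RESOURCE_URL>)[0:10]) || "._acme-challenge." || <domain>
# 10 bytes of digest give exactly 16 base32 characters, so no '=' padding appears.
# DNS names are case-insensitive; the label is normalised to lowercase here.


def account_label(account_url: str) -> str:
    """Return the account-derived owner label for one ACME account URL."""
    digest = hashlib.sha256(account_url.encode("utf-8")).digest()[:10]
    return "_" + base64.b32encode(digest).decode("ascii").lower()


def dns_account_01_name(account_url: str, domain: str) -> str:
    """Full validation name a DNS-ACCOUNT-01 challenge would use for this account."""
    return f"{account_label(account_url)}._acme-challenge.{domain.rstrip('.').lower()}"


# Any 17-character "_" + 16 base32 chars label in front of _acme-challenge.
ACCOUNT_SCOPED = re.compile(r"^_[a-z2-7]{16}\._acme-challenge\.(?P<domain>.+)$")


def classify_names(observed_names, domain, known_account_urls):
    """Sort TXT owner names seen in zone data (constructed input) into buckets.

    own_account      - matches an account URL the operator controls
    unknown_account  - DNS-ACCOUNT-01 shaped label for an account we do not know
    legacy           - the fixed _acme-challenge.<domain> name (DNS-01 style)
    other            - unrelated names
    Only a party with access to the zone contents can populate observed_names;
    an outside poller cannot enumerate the unknown_account bucket, which is the
    monitoring gap discussed in the thread.
    """
    domain = domain.rstrip(".").lower()
    expected = {dns_account_01_name(url, domain) for url in known_account_urls}
    legacy_name = f"_acme-challenge.{domain}"
    buckets = {"own_account": [], "unknown_account": [], "legacy": [], "other": []}

    for raw in observed_names:
        name = raw.rstrip(".").lower()
        match = ACCOUNT_SCOPED.match(name)
        if name == legacy_name:
            buckets["legacy"].append(name)
        elif match and match.group("domain") == domain:
            bucket = "own_account" if name in expected else "unknown_account"
            buckets[bucket].append(name)
        else:
            buckets["other"].append(name)

    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    # Constructed sample: two account URLs the operator controls, plus zone data
    # containing one of their names, a legacy name, a foreign account-scoped
    # name and an unrelated record.
    my_accounts = ["https://acme.example.com/acme/acct/1001",
                   "https://acme.example.com/acme/acct/1002"]
    zone_txt_names = [
        dns_account_01_name(my_accounts[0], "example.org"),
        "_acme-challenge.example.org",
        "_abcdefghijklmnop._acme-challenge.example.org",  # constructed, not ours
        "www.example.org",
    ]
    for bucket, names in classify_names(zone_txt_names, "example.org", my_accounts).items():
        print(f"{bucket:16s} {names}")
```

Run against an export of the zone's TXT owner names, the `unknown_account` bucket is the signal the message says an outside observer can no longer obtain by polling `_acme-challenge.<domain>`; the `own_account` bucket shows that the derivation is still predictable to anyone holding the account URL.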
