wfe/ra/va/pa: Add support for draft-ietf-acme-dns-persist-00

Author: beautifulentropy

cmd/boulder-ra/main.go

@@ -11,6 +11,7 @@ import (
 	capb "github.com/letsencrypt/boulder/ca/proto"
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/config"
+	"github.com/letsencrypt/boulder/core"
 	"github.com/letsencrypt/boulder/ctpolicy"
 	"github.com/letsencrypt/boulder/ctpolicy/ctconfig"
 	"github.com/letsencrypt/boulder/ctpolicy/loglist"
@@ -171,6 +172,13 @@ func main() {
 	pa, err := policy.New(c.PA.Identifiers, c.PA.Challenges, logger)
 	cmd.FailOnError(err, "Couldn't create PA")
 
+	if features.Get().DNSPersist01Enabled && !pa.ChallengeTypeEnabled(core.ChallengeTypeDNSPersist01) {
+		cmd.Fail("Feature flag DNSPersist01Enabled requires dns-persist-01 to be enabled in the PA")
+	}
+	if pa.ChallengeTypeEnabled(core.ChallengeTypeDNSPersist01) && !features.Get().DNSAccount01Enabled {
+		cmd.Fail("Feature flag DNSAccount01Enabled must be enabled to use dns-persist-01 challenge type")
+	}
+
 	if c.RA.HostnamePolicyFile == "" {
 		cmd.Fail("HostnamePolicyFile must be provided.")
 	}

cmd/boulder-wfe2/main.go

@@ -98,10 +98,14 @@ type Config struct {
 
 		Features features.Config
 
-		// DirectoryCAAIdentity is used for the /directory response's "meta"
-		// element's "caaIdentities" field. It should match the VA's "issuerDomain"
-		// configuration value (this value is the one used to enforce CAA)
+		// DirectoryCAAIdentity is the CA's issuer domain name, used for:
+		//   1. /directory response: included in the "meta" caaIdentities field.
+		//   2. dns-persist-01 challenges: included in the issuer-domain-names field.
+		//
+		// Must match the VA's IssuerDomain. A mismatch will cause CAA and
+		// dns-persist-01 validation failures.
 		DirectoryCAAIdentity string `validate:"required,fqdn"`
+
 		// DirectoryWebsite is used for the /directory response's "meta" element's
 		// "website" field.
 		DirectoryWebsite string `validate:"required,url"`
@@ -399,12 +403,12 @@ func main() {
 		c.WFE.Unpause.JWTLifetime.Duration,
 		c.WFE.Unpause.URL,
 		c.WFE.BlockedOnDemandLabels,
+		c.WFE.DirectoryCAAIdentity,
 	)
 	cmd.FailOnError(err, "Unable to create WFE")
 
 	wfe.SubscriberAgreementURL = c.WFE.SubscriberAgreementURL
 	wfe.AllowOrigins = c.WFE.AllowOrigins
-	wfe.DirectoryCAAIdentity = c.WFE.DirectoryCAAIdentity
 	wfe.DirectoryWebsite = c.WFE.DirectoryWebsite
 	wfe.LegacyKeyIDPrefix = c.WFE.LegacyKeyIDPrefix
 

cmd/config.go

@@ -94,7 +94,7 @@ func (d *DBConfig) URL() (string, error) {
 // it should offer.
 type PAConfig struct {
 	DBConfig    `validate:"-"`
-	Challenges  map[core.AcmeChallenge]bool        `validate:"omitempty,dive,keys,oneof=http-01 dns-01 tls-alpn-01 dns-account-01,endkeys"`
+	Challenges  map[core.AcmeChallenge]bool        `validate:"omitempty,dive,keys,oneof=http-01 dns-01 tls-alpn-01 dns-account-01 dns-persist-01,endkeys"`
 	Identifiers map[identifier.IdentifierType]bool `validate:"omitempty,dive,keys,oneof=dns ip,endkeys"`
 }
 

core/challenges.go

@@ -27,3 +27,8 @@ func TLSALPNChallenge01(token string) Challenge {
 func DNSAccountChallenge01(token string) Challenge {
 	return newChallenge(ChallengeTypeDNSAccount01, token)
 }
+
+// DNSPersistChallenge01 constructs a dns-persist-01 challenge.
+func DNSPersistChallenge01() Challenge {
+	return newChallenge(ChallengeTypeDNSPersist01, "")
+}

core/core_test.go

@@ -27,21 +27,25 @@ func TestChallenges(t *testing.T) {
 
 	token := NewToken()
 	http01 := HTTPChallenge01(token)
-	test.AssertNotError(t, http01.CheckPending(), "CheckConsistencyForClientOffer returned an error")
+	test.AssertNotError(t, http01.CheckPending(), "CheckPending returned an error")
 
 	dns01 := DNSChallenge01(token)
-	test.AssertNotError(t, dns01.CheckPending(), "CheckConsistencyForClientOffer returned an error")
+	test.AssertNotError(t, dns01.CheckPending(), "CheckPending returned an error")
 
 	dnsAccount01 := DNSAccountChallenge01(token)
-	test.AssertNotError(t, dnsAccount01.CheckPending(), "CheckConsistencyForClientOffer returned an error")
+	test.AssertNotError(t, dnsAccount01.CheckPending(), "CheckPending returned an error")
+
+	dnsPersist01 := DNSPersistChallenge01()
+	test.AssertNotError(t, dnsPersist01.CheckPending(), "CheckPending returned an error")
 
 	tlsalpn01 := TLSALPNChallenge01(token)
-	test.AssertNotError(t, tlsalpn01.CheckPending(), "CheckConsistencyForClientOffer returned an error")
+	test.AssertNotError(t, tlsalpn01.CheckPending(), "CheckPending returned an error")
 
 	test.Assert(t, ChallengeTypeHTTP01.IsValid(), "Refused valid challenge")
 	test.Assert(t, ChallengeTypeDNS01.IsValid(), "Refused valid challenge")
 	test.Assert(t, ChallengeTypeTLSALPN01.IsValid(), "Refused valid challenge")
 	test.Assert(t, ChallengeTypeDNSAccount01.IsValid(), "Refused valid challenge")
+	test.Assert(t, ChallengeTypeDNSPersist01.IsValid(), "Refused valid challenge")
 	test.Assert(t, !AcmeChallenge("nonsense-71").IsValid(), "Accepted invalid challenge")
 }
 

core/objects.go

@@ -42,12 +42,13 @@ const (
 	ChallengeTypeDNS01        = AcmeChallenge("dns-01")
 	ChallengeTypeTLSALPN01    = AcmeChallenge("tls-alpn-01")
 	ChallengeTypeDNSAccount01 = AcmeChallenge("dns-account-01")
+	ChallengeTypeDNSPersist01 = AcmeChallenge("dns-persist-01")
 )
 
 // IsValid tests whether the challenge is a known challenge
 func (c AcmeChallenge) IsValid() bool {
 	switch c {
-	case ChallengeTypeHTTP01, ChallengeTypeDNS01, ChallengeTypeTLSALPN01, ChallengeTypeDNSAccount01:
+	case ChallengeTypeHTTP01, ChallengeTypeDNS01, ChallengeTypeTLSALPN01, ChallengeTypeDNSAccount01, ChallengeTypeDNSPersist01:
 		return true
 	default:
 		return false
@@ -68,9 +69,12 @@ var OCSPStatusToInt = map[OCSPStatus]int{
 	OCSPStatusRevoked: ocsp.Revoked,
 }
 
-// DNSPrefix is attached to DNS names in DNS challenges
+// DNSPrefix is attached to DNS names in dns-01 and dns-account-01 challenges
 const DNSPrefix = "_acme-challenge"
 
+// DNSPersistPrefix is attached to DNS names in dns-persist-01 challenges.
+const DNSPersistPrefix = "_validation-persist"
+
 type RawCertificateRequest struct {
 	CSR JSONBuffer `json:"csr"` // The encoded CSR
 }
@@ -156,9 +160,13 @@ type Challenge struct {
 	Error *probs.ProblemDetails `json:"error,omitempty"`
 
 	// Token is a random value that uniquely identifies the challenge. It is used
-	// by all current challenges (http-01, tls-alpn-01, and dns-01).
+	// by all challenges except dns-persist-01.
 	Token string `json:"token,omitempty"`
 
+	// IssuerDomainNames contains the list of issuer domain name values accepted
+	// during dns-persist-01 challenge validation.
+	IssuerDomainNames []string `json:"issuer-domain-names,omitempty"`
+
 	// Contains information about URLs used or redirected to and IPs resolved and
 	// used
 	ValidationRecord []ValidationRecord `json:"validationRecord,omitempty"`
@@ -209,7 +217,7 @@ func (ch Challenge) RecordsSane() bool {
 			(ch.ValidationRecord[0].AddressUsed == netip.Addr{}) || len(ch.ValidationRecord[0].AddressesResolved) == 0 {
 			return false
 		}
-	case ChallengeTypeDNS01, ChallengeTypeDNSAccount01:
+	case ChallengeTypeDNS01, ChallengeTypeDNSAccount01, ChallengeTypeDNSPersist01:
 		if len(ch.ValidationRecord) > 1 {
 			return false
 		}
@@ -226,14 +234,20 @@ func (ch Challenge) RecordsSane() bool {
 	return true
 }
 
-// CheckPending ensures that a challenge object is pending and has a token.
-// This is used before offering the challenge to the client, and before actually
-// validating a challenge.
+// CheckPending ensures that a challenge object is pending and, for challenge
+// types that require one, has a token. This is used before offering the
+// challenge to the client, and before actually validating a challenge.
 func (ch Challenge) CheckPending() error {
 	if ch.Status != StatusPending {
 		return fmt.Errorf("challenge is not pending")
 	}
 
+	// dns-persist-01 does not use a token; validation relies on persistent
+	// DNS TXT records containing the issuer-domain-name and accounturi.
+	if ch.Type == ChallengeTypeDNSPersist01 {
+		return nil
+	}
+
 	if !looksLikeAToken(ch.Token) {
 		return fmt.Errorf("token is missing or malformed")
 	}

core/objects_test.go

@@ -59,20 +59,31 @@ func TestChallengeSanityCheck(t *testing.T) {
   }`), &accountKey)
 	test.AssertNotError(t, err, "Error unmarshaling JWK")
 
-	types := []AcmeChallenge{ChallengeTypeHTTP01, ChallengeTypeDNS01, ChallengeTypeTLSALPN01, ChallengeTypeDNSAccount01}
-	for _, challengeType := range types {
+	// Challenge types that require a token.
+	tokenTypes := []AcmeChallenge{ChallengeTypeHTTP01, ChallengeTypeDNS01, ChallengeTypeTLSALPN01, ChallengeTypeDNSAccount01}
+	for _, challengeType := range tokenTypes {
 		chall := Challenge{
 			Type:   challengeType,
 			Status: StatusInvalid,
 		}
-		test.AssertError(t, chall.CheckPending(), "CheckConsistencyForClientOffer didn't return an error")
+		test.AssertError(t, chall.CheckPending(), "CheckPending didn't return an error")
 
 		chall.Status = StatusPending
-		test.AssertError(t, chall.CheckPending(), "CheckConsistencyForClientOffer didn't return an error")
+		test.AssertError(t, chall.CheckPending(), "CheckPending didn't return an error")
 
 		chall.Token = "KQqLsiS5j0CONR_eUXTUSUDNVaHODtc-0pD6ACif7U4"
-		test.AssertNotError(t, chall.CheckPending(), "CheckConsistencyForClientOffer returned an error")
+		test.AssertNotError(t, chall.CheckPending(), "CheckPending returned an error")
 	}
+
+	// dns-persist-01 does not use a token.
+	chall := Challenge{
+		Type:   ChallengeTypeDNSPersist01,
+		Status: StatusInvalid,
+	}
+	test.AssertError(t, chall.CheckPending(), "CheckPending didn't return an error for invalid status")
+
+	chall.Status = StatusPending
+	test.AssertNotError(t, chall.CheckPending(), "CheckPending returned an error for dns-persist-01 without token")
 }
 
 func TestJSONBufferUnmarshal(t *testing.T) {

features/features.go

@@ -80,6 +80,12 @@ type Config struct {
 	// during certificate issuance. This flag must be set to true in the
 	// RA, VA, and WFE2 services for full functionality.
 	DNSAccount01Enabled bool
+
+	// DNSPersist01Enabled controls support for the dns-persist-01 challenge
+	// type. When enabled, the server can offer and validate this challenge
+	// during certificate issuance. This flag must be set to true in the
+	// RA and VA services for full functionality.
+	DNSPersist01Enabled bool
 }
 
 var fMu = new(sync.RWMutex)

policy/pa.go

@@ -607,15 +607,18 @@ func (pa *AuthorityImpl) checkBlocklists(ident identifier.ACMEIdentifier) error
 func (pa *AuthorityImpl) ChallengeTypesFor(ident identifier.ACMEIdentifier) ([]core.AcmeChallenge, error) {
 	switch ident.Type {
 	case identifier.TypeDNS:
-		// If the identifier is for a DNS wildcard name we only provide DNS-01
-		// or DNS-ACCOUNT-01 challenges, to comply with the BRs Sections 3.2.2.4.19
-		// and 3.2.2.4.20 stating that ACME HTTP-01 and TLS-ALPN-01 are not
-		// suitable for validating Wildcard Domains.
+		// If the identifier is for a DNS wildcard name we only provide DNS-01,
+		// DNS-ACCOUNT-01, or DNS-PERSIST-01 challenges, to comply with the BRs
+		// Sections 3.2.2.4.19 and 3.2.2.4.20 stating that ACME HTTP-01 and
+		// TLS-ALPN-01 are not suitable for validating Wildcard Domains.
 		if strings.HasPrefix(ident.Value, "*.") {
 			challenges := []core.AcmeChallenge{core.ChallengeTypeDNS01}
 			if features.Get().DNSAccount01Enabled {
 				challenges = append(challenges, core.ChallengeTypeDNSAccount01)
 			}
+			if features.Get().DNSPersist01Enabled {
+				challenges = append(challenges, core.ChallengeTypeDNSPersist01)
+			}
 			return challenges, nil
 		}
 
@@ -628,6 +631,9 @@ func (pa *AuthorityImpl) ChallengeTypesFor(ident identifier.ACMEIdentifier) ([]c
 		if features.Get().DNSAccount01Enabled {
 			challenges = append(challenges, core.ChallengeTypeDNSAccount01)
 		}
+		if features.Get().DNSPersist01Enabled {
+			challenges = append(challenges, core.ChallengeTypeDNSPersist01)
+		}
 		return challenges, nil
 	case identifier.TypeIP:
 		// Only HTTP-01 and TLS-ALPN-01 are suitable for IP address identifiers

policy/pa_test.go

@@ -23,6 +23,7 @@ func paImpl(t *testing.T) *AuthorityImpl {
 		core.ChallengeTypeDNS01:        true,
 		core.ChallengeTypeTLSALPN01:    true,
 		core.ChallengeTypeDNSAccount01: true,
+		core.ChallengeTypeDNSPersist01: true,
 	}
 
 	enabledIdentifiers := map[identifier.IdentifierType]bool{
@@ -463,8 +464,8 @@ func TestChallengeTypesFor(t *testing.T) {
 	t.Parallel()
 	pa := paImpl(t)
 
-	t.Run("DNSAccount01Enabled=true", func(t *testing.T) {
-		features.Set(features.Config{DNSAccount01Enabled: true})
+	t.Run("DNSAccount01Enabled=true,DNSPersist01Enabled=true", func(t *testing.T) {
+		features.Set(features.Config{DNSAccount01Enabled: true, DNSPersist01Enabled: true})
 		t.Cleanup(features.Reset)
 
 		testCases := []struct {
@@ -481,6 +482,7 @@ func TestChallengeTypesFor(t *testing.T) {
 					core.ChallengeTypeDNS01,
 					core.ChallengeTypeTLSALPN01,
 					core.ChallengeTypeDNSAccount01,
+					core.ChallengeTypeDNSPersist01,
 				},
 			},
 			{
@@ -489,6 +491,7 @@ func TestChallengeTypesFor(t *testing.T) {
 				wantChalls: []core.AcmeChallenge{
 					core.ChallengeTypeDNS01,
 					core.ChallengeTypeDNSAccount01,
+					core.ChallengeTypeDNSPersist01,
 				},
 			},
 			{
@@ -523,8 +526,8 @@ func TestChallengeTypesFor(t *testing.T) {
 		}
 	})
 
-	t.Run("DNSAccount01Enabled=false", func(t *testing.T) {
-		features.Set(features.Config{DNSAccount01Enabled: false})
+	t.Run("DNSAccount01Enabled=false,DNSPersist01Enabled=false", func(t *testing.T) {
+		features.Set(features.Config{DNSAccount01Enabled: false, DNSPersist01Enabled: false})
 		t.Cleanup(features.Reset)
 
 		testCases := []struct {
@@ -541,6 +544,7 @@ func TestChallengeTypesFor(t *testing.T) {
 					core.ChallengeTypeDNS01,
 					core.ChallengeTypeTLSALPN01,
 					// DNSAccount01 excluded
+					// DNSPersist01 excluded
 				},
 			},
 			{
@@ -549,6 +553,7 @@ func TestChallengeTypesFor(t *testing.T) {
 				wantChalls: []core.AcmeChallenge{
 					core.ChallengeTypeDNS01,
 					// DNSAccount01 excluded
+					// DNSPersist01 excluded
 				},
 			},
 			{