wfe/ra/va/pa: Add support for draft-ietf-acme-dns-persist-00 (#8660)

Implement the dns-persist-01 ACME challenge type as specified in
draft-ietf-acme-dns-persist-00. This challenge proves domain control via
a persistent DNS TXT record at `_validation-persist.<domain>` containing
the CA's issuer domain name and the subscriber's account URI.

The following optional features are deliberately not implemented:

- Just-in-Time Validation (section 4.2): Would require the RA to perform
validation at order creation time, adding latency and complexity to
NewOrder with no current operational need.
- Subdomain validation via policy=wildcard (sections 5 and 6): as
implemented, the policy tag gates wildcard certificate issuance but does
not enable TXT records further up the domain hierarchy to satisfy
subdomain authorizations. The draft has no mechanism for the subscriber
to indicate which Authorization Domain Name (ADN) they want to validate
at, so the server would have to walk up the domain tree. We've proposed
that clients include an ADN field in their challenge POST payload to
solve this. We'll wait to see if the draft adopts some form of ADN
negotiation before implementing this functionality.
- Authorization reuse (section 7.8): The spec caps reuse to the TXT
record's TTL, and the BRs (section 3.2.2.4.22) caps it at 10 days. Since
typical TTLs are seconds to minutes, re-validating on every order is
simpler and avoids the need to plumb through and enforce TTL values.

Fixes #8527

Author: beautifulentropy

cmd/boulder-ra/main.go

@@ -11,6 +11,7 @@ import (
 	capb "github.com/letsencrypt/boulder/ca/proto"
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/config"
+	"github.com/letsencrypt/boulder/core"
 	"github.com/letsencrypt/boulder/ctpolicy"
 	"github.com/letsencrypt/boulder/ctpolicy/ctconfig"
 	"github.com/letsencrypt/boulder/ctpolicy/loglist"
@@ -171,6 +172,13 @@ func main() {
 	pa, err := policy.New(c.PA.Identifiers, c.PA.Challenges, logger)
 	cmd.FailOnError(err, "Couldn't create PA")
 
+	if features.Get().DNSAccount01Enabled != pa.ChallengeTypeEnabled(core.ChallengeTypeDNSAccount01) {
+		cmd.Fail("Feature flag DNSAccount01Enabled and PA dns-account-01 challenge must both be enabled or disabled")
+	}
+	if features.Get().DNSPersist01Enabled != pa.ChallengeTypeEnabled(core.ChallengeTypeDNSPersist01) {
+		cmd.Fail("Feature flag DNSPersist01Enabled and PA dns-persist-01 challenge must both be enabled or disabled")
+	}
+
 	if c.RA.HostnamePolicyFile == "" {
 		cmd.Fail("HostnamePolicyFile must be provided.")
 	}

cmd/boulder-wfe2/main.go

@@ -99,10 +99,14 @@ type Config struct {
 
 		Features features.Config
 
-		// DirectoryCAAIdentity is used for the /directory response's "meta"
-		// element's "caaIdentities" field. It should match the VA's "issuerDomain"
-		// configuration value (this value is the one used to enforce CAA)
+		// DirectoryCAAIdentity is the CA's issuer domain name, used for:
+		//   1. /directory response: included in the "meta" caaIdentities field.
+		//   2. dns-persist-01 challenges: included in the issuer-domain-names field.
+		//
+		// Must match the VA's IssuerDomain. A mismatch will cause CAA and
+		// dns-persist-01 validation failures.
 		DirectoryCAAIdentity string `validate:"required,fqdn"`
+
 		// DirectoryWebsite is used for the /directory response's "meta" element's
 		// "website" field.
 		DirectoryWebsite string `validate:"required,url"`
@@ -402,12 +406,12 @@ func main() {
 		c.WFE.Unpause.JWTLifetime.Duration,
 		c.WFE.Unpause.URL,
 		c.WFE.BlockedOnDemandLabels,
+		c.WFE.DirectoryCAAIdentity,
 	)
 	cmd.FailOnError(err, "Unable to create WFE")
 
 	wfe.SubscriberAgreementURL = c.WFE.SubscriberAgreementURL
 	wfe.AllowOrigins = c.WFE.AllowOrigins
-	wfe.DirectoryCAAIdentity = c.WFE.DirectoryCAAIdentity
 	wfe.DirectoryWebsite = c.WFE.DirectoryWebsite
 	wfe.LegacyKeyIDPrefix = c.WFE.LegacyKeyIDPrefix
 

cmd/config.go

@@ -94,7 +94,7 @@ func (d *DBConfig) URL() (string, error) {
 // it should offer.
 type PAConfig struct {
 	DBConfig    `validate:"-"`
-	Challenges  map[core.AcmeChallenge]bool        `validate:"omitempty,dive,keys,oneof=http-01 dns-01 tls-alpn-01 dns-account-01,endkeys"`
+	Challenges  map[core.AcmeChallenge]bool        `validate:"omitempty,dive,keys,oneof=http-01 dns-01 tls-alpn-01 dns-account-01 dns-persist-01,endkeys"`
 	Identifiers map[identifier.IdentifierType]bool `validate:"omitempty,dive,keys,oneof=dns ip,endkeys"`
 }
 

core/challenges.go

@@ -27,3 +27,8 @@ func TLSALPNChallenge01(token string) Challenge {
 func DNSAccountChallenge01(token string) Challenge {
 	return newChallenge(ChallengeTypeDNSAccount01, token)
 }
+
+// DNSPersistChallenge01 constructs a dns-persist-01 challenge.
+func DNSPersistChallenge01() Challenge {
+	return newChallenge(ChallengeTypeDNSPersist01, "")
+}

core/core_test.go

@@ -27,21 +27,25 @@ func TestChallenges(t *testing.T) {
 
 	token := NewToken()
 	http01 := HTTPChallenge01(token)
-	test.AssertNotError(t, http01.CheckPending(), "CheckConsistencyForClientOffer returned an error")
+	test.AssertNotError(t, http01.CheckPending(), "CheckPending returned an error")
 
 	dns01 := DNSChallenge01(token)
-	test.AssertNotError(t, dns01.CheckPending(), "CheckConsistencyForClientOffer returned an error")
+	test.AssertNotError(t, dns01.CheckPending(), "CheckPending returned an error")
 
 	dnsAccount01 := DNSAccountChallenge01(token)
-	test.AssertNotError(t, dnsAccount01.CheckPending(), "CheckConsistencyForClientOffer returned an error")
+	test.AssertNotError(t, dnsAccount01.CheckPending(), "CheckPending returned an error")
+
+	dnsPersist01 := DNSPersistChallenge01()
+	test.AssertNotError(t, dnsPersist01.CheckPending(), "CheckPending returned an error")
 
 	tlsalpn01 := TLSALPNChallenge01(token)
-	test.AssertNotError(t, tlsalpn01.CheckPending(), "CheckConsistencyForClientOffer returned an error")
+	test.AssertNotError(t, tlsalpn01.CheckPending(), "CheckPending returned an error")
 
 	test.Assert(t, ChallengeTypeHTTP01.IsValid(), "Refused valid challenge")
 	test.Assert(t, ChallengeTypeDNS01.IsValid(), "Refused valid challenge")
 	test.Assert(t, ChallengeTypeTLSALPN01.IsValid(), "Refused valid challenge")
 	test.Assert(t, ChallengeTypeDNSAccount01.IsValid(), "Refused valid challenge")
+	test.Assert(t, ChallengeTypeDNSPersist01.IsValid(), "Refused valid challenge")
 	test.Assert(t, !AcmeChallenge("nonsense-71").IsValid(), "Accepted invalid challenge")
 }
 

core/objects.go

@@ -42,12 +42,13 @@ const (
 	ChallengeTypeDNS01        = AcmeChallenge("dns-01")
 	ChallengeTypeTLSALPN01    = AcmeChallenge("tls-alpn-01")
 	ChallengeTypeDNSAccount01 = AcmeChallenge("dns-account-01")
+	ChallengeTypeDNSPersist01 = AcmeChallenge("dns-persist-01")
 )
 
 // IsValid tests whether the challenge is a known challenge
 func (c AcmeChallenge) IsValid() bool {
 	switch c {
-	case ChallengeTypeHTTP01, ChallengeTypeDNS01, ChallengeTypeTLSALPN01, ChallengeTypeDNSAccount01:
+	case ChallengeTypeHTTP01, ChallengeTypeDNS01, ChallengeTypeTLSALPN01, ChallengeTypeDNSAccount01, ChallengeTypeDNSPersist01:
 		return true
 	default:
 		return false
@@ -68,9 +69,12 @@ var OCSPStatusToInt = map[OCSPStatus]int{
 	OCSPStatusRevoked: ocsp.Revoked,
 }
 
-// DNSPrefix is attached to DNS names in DNS challenges
+// DNSPrefix is attached to DNS names in dns-01 and dns-account-01 challenges
 const DNSPrefix = "_acme-challenge"
 
+// DNSPersistPrefix is attached to DNS names in dns-persist-01 challenges.
+const DNSPersistPrefix = "_validation-persist"
+
 type RawCertificateRequest struct {
 	CSR JSONBuffer `json:"csr"` // The encoded CSR
 }
@@ -156,9 +160,13 @@ type Challenge struct {
 	Error *probs.ProblemDetails `json:"error,omitempty"`
 
 	// Token is a random value that uniquely identifies the challenge. It is used
-	// by all current challenges (http-01, tls-alpn-01, and dns-01).
+	// by all challenges except dns-persist-01.
 	Token string `json:"token,omitempty"`
 
+	// IssuerDomainNames contains the list of issuer domain name values accepted
+	// during dns-persist-01 challenge validation.
+	IssuerDomainNames []string `json:"issuer-domain-names,omitempty"`
+
 	// Contains information about URLs used or redirected to and IPs resolved and
 	// used
 	ValidationRecord []ValidationRecord `json:"validationRecord,omitempty"`
@@ -203,7 +211,7 @@ func (ch Challenge) RecordsSane() bool {
 		if ch.ValidationRecord[0].Hostname == "" || ch.ValidationRecord[0].Port == "" || (ch.ValidationRecord[0].AddressUsed == netip.Addr{}) || len(ch.ValidationRecord[0].AddressesResolved) == 0 {
 			return false
 		}
-	case ChallengeTypeDNS01, ChallengeTypeDNSAccount01:
+	case ChallengeTypeDNS01, ChallengeTypeDNSAccount01, ChallengeTypeDNSPersist01:
 		if len(ch.ValidationRecord) > 1 {
 			return false
 		}
@@ -218,14 +226,20 @@ func (ch Challenge) RecordsSane() bool {
 	return true
 }
 
-// CheckPending ensures that a challenge object is pending and has a token.
-// This is used before offering the challenge to the client, and before actually
-// validating a challenge.
+// CheckPending ensures that a challenge object is pending and, for challenge
+// types that require one, has a token. This is used before offering the
+// challenge to the client, and before actually validating a challenge.
 func (ch Challenge) CheckPending() error {
 	if ch.Status != StatusPending {
 		return fmt.Errorf("challenge is not pending")
 	}
 
+	// dns-persist-01 does not use a token; validation relies on persistent
+	// DNS TXT records containing the issuer-domain-name and accounturi.
+	if ch.Type == ChallengeTypeDNSPersist01 {
+		return nil
+	}
+
 	if !looksLikeAToken(ch.Token) {
 		return fmt.Errorf("token is missing or malformed")
 	}

core/objects_test.go

@@ -59,20 +59,31 @@ func TestChallengeSanityCheck(t *testing.T) {
   }`), &accountKey)
 	test.AssertNotError(t, err, "Error unmarshaling JWK")
 
-	types := []AcmeChallenge{ChallengeTypeHTTP01, ChallengeTypeDNS01, ChallengeTypeTLSALPN01, ChallengeTypeDNSAccount01}
-	for _, challengeType := range types {
+	// Challenge types that require a token.
+	tokenTypes := []AcmeChallenge{ChallengeTypeHTTP01, ChallengeTypeDNS01, ChallengeTypeTLSALPN01, ChallengeTypeDNSAccount01}
+	for _, challengeType := range tokenTypes {
 		chall := Challenge{
 			Type:   challengeType,
 			Status: StatusInvalid,
 		}
-		test.AssertError(t, chall.CheckPending(), "CheckConsistencyForClientOffer didn't return an error")
+		test.AssertError(t, chall.CheckPending(), "CheckPending didn't return an error")
 
 		chall.Status = StatusPending
-		test.AssertError(t, chall.CheckPending(), "CheckConsistencyForClientOffer didn't return an error")
+		test.AssertError(t, chall.CheckPending(), "CheckPending didn't return an error")
 
 		chall.Token = "KQqLsiS5j0CONR_eUXTUSUDNVaHODtc-0pD6ACif7U4"
-		test.AssertNotError(t, chall.CheckPending(), "CheckConsistencyForClientOffer returned an error")
+		test.AssertNotError(t, chall.CheckPending(), "CheckPending returned an error")
 	}
+
+	// dns-persist-01 does not use a token.
+	chall := Challenge{
+		Type:   ChallengeTypeDNSPersist01,
+		Status: StatusInvalid,
+	}
+	test.AssertError(t, chall.CheckPending(), "CheckPending didn't return an error for invalid status")
+
+	chall.Status = StatusPending
+	test.AssertNotError(t, chall.CheckPending(), "CheckPending returned an error for dns-persist-01 without token")
 }
 
 func TestJSONBufferUnmarshal(t *testing.T) {

core/util.go

@@ -27,6 +27,8 @@ import (
 	"unicode"
 
 	"github.com/go-jose/go-jose/v4"
+	"golang.org/x/net/idna"
+	"golang.org/x/text/unicode/norm"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/durationpb"
@@ -398,3 +400,22 @@ func IsCanceled(err error) bool {
 func Command() string {
 	return path.Base(os.Args[0])
 }
+
+// NormalizeIssuerDomainName normalizes an RFC 8659 issuer-domain-name per the
+// recommended algorithm in draft-ietf-acme-dns-persist-00, Section 9.1.1:
+// case-fold to lowercase, apply Unicode NFC normalization, convert to A-label
+// (Punycode), remove any trailing dot, and ensure the result is no more than
+// 253 octets in length. If normalization fails, an error is returned.
+func NormalizeIssuerDomainName(name string) (string, error) {
+	name = strings.ToLower(name)
+	name = norm.NFC.String(name)
+	name, err := idna.Lookup.ToASCII(name)
+	if err != nil {
+		return "", fmt.Errorf("converting issuer domain name %q to ASCII: %w", name, err)
+	}
+	name = strings.TrimSuffix(name, ".")
+	if len(name) > 253 {
+		return "", fmt.Errorf("issuer domain name %q exceeds 253 octets (%d)", name, len(name))
+	}
+	return name, nil
+}

core/util_test.go

@@ -426,3 +426,54 @@ func TestIsCanceled(t *testing.T) {
 		t.Errorf("Expected random error to not be canceled, but was.")
 	}
 }
+
+func TestNormalizeIssuerDomainName(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name      string
+		input     string
+		want      string
+		wantError bool
+	}{
+		{
+			name:  "Already normalized",
+			input: "ca.example",
+			want:  "ca.example",
+		},
+		{
+			name:  "Normalizes uppercase and trailing dot",
+			input: "CA.EXAMPLE.",
+			want:  "ca.example",
+		},
+		{
+			name:  "Normalizes IDNA issuer",
+			input: "BÜCHER.example",
+			want:  "xn--bcher-kva.example",
+		},
+		{
+			name:      "Rejects invalid issuer with underscore",
+			input:     "ca_.example",
+			wantError: true,
+		},
+		{
+			name:      "Rejects too-long issuer",
+			input:     strings.Repeat("a", 63) + "." + strings.Repeat("b", 63) + "." + strings.Repeat("c", 63) + "." + strings.Repeat("d", 63),
+			wantError: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got, err := NormalizeIssuerDomainName(tc.input)
+			if tc.wantError {
+				test.AssertError(t, err, "expected normalization error")
+				return
+			}
+			test.AssertNotError(t, err, "unexpected normalization error")
+			test.AssertEquals(t, got, tc.want)
+		})
+	}
+}

features/features.go

@@ -80,6 +80,12 @@ type Config struct {
 	// during certificate issuance. This flag must be set to true in the
 	// RA and VA services for full functionality.
 	DNSAccount01Enabled bool
+
+	// DNSPersist01Enabled controls support for the dns-persist-01 challenge
+	// type. When enabled, the server can offer and validate this challenge
+	// during certificate issuance. This flag must be set to true in the
+	// RA and VA services for full functionality.
+	DNSPersist01Enabled bool
 }
 
 var fMu = new(sync.RWMutex)