Extend ACME self check to check CAA records #1325

DanielMorsing · 2019-02-06T14:03:02Z

What this PR does / why we need it:
This PR implements a rudimentary CAA check for ACME clients, making sure that users don't run into LE rate limits with improperly set up DNS

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged):
fixes #211

Special notes for your reviewer:

Release note:

Check for CAA records during ACME issuance

This isn't needed since we now cache clients Signed-off-by: Daniel Morsing <dmo@jetstack.io>

Signed-off-by: Daniel Morsing <dmo@jetstack.io>

jetstack-bot · 2019-02-06T14:03:15Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DanielMorsing

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [DanielMorsing]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

munnerz · 2019-02-06T14:05:30Z

pkg/controller/acmechallenges/sync.go

+	}
+	// TODO(dmo): figure out if missing CAA identity in directory
+	// means no CAA check is performed by ACME server or if any valid
+	// CAA would stop issuance (strongly suspect the former)


+1 I feel like the former is probably the case here.

@cpu do you have any insight?

There's no absolute guarantee that if a CA doesn't include a caaIdentities field in the directory metadata that it won't check CAA. For instance, Let's Encrypt was checking CAA prior to the field being specified or included.

That said, if the CA doesn't include any caaIdentities there won't be a way for an ACME client to programmatically check whether issuance will pass a CAA check or not. I think for your purposes it would be correct to assume there's no CAA since you can't do much else besides hardcode ACME server URLs -> CAA identities as they arise (ick).

pkg/controller/acmechallenges/sync.go

munnerz · 2019-02-06T14:10:37Z

pkg/issuer/acme/dns/util/wait.go

+		var err error
+		for i := 0; i < 8; i++ {
+			//TODO(dmo): figure out if we need these servers to be configurable as well
+			msg, err = dnsQuery(queryDomain, dns.TypeCAA, RecursiveNameservers, true)


😅 I can totally see something going wrong here with split horizon DNS

munnerz · 2019-02-06T14:11:16Z

pkg/issuer/acme/dns/util/wait.go

+		for i := 0; i < 8; i++ {
+			//TODO(dmo): figure out if we need these servers to be configurable as well
+			msg, err = dnsQuery(queryDomain, dns.TypeCAA, RecursiveNameservers, true)
+			if err != nil {


If a zone does not have a CAA record set, will it return SERVFAIL and cause issues?

Do we use an old version of the miekg DNS library that turned certain "successful" DNS queries into errors? otherwise this error should only happen on actual communications failures

If a zone returns SERVFAIL (or NOTIMPL) you would want to catch that in this precheck. Let's Encrypt would reject either case as an invalid CAA policy: https://letsencrypt.org/docs/caa/#servfail

pkg/issuer/acme/dns/util/wait.go

munnerz · 2019-02-06T14:14:10Z

pkg/issuer/acme/dns/util/wait.go

+
+		index := strings.Index(fqdn, ".")
+		if index == -1 {
+			panic("should never happen")


I'd rather us return an error here than panic - triggering a resync with backoff feels safer than ungraceful termination.

"I've never heard of a misbehaving DNS server before" - someone, somewhere

So, this is all on our side. It turns the query
www.example.org. into
example.org. and then
org.

I think I can just remove it, but I wrote it as pure instinct because strings.Index going straight into an slice operation has bitten me in the past

Signed-off-by: Daniel Morsing <dmo@jetstack.io>

munnerz · 2019-02-06T14:22:23Z

pkg/issuer/acme/dns/util/wait.go

+
+	if !matchCAA(caas, issuerSet, iswildcard) {
+		// TODO(dmo): better error message
+		return fmt.Errorf("CAA record does not match issuer")


Including expected and actual here would probably suffice 😄

pkg/issuer/acme/dns/util/wait_test.go

DanielMorsing · 2019-02-06T14:33:51Z

/retest

munnerz · 2019-02-08T10:35:08Z

Could you update this PR to also honour the --dns01-recursive-nameservers flag, and then I think it's good to merge? 😄

Signed-off-by: Daniel Morsing <dmo@jetstack.io>

munnerz · 2019-02-12T16:35:18Z

/lgtm

Daniel Morsing added 4 commits February 4, 2019 13:30

remove cached acme URI

7a8f5be

This isn't needed since we now cache clients Signed-off-by: Daniel Morsing <dmo@jetstack.io>

add Discover method to interface

4db43bf

Signed-off-by: Daniel Morsing <dmo@jetstack.io>

first draft CAA checking

bb853e5

Signed-off-by: Daniel Morsing <dmo@jetstack.io>

follow CNAMEs, go up labels in CAA check

ec1305c

Signed-off-by: Daniel Morsing <dmo@jetstack.io>

jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Feb 6, 2019

jetstack-bot requested a review from kragniz February 6, 2019 14:03

jetstack-bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Feb 6, 2019

jetstack-bot added area/acme Indicates a PR directly modifies the ACME Issuer code approved Indicates a PR has been approved by an approver from all required OWNERS files. area/acme/dns01 Indicates a PR modifies ACME DNS01 provider code labels Feb 6, 2019