feat: Support for dns-account-01 Challenge (#8149)

This pull request introduces support for the `dns-account-01` challenge
type as specified in draft-ietf-acme-dns-account-label-01
(https://datatracker.ietf.org/doc/draft-ietf-acme-dns-account-label/01/),
building upon PR #8140 which
introduced the core type definitions.

Core Implementation:
- The policy engine in `policy/pa.go` is updated to offer the
`dns-account-01` challenge for both standard and wildcard domains.
- The main validation authority logic in `va/va.go` is updated to
recognize `dns-account-01` challenges and route them to the correct
validation routine, passing the necessary account information.
- The core validation logic for `dns-account-01` is implemented in
`va/dns.go`, which calculates the account-specific DNS label and
verifies the corresponding TXT record.

Configuration:
- The `PAConfig` is updated to recognize `dns-account-01` as a valid
challenge type which can be enabled in the PA config.
- A new `DNSAccount01Enabled` feature flag is introduced in
`features/features.go`. If this flag is not set, then the PA will not
offer the new challenge type, and the VA will refuse to validate this
challenge type.

Testing:
- A new suite of integration tests
(`test/integration/dns_account_01_test.go`) has been added to cover
various scenarios, including successful validation, incorrect TXT
records, and wildcard domains.
- The PA unit tests have been expanded to cover cases where the
`dns-account-01` feature is both enabled and disabled.
- The VA unit tests now include `va/dns_account_test.go`, specifically
targeting the `dns-account-01` validation logic.
- The mock DNS client (`bdns/mocks.go`) has been updated to simulate
various `dns-account-01` responses.
- The challenge test server client
(`test/chall-test-srv-client/client.go`) now includes methods for adding
and removing `dns-account-01` challenge responses.

These changes provide a complete implementation of the `dns-account-01`
challenge, including the necessary logic, configuration, and
comprehensive testing to ensure its correctness and reliability.

Author: sheurich

bdns/mocks.go

@@ -20,6 +20,43 @@ type MockClient struct {
 
 // LookupTXT is a mock
 func (mock *MockClient) LookupTXT(_ context.Context, hostname string) ([]string, ResolverAddrs, error) {
+	// Use the example account-specific label prefix derived from
+	// "https://example.com/acme/acct/ExampleAccount"
+	const accountLabelPrefix = "_ujmmovf2vn55tgye._acme-challenge"
+
+	if hostname == accountLabelPrefix+".servfail.com" {
+		// Mirror dns-01 servfail behaviour
+		return nil, ResolverAddrs{"MockClient"}, fmt.Errorf("SERVFAIL")
+	}
+	if hostname == accountLabelPrefix+".good-dns01.com" {
+		// Mirror dns-01 good record
+		// base64(sha256("LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
+		//               + "." + "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"))
+		return []string{"LPsIwTo7o8BoG0-vjCyGQGBWSVIPxI-i_X336eUOQZo"}, ResolverAddrs{"MockClient"}, nil
+	}
+	if hostname == accountLabelPrefix+".wrong-dns01.com" {
+		// Mirror dns-01 wrong record
+		return []string{"a"}, ResolverAddrs{"MockClient"}, nil
+	}
+	if hostname == accountLabelPrefix+".wrong-many-dns01.com" {
+		// Mirror dns-01 wrong-many record
+		return []string{"a", "b", "c", "d", "e"}, ResolverAddrs{"MockClient"}, nil
+	}
+	if hostname == accountLabelPrefix+".long-dns01.com" {
+		// Mirror dns-01 long record
+		return []string{"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}, ResolverAddrs{"MockClient"}, nil
+	}
+	if hostname == accountLabelPrefix+".no-authority-dns01.com" {
+		// Mirror dns-01 no-authority good record
+		// base64(sha256("LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
+		//               + "." + "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"))
+		return []string{"LPsIwTo7o8BoG0-vjCyGQGBWSVIPxI-i_X336eUOQZo"}, ResolverAddrs{"MockClient"}, nil
+	}
+	if hostname == accountLabelPrefix+".empty-txts.com" {
+		// Mirror dns-01 zero TXT records
+		return []string{}, ResolverAddrs{"MockClient"}, nil
+	}
+
 	if hostname == "_acme-challenge.servfail.com" {
 		return nil, ResolverAddrs{"MockClient"}, fmt.Errorf("SERVFAIL")
 	}
@@ -48,6 +85,8 @@ func (mock *MockClient) LookupTXT(_ context.Context, hostname string) ([]string,
 	if hostname == "_acme-challenge.empty-txts.com" {
 		return []string{}, ResolverAddrs{"MockClient"}, nil
 	}
+
+	// Default fallback
 	return []string{"hostname"}, ResolverAddrs{"MockClient"}, nil
 }
 

cmd/config.go

@@ -94,7 +94,7 @@ func (d *DBConfig) URL() (string, error) {
 // it should offer.
 type PAConfig struct {
 	DBConfig    `validate:"-"`
-	Challenges  map[core.AcmeChallenge]bool        `validate:"omitempty,dive,keys,oneof=http-01 dns-01 tls-alpn-01,endkeys"`
+	Challenges  map[core.AcmeChallenge]bool        `validate:"omitempty,dive,keys,oneof=http-01 dns-01 tls-alpn-01 dns-account-01,endkeys"`
 	Identifiers map[identifier.IdentifierType]bool `validate:"omitempty,dive,keys,oneof=dns ip,endkeys"`
 }
 

features/features.go

@@ -80,6 +80,12 @@ type Config struct {
 	// StoreARIReplacesInOrders causes the SA to store and retrieve the optional
 	// ARI replaces field in the orders table.
 	StoreARIReplacesInOrders bool
+
+	// DNSAccount01Enabled controls support for the dns-account-01 challenge
+	// type. When enabled, the server can offer and validate this challenge
+	// during certificate issuance. This flag must be set to true in the
+	// RA, VA, and WFE2 services for full functionality.
+	DNSAccount01Enabled bool
 }
 
 var fMu = new(sync.RWMutex)

policy/pa.go

@@ -18,6 +18,7 @@ import (
 
 	"github.com/letsencrypt/boulder/core"
 	berrors "github.com/letsencrypt/boulder/errors"
+	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/iana"
 	"github.com/letsencrypt/boulder/identifier"
 	blog "github.com/letsencrypt/boulder/log"
@@ -606,20 +607,28 @@ func (pa *AuthorityImpl) checkBlocklists(ident identifier.ACMEIdentifier) error
 func (pa *AuthorityImpl) ChallengeTypesFor(ident identifier.ACMEIdentifier) ([]core.AcmeChallenge, error) {
 	switch ident.Type {
 	case identifier.TypeDNS:
-		// If the identifier is for a DNS wildcard name we only provide a DNS-01
-		// challenge, to comply with the BRs Sections 3.2.2.4.19 and 3.2.2.4.20
-		// stating that ACME HTTP-01 and TLS-ALPN-01 are not suitable for validating
-		// Wildcard Domains.
+		// If the identifier is for a DNS wildcard name we only provide DNS-01
+		// or DNS-ACCOUNT-01 challenges, to comply with the BRs Sections 3.2.2.4.19
+		// and 3.2.2.4.20 stating that ACME HTTP-01 and TLS-ALPN-01 are not
+		// suitable for validating Wildcard Domains.
 		if strings.HasPrefix(ident.Value, "*.") {
-			return []core.AcmeChallenge{core.ChallengeTypeDNS01}, nil
+			challenges := []core.AcmeChallenge{core.ChallengeTypeDNS01}
+			if features.Get().DNSAccount01Enabled {
+				challenges = append(challenges, core.ChallengeTypeDNSAccount01)
+			}
+			return challenges, nil
 		}
 
 		// Return all challenge types we support for non-wildcard DNS identifiers.
-		return []core.AcmeChallenge{
+		challenges := []core.AcmeChallenge{
 			core.ChallengeTypeHTTP01,
 			core.ChallengeTypeDNS01,
 			core.ChallengeTypeTLSALPN01,
-		}, nil
+		}
+		if features.Get().DNSAccount01Enabled {
+			challenges = append(challenges, core.ChallengeTypeDNSAccount01)
+		}
+		return challenges, nil
 	case identifier.TypeIP:
 		// Only HTTP-01 and TLS-ALPN-01 are suitable for IP address identifiers
 		// per RFC 8738, Sec. 4.

policy/pa_test.go

@@ -19,9 +19,10 @@ import (
 
 func paImpl(t *testing.T) *AuthorityImpl {
 	enabledChallenges := map[core.AcmeChallenge]bool{
-		core.ChallengeTypeHTTP01:    true,
-		core.ChallengeTypeDNS01:     true,
-		core.ChallengeTypeTLSALPN01: true,
+		core.ChallengeTypeHTTP01:       true,
+		core.ChallengeTypeDNS01:        true,
+		core.ChallengeTypeTLSALPN01:    true,
+		core.ChallengeTypeDNSAccount01: true,
 	}
 
 	enabledIdentifiers := map[identifier.IdentifierType]bool{
@@ -457,56 +458,122 @@ func TestChallengeTypesFor(t *testing.T) {
 	t.Parallel()
 	pa := paImpl(t)
 
-	testCases := []struct {
-		name       string
-		ident      identifier.ACMEIdentifier
-		wantChalls []core.AcmeChallenge
-		wantErr    string
-	}{
-		{
-			name:  "dns",
-			ident: identifier.NewDNS("example.com"),
-			wantChalls: []core.AcmeChallenge{
-				core.ChallengeTypeHTTP01, core.ChallengeTypeDNS01, core.ChallengeTypeTLSALPN01,
+	t.Run("DNSAccount01Enabled=true", func(t *testing.T) {
+		features.Set(features.Config{DNSAccount01Enabled: true})
+		t.Cleanup(features.Reset)
+
+		testCases := []struct {
+			name       string
+			ident      identifier.ACMEIdentifier
+			wantChalls []core.AcmeChallenge
+			wantErr    string
+		}{
+			{
+				name:  "dns",
+				ident: identifier.NewDNS("example.com"),
+				wantChalls: []core.AcmeChallenge{
+					core.ChallengeTypeHTTP01,
+					core.ChallengeTypeDNS01,
+					core.ChallengeTypeTLSALPN01,
+					core.ChallengeTypeDNSAccount01,
+				},
 			},
-		},
-		{
-			name:  "dns wildcard",
-			ident: identifier.NewDNS("*.example.com"),
-			wantChalls: []core.AcmeChallenge{
-				core.ChallengeTypeDNS01,
+			{
+				name:  "dns wildcard",
+				ident: identifier.NewDNS("*.example.com"),
+				wantChalls: []core.AcmeChallenge{
+					core.ChallengeTypeDNS01,
+					core.ChallengeTypeDNSAccount01,
+				},
 			},
-		},
-		{
-			name:  "ip",
-			ident: identifier.NewIP(netip.MustParseAddr("1.2.3.4")),
-			wantChalls: []core.AcmeChallenge{
-				core.ChallengeTypeHTTP01, core.ChallengeTypeTLSALPN01,
+			{
+				name:  "ip",
+				ident: identifier.NewIP(netip.MustParseAddr("1.2.3.4")),
+				wantChalls: []core.AcmeChallenge{
+					core.ChallengeTypeHTTP01, core.ChallengeTypeTLSALPN01,
+				},
 			},
-		},
-		{
-			name:    "invalid",
-			ident:   identifier.ACMEIdentifier{Type: "fnord", Value: "uh-oh, Spaghetti-Os[tm]"},
-			wantErr: "unrecognized identifier type",
-		},
-	}
+			{
+				name:    "invalid",
+				ident:   identifier.ACMEIdentifier{Type: "fnord", Value: "uh-oh, Spaghetti-Os[tm]"},
+				wantErr: "unrecognized identifier type",
+			},
+		}
 
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			challs, err := pa.ChallengeTypesFor(tc.ident)
+		for _, tc := range testCases {
+			tc := tc // Capture range variable
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+				challs, err := pa.ChallengeTypesFor(tc.ident)
 
-			if len(tc.wantChalls) != 0 {
-				test.AssertNotError(t, err, "should have succeeded")
-				test.AssertDeepEquals(t, challs, tc.wantChalls)
-			}
+				if len(tc.wantChalls) != 0 {
+					test.AssertNotError(t, err, "should have succeeded")
+					test.AssertDeepEquals(t, challs, tc.wantChalls)
+				}
 
-			if tc.wantErr != "" {
-				test.AssertError(t, err, "should have errored")
-				test.AssertContains(t, err.Error(), tc.wantErr)
-			}
-		})
-	}
+				if tc.wantErr != "" {
+					test.AssertError(t, err, "should have errored")
+					test.AssertContains(t, err.Error(), tc.wantErr)
+				}
+			})
+		}
+	})
+
+	t.Run("DNSAccount01Enabled=false", func(t *testing.T) {
+		features.Set(features.Config{DNSAccount01Enabled: false})
+		t.Cleanup(features.Reset)
+
+		testCases := []struct {
+			name       string
+			ident      identifier.ACMEIdentifier
+			wantChalls []core.AcmeChallenge
+			wantErr    string
+		}{
+			{
+				name:  "dns",
+				ident: identifier.NewDNS("example.com"),
+				wantChalls: []core.AcmeChallenge{
+					core.ChallengeTypeHTTP01,
+					core.ChallengeTypeDNS01,
+					core.ChallengeTypeTLSALPN01,
+					// DNSAccount01 excluded
+				},
+			},
+			{
+				name:  "wildcard",
+				ident: identifier.NewDNS("*.example.com"),
+				wantChalls: []core.AcmeChallenge{
+					core.ChallengeTypeDNS01,
+					// DNSAccount01 excluded
+				},
+			},
+			{
+				name:  "ip",
+				ident: identifier.NewIP(netip.MustParseAddr("1.2.3.4")),
+				wantChalls: []core.AcmeChallenge{
+					core.ChallengeTypeHTTP01, core.ChallengeTypeTLSALPN01,
+				},
+			},
+		}
+
+		for _, tc := range testCases {
+			tc := tc // Capture range variable
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+				challs, err := pa.ChallengeTypesFor(tc.ident)
+
+				if len(tc.wantChalls) != 0 {
+					test.AssertNotError(t, err, "should have succeeded")
+					test.AssertDeepEquals(t, challs, tc.wantChalls)
+				}
+
+				if tc.wantErr != "" {
+					test.AssertError(t, err, "should have errored")
+					test.AssertContains(t, err.Error(), tc.wantErr)
+				}
+			})
+		}
+	})
 }
 
 // TestMalformedExactBlocklist tests that loading a YAML policy file with an

test/chall-test-srv-client/client.go

@@ -3,6 +3,7 @@ package challtestsrvclient
 import (
 	"bytes"
 	"crypto/sha256"
+	"encoding/base32"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -400,6 +401,80 @@ func (c *Client) RemoveDNS01Response(host string) ([]byte, error) {
 	return resp, nil
 }
 
+// AddDNSAccount01Response adds an ACME DNS-ACCOUNT-01 challenge response for the
+// provided host to the challenge test server's DNS interfaces. The TXT record
+// name is constructed using the accountURL, and the TXT record value is the
+// base64url encoded SHA-256 hash of the provided value. Any failure returns an
+// error that includes the relevant operation and the payload.
+func (c *Client) AddDNSAccount01Response(accountURL, host, value string) ([]byte, error) {
+	if accountURL == "" {
+		return nil, fmt.Errorf("accountURL cannot be empty")
+	}
+	if host == "" {
+		return nil, fmt.Errorf("host cannot be empty")
+	}
+	label, err := calculateDNSAccount01Label(accountURL)
+	if err != nil {
+		return nil, fmt.Errorf("error calculating DNS label: %v", err)
+	}
+	host = fmt.Sprintf("%s._acme-challenge.%s", label, host)
+	if !strings.HasSuffix(host, ".") {
+		host += "."
+	}
+	h := sha256.Sum256([]byte(value))
+	value = base64.RawURLEncoding.EncodeToString(h[:])
+	payload := map[string]string{"host": host, "value": value}
+	resp, err := c.postURL(addTXT, payload)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"while adding DNS-ACCOUNT-01 response for host %q, val %q (payload: %v): %w",
+			host, value, payload, err,
+		)
+	}
+	return resp, nil
+}
+
+// RemoveDNSAccount01Response removes an ACME DNS-ACCOUNT-01 challenge
+// response for the provided host and accountURL combination from the
+// challenge test server's DNS interfaces. The TXT record name is
+// constructed using the accountURL. Any failure returns an error
+// that includes both the relevant operation and the payload.
+func (c *Client) RemoveDNSAccount01Response(accountURL, host string) ([]byte, error) {
+	if accountURL == "" {
+		return nil, fmt.Errorf("accountURL cannot be empty")
+	}
+	if host == "" {
+		return nil, fmt.Errorf("host cannot be empty")
+	}
+	label, err := calculateDNSAccount01Label(accountURL)
+	if err != nil {
+		return nil, fmt.Errorf("error calculating DNS label: %v", err)
+	}
+	host = fmt.Sprintf("%s._acme-challenge.%s", label, host)
+	if !strings.HasSuffix(host, ".") {
+		host += "."
+	}
+	payload := map[string]string{"host": host}
+	resp, err := c.postURL(delTXT, payload)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"while removing DNS-ACCOUNT-01 response for host %q (payload: %v): %w",
+			host, payload, err,
+		)
+	}
+	return resp, nil
+}
+
+func calculateDNSAccount01Label(accountURL string) (string, error) {
+	if accountURL == "" {
+		return "", fmt.Errorf("account URL cannot be empty")
+	}
+
+	h := sha256.Sum256([]byte(accountURL))
+	label := fmt.Sprintf("_%s", strings.ToLower(base32.StdEncoding.EncodeToString(h[:10])))
+	return label, nil
+}
+
 // DNSRequest is a single DNS request in the request history.
 type DNSRequest struct {
 	Question struct {