k-v.io: protect against scammers seeking wildcards

Prohibit setting DNS-01 challenge TXT record `_acme-challenge.k-v.io`

Although it may appear the TXT record can be set or deleted, it's
hardcoded to the string, "Please don't try to procure a k-v.io cert via
DNS-01 challenge". Setting a custom value was easier than writing a
special code path.

Special thanks to [Alan Liang](http://symb.olic.link/):

> ... one could easily add (and modify) a TXT record at
> _acme-challenge.k-v.io, which I believe is used for verifying domain
> ownership at various cert providers, so anyone could in theory obtain
> valid SSL certs for k-v.io and *.k-v.io
Brian Cunnie
2022-04-25 19:23:21 -07:00
parent 6dadfd6b5b
commit b7d8c4d16b
2 changed files with 18 additions and 4 deletions


@@ -157,6 +157,14 @@ var _ = Describe("sslip.io-dns-server", func() {
"@127.0.0.1 my-key.k-v.io txt +short",
`\A\z`,
`TypeTXT my-key.k-v.io. \? nil, SOA my-key.k-v.io. briancunnie.gmail.com. 2022020800 900 900 1800 180\n$`),
Entry(`setting a TXT for _acme-challenge.k-v.io appears to work (spoiler: it doesn't)'"`,
"@127.0.0.1 put.sneaky-boy._acme-challenge.k-v.io txt +short",
`sneaky-boy`,
`TypeTXT put.sneaky-boy._acme-challenge.k-v.io. \? \["sneaky-boy"\]`),
Entry(`get a TXT for _acme-challenge.k-v.io is blocked to foil Let's Encrypt ACME DNS-01 challenge"`,
"@127.0.0.1 _acme-challenge.k-v.io txt +short",
`Please don't try to procure a k-v.io cert via DNS-01 challenge`,
`TypeTXT _acme-challenge.k-v.io. \? \["Please don't try to procure a k-v.io cert via DNS-01 challenge"\]`),
)
})
Describe("for more complex assertions", func() {
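Review bot: both new Entry descriptions carry stray trailing quote characters inside their backtick strings (`(spoiler: it doesn't)'"` on the first, `DNS-01 challenge"` on the second); they will be printed verbatim in the spec output, so drop them. Coverage-wise, the hunk only queries `_acme-challenge.k-v.io` in lowercase; since DNS names compare case-insensitively, a third Entry issuing the same query with mixed case (for example `_ACME-Challenge.k-v.io`) would confirm that the hardcoded TXT answer is returned regardless of how the name is cased rather than falling through to a client-set value.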