On 07.07.2017 at 03:56, Alan Doherty wrote:
At 09:40 06/07/2017  Thursday, Rene 'Renne' Bartsch, B.Sc. Informatics wrote:
You think there should be a proprietary plug-in for any combination of DNS-provider 
<-> ACME-client?
not at all
(only mentioned plugin as many acme clients use separately maintained plugins 
for each/every challenge type (as that's how they roll)
obviously monolithic ones such as the LE clients add support for whatever 
dns-providers they wish themselves
but as with all challenge types having an optional (call user provided script X 
to update dns/http/etc is worthwhile so people can roll their own)


Creating DNS challenges on the fly makes things quite complicated. Another way 
to circumvent the whole challenge protocol for DNS would be to let the 
ACME-client create a static RSA-key-pair and publish the public key in the 
ACME-TXT-record. The ACME-client connects to the CA-server via TLS with its 
private key and the CA-server just checks if the public key in the 
_acme-challenge.xxx.xxx TXT-record matches the private key of the TLS 
connection.
I disagree, it's no more/less easy than the http challenge on-the-fly.
I suspect I'm not the only one running my own private and acl'd off from 
internet, api on my dns master that receives updates, edits the zone and 
responds when complete (to avoid exposing a public api that may be brute forced)
and I run a (3rd party) acme(letsencrypt) client that calls my 
client-side-script for each challenge (these talk to my private api on the 
master dns server)


all I'm saying is there are 3 sides to the conversation

client <1> acme-server <2> dns/http/other-auth-system <3> client

I think acme should only codify the communication on the two sides that the 
acme-server converses on
as client developers can decide to support/neglect as many (or few) auth types 
and http/dns/other providers as they like

A lot of DNS server providers do not allow modifying the zones on the fly. My DNS server provider, e.g., uses a hidden primary DNS for security reasons. Changing zones is only possible manually via the web interface. A lot of other DNS server providers limit the update rate or use timeouts. DNS was explicitly planned as a non-real-time system. In those cases e.g. CertBot always runs into timeouts and cannot work automatically. A static key in the DNS zone would solve that problem.
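The static-key idea quoted above, written out as an added Go example that is not part of this thread or of any ACME implementation: the client side encodes its RSA public key into the TXT value, and the CA side parses the published value and compares it with the public key the TLS client presented. The "v=acme-key; k=" record layout is an assumption made here, not something the proposal specifies.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Assumed record layout for the proposal: "v=acme-key; k=<base64 SPKI DER>".
const txtPrefix = "v=acme-key; k="

// TXTRecordFor builds the value the client would publish once, statically,
// under _acme-challenge.<domain>.
func TXTRecordFor(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return txtPrefix + base64.StdEncoding.EncodeToString(der), nil
}

// VerifyTLSKeyAgainstTXT is the CA-side check: parse the published key and
// compare it with the public key of the certificate the TLS client presented
// (in a real server that is tls.ConnectionState.PeerCertificates[0].PublicKey).
// A malformed record is an error, not a silent failure, so it can be logged.
func VerifyTLSKeyAgainstTXT(txt string, tlsPub *rsa.PublicKey) (bool, error) {
	if !strings.HasPrefix(txt, txtPrefix) {
		return false, fmt.Errorf("TXT record is not an acme-key record")
	}
	der, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(txt, txtPrefix))
	if err != nil {
		return false, fmt.Errorf("bad base64 in TXT record: %w", err)
	}
	parsed, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return false, fmt.Errorf("bad SPKI in TXT record: %w", err)
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return false, fmt.Errorf("published key is not RSA")
	}
	return pub.Equal(tlsPub), nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // the client's static key pair
	txt, _ := TXTRecordFor(&key.PublicKey)
	ok, err := VerifyTLSKeyAgainstTXT(txt, &key.PublicKey)
	fmt.Println(ok, err) // true <nil>
}
```

The comparison only means something if the CA performs the TXT lookup itself and the TLS handshake requires a client certificate, so possession of the matching private key is actually proven. Because the key is static, the record also needs a rotation plan, which the on-the-fly challenge avoids by design.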

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
