On Fri, Jul 07, 2017 at 07:04:27AM +0200, Rene 'Renne' Bartsch, B.Sc. 
Informatics wrote:
> 
> A lot of DNS server providers do not allow modifying the zones on the fly.
> My DNS server provider e.g. uses a hidden primary DNS for security reasons.
> Changing zones is only possible manually via the web-interface. A lot of
> other DNS server providers limit the update rate or use timeouts. DNS was
> explicitly planned as a non-real-time system. In those cases, e.g., CertBot
> always runs into timeouts and cannot work automatically. A static key in the
> DNS zone would solve that problem.

However, CABForum BRs (which all public CAs are required to abide by)
prohibit static keys in DNS (funkily enough, BRs seem to allow static
keys in WHOIS).

I think if one wanted to change that, the next step would be to make a
fleshed out proposal for such a validation method and a thorough security
analysis of it (in order to guide possible changes to BRs).


As a note:

The time it takes from a CABForum member posting a ballot with two
endorsers to incorporation of said ballot (if the ballot passes the vote and
there are no IPR issues) into BRs is about 7 weeks. Of course, with
complicated ballots, it takes a lot of time to prepare the ballot.



-Ilari

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme