On Fri, Sep 11, 2020 at 03:41:08PM +0200, Patrik Wallström wrote:
> 
> 
> The missing piece of this puzzle is a standardized API for registrars
> (or DNS operators), where changes can be made for a zone at a registrar.
> Much like registry changes coming from registrars to a registry using
> EPP. Many attempts have been made for this, but for some reason,
> registrars like their lock-in models.
> 
> Perhaps some day there will be an attempt at both creating a really good
> open source zone editor that will be adopted by registrars and other DNS
> operators, that also implements an API that is generally accepted. Then
> perhaps this API could become a standard for interacting at least with
> DNS operators for changing the content of a zone. (No, and I don't think
> RFC 2136 is good enough for this.)

Another problem is that even if one has a programmatic API, the
DNS service has many servers (due to being intended for high-reliability
slow-update serving, not low-reliability fast-update serving), with
potentially painfully slow propagation times.

> For now, this is for many ACME clients a manual step. If you run your
> authoritative DNS service locally in your network, perhaps you could
> look into any options for automatically updating the zone content.

I think the current best way is to have _acme-challenge be a CNAME
pointing to a zone served by a single master with no slaves that accepts
DNS UPDATE with TSIG HMAC-SHA256 authentication for the ACME client to
update the records.

The single master is more than reliable enough for the purpose (as
there should be dozens of retries spread over time for renewal before
the certificate expires) and eliminates the propagation times.


-Ilari
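The arrangement described in the message above, shown as an added example that is not part of the thread and not code from any project mentioned in it: a standard-library-only Python sketch of the RFC 2136 UPDATE an ACME client would send to the dedicated master for the `_acme-challenge` TXT record, signed with TSIG HMAC-SHA256 (RFC 8945), together with the verification the master performs before applying it. The zone, owner and key names, the secret and the token value are all constructed for the example; the public zone's `_acme-challenge` CNAME pointing at `CHALLENGE_OWNER` is assumed, not shown.

```python
"""Constructed example: TSIG (HMAC-SHA256) signed RFC 2136 UPDATE for an
_acme-challenge TXT record, plus the master-side check. Standard library only."""
import hashlib
import hmac
import secrets
import struct
import time

TYPE_SOA, TYPE_TXT, TYPE_TSIG, CLASS_IN, CLASS_ANY, OPCODE_UPDATE = 6, 16, 250, 1, 255, 5
HMAC_SHA256 = "hmac-sha256."   # TSIG algorithm name, in domain-name syntax
# Constructed names/secret: in the public zone _acme-challenge.example.org. would be a
# CNAME to CHALLENGE_OWNER, which lives in UPDATE_ZONE on the single dedicated master.
UPDATE_ZONE = "acme-updates.example.net."
CHALLENGE_OWNER = "_acme-challenge.acme-updates.example.net."
KEY_NAME = "acme-key."
DEMO_KEY = bytes(range(32))    # constructed 256-bit secret, for the demo only

def encode_name(name):
    """Uncompressed, lower-cased wire-format name (the canonical form TSIG hashes)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def skip_name(msg, off):
    """Offset just past the name at `off` (handles compression pointers)."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def build_update(zone, owner, txt_values, ttl=60, msg_id=None):
    """UPDATE that deletes every TXT RR at `owner` and then adds one TXT per value."""
    if msg_id is None:
        msg_id = secrets.randbelow(1 << 16)
    # "delete all RRs of a type": class ANY, TTL 0, empty RDATA (RFC 2136 section 2.5.2)
    rrs = [encode_name(owner) + struct.pack("!HHIH", TYPE_TXT, CLASS_ANY, 0, 0)]
    for value in txt_values:
        rdata = bytes([len(value)]) + value.encode("ascii")   # one TXT <character-string>
        rrs.append(encode_name(owner) + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata)
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(rrs), 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN) + b"".join(rrs)

def tsig_vars(key_wire, alg_wire, time_signed, fudge, error, other):
    """The 'TSIG variables' appended to the message before hashing (RFC 8945 section 4.3.3)."""
    return (key_wire + struct.pack("!HI", CLASS_ANY, 0) + alg_wire + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, key_name, key, time_signed=None, fudge=300):
    """Append a TSIG RR; the MAC covers the unsigned message plus the TSIG variables."""
    if time_signed is None:
        time_signed = int(time.time())
    key_wire, alg_wire = encode_name(key_name), encode_name(HMAC_SHA256)
    mac = hmac.new(key, msg + tsig_vars(key_wire, alg_wire, time_signed, fudge, 0, b""),
                   hashlib.sha256).digest()
    msg_id, flags, zc, pc, uc, ac = struct.unpack("!HHHHHH", msg[:12])
    rdata = (alg_wire + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))          # original ID, error, other len
    tsig_rr = key_wire + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    # ARCOUNT counts the TSIG RR on the wire, but the hashed message did not include it
    return struct.pack("!HHHHHH", msg_id, flags, zc, pc, uc, ac + 1) + msg[12:] + tsig_rr

def tsig_verify(signed, keys, now=None):
    """Master-side check; `keys` maps key name -> secret. Returns (ok, TSIG error name)."""
    _, flags, zc, pc, uc, ac = struct.unpack("!HHHHHH", signed[:12])
    if ac == 0:
        return False, "REFUSED"                  # unsigned update: reject outright
    off = 12
    for _ in range(zc):
        off = skip_name(signed, off) + 4         # zone entry: name, type, class
    for _ in range(pc + uc + ac - 1):            # every RR except the trailing TSIG
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start, off = off, skip_name(signed, off)
    key_wire = signed[tsig_start:off].lower()    # canonical form; labels are ASCII
    rtype = struct.unpack("!H", signed[off:off + 2])[0]
    off += 10
    alg_wire, off = signed[off:skip_name(signed, off)].lower(), skip_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac, off = signed[off + 10:off + 10 + mac_size], off + 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    key = next((k for n, k in keys.items() if encode_name(n) == key_wire), None)
    if rtype != TYPE_TSIG or key is None or alg_wire != encode_name(HMAC_SHA256):
        return False, "BADKEY"
    unsigned = struct.pack("!HHHHHH", orig_id, flags, zc, pc, uc, ac - 1) + signed[12:tsig_start]
    expected = hmac.new(key, unsigned + tsig_vars(key_wire, alg_wire, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False, "BADSIG"
    if abs((int(time.time()) if now is None else now) - time_signed) > fudge:
        return False, "BADTIME"                  # outside the replay window
    return True, "NOERROR"

DEMO_WIRE = tsig_sign(build_update(UPDATE_ZONE, CHALLENGE_OWNER, ["constructed-token"]), KEY_NAME, DEMO_KEY)
DEMO_RESULT = tsig_verify(DEMO_WIRE, {KEY_NAME: DEMO_KEY})   # (True, 'NOERROR')
```

The order of checks in `tsig_verify` (key, then MAC, then time) is the one RFC 8945 prescribes, and the three outcomes map to the BADKEY, BADSIG and BADTIME responses a master such as BIND logs, which is what an operator sees when a client's key or clock is wrong. In a real deployment the client would send `DEMO_WIRE` with `nsupdate -k` and the master would scope the key with an `update-policy` grant limited to the `_acme-challenge` owner name and the TXT type, so a leaked ACME key cannot touch anything else in the zone.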

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme