Simon Ser <cont...@emersion.fr> wrote:
    > dns-01 requires the ACME client to complete the challenge by updating a DNS
    > record. This is bothersome because this often requires interacting with the
    > DNS registry operator. This is typically done via vendor-specific APIs, with
    > access control handled via vendor-specific means (tokens, public keys,
    > etc).

I guess if you've hosted your zone with the registrar, then that might be
true.  My opinion: Don't do that.

Host your own zone, and/or use Dynamic DNS update (RFC3007), which is mature
technology.
There are some annoyances with TSIG until you realize that the key name
really matters.

    > For instance, it would be possible to require users to add a short public
    > key in a DNS TXT record, then ask the ACME client to sign challenges with
    > that key.
    > Something like this would significantly ease the development of ACME
    > clients.

So, this would be a client key challenge.
This would not be dns-01.  It could certainly work, but it would be a new
effort.
Maybe we could use SIG(0), I'm not sure.
The question would be whether or not it would get implemented.

    > Are there specific reasons why dns-01 requires updating a DNS record?

Yes, because it proves you control the zone.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
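An added example, not from the thread, of the self-hosted-zone approach the reply recommends: publishing the dns-01 token with an RFC 2136 dynamic update signed by TSIG. The zone (example.org), key name (acme-update), algorithm (hmac-sha256) and secret are assumptions; the server is assumed to hold a key block of the same name whose update policy only grants TXT on _acme-challenge names.

```shell
#!/bin/sh
# Added example (not from the list thread). Builds and sends a TSIG-signed
# RFC 2136 update that publishes an ACME dns-01 token, then checks it.
# Assumed names: zone example.org, TSIG key "acme-update", hmac-sha256.

# build_update ZONE FQDN TOKEN KEYNAME SECRET
# Prints an nsupdate batch on stdout.
build_update() {
    zone=$1; fqdn=$2; token=$3; keyname=$4; secret=$5
    # The key NAME travels in the TSIG record and is covered by the MAC;
    # the server looks the shared secret up by that name, and its update
    # policy grants rights to that name.  The right secret under the wrong
    # name is rejected as BADKEY, which is the TSIG annoyance the reply
    # refers to: keyname here must equal the key block name on the server.
    printf 'key hmac-sha256:%s %s\n' "$keyname" "$secret"
    printf 'zone %s\n' "$zone"
    # Drop any stale token first, then publish the new one with a short TTL
    # so a failed or repeated validation does not pin an old value in caches.
    printf 'update delete _acme-challenge.%s TXT\n' "$fqdn"
    printf 'update add _acme-challenge.%s 60 TXT "%s"\n' "$fqdn" "$token"
    printf 'send\n'
}

# apply_update SERVER ZONE FQDN TOKEN KEYNAME SECRET
# Sends the batch to the primary (the secret never appears on the
# command line or in the process list; it goes in on stdin).
apply_update() {
    server=$1; shift
    { printf 'server %s\n' "$server"; build_update "$@"; } | nsupdate -v
}

# verify_published SERVER FQDN TOKEN
# Returns 0 when the authoritative server already answers with the token;
# ask the primary directly rather than a recursive resolver, as the ACME
# server's validation will not go through your cache.
verify_published() {
    server=$1; fqdn=$2; token=$3
    answer=$(dig +short @"$server" "_acme-challenge.$fqdn" TXT)
    [ "$answer" = "\"$token\"" ]
}

# Usage (constructed values):
#   apply_update ns1.example.org example.org www.example.org "$TOKEN" \
#       acme-update "$SECRET" && verify_published ns1.example.org \
#       www.example.org "$TOKEN"
```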
