Simon Ser <cont...@emersion.fr> wrote:
> dns-01 requires the ACME client to complete the challenge by updating a
DNS
> record. This is bothersome because this often requires interacting with
the
> DNS registry operator. This is typically done via vendor-specific APIs,
with
> access control handled via vendor-specific means (tokens, public keys,
> etc).
I guess if you've hosted your zone with the registrar, then that might be
true. my opinion: Don't do that.
Host your own zone, and/or use Dynamic DNS update (RFC3007), which is mature
technology.
There are some annoyances with TSIG until you realize that the key name
really matters.
> For instance, it would be possible to require users to add a short public
key
> in a DNS TXT record, then ask the ACME client to sign challenges with
that key.
> Something like this would significantly ease the development of ACME
> clients.
So, this would be be a client key challenge.
This would not be dns-01. It could certainly work, but it would be a new
effort.
Maybe we could use SIG(0), I'm not sure.
The question would be whether or not it would get implemented.
> Are there specific reasons why dns-01 requires updating a DNS record?
Yes, because it proves you control the zone.
--
Michael Richardson <mcr+i...@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
signature.asc
Description: PGP signature
_______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
