Simon Ser <cont...@emersion.fr> wrote:
> dns-01 requires the ACME client to complete the challenge by updating a DNS
> record. This is bothersome because this often requires interacting with the
> DNS registry operator. This is typically done via vendor-specific APIs, with
> access control handled via vendor-specific means (tokens, public keys,
> etc).

I guess if you've hosted your zone with the registrar, then that might be true.
My opinion: Don't do that. Host your own zone, and/or use Dynamic DNS update
(RFC3007), which is mature technology. There are some annoyances with TSIG
until you realize that the key name really matters.

> For instance, it would be possible to require users to add a short public key
> in a DNS TXT record, then ask the ACME client to sign challenges with that key.
> Something like this would significantly ease the development of ACME
> clients.

So, this would be a client key challenge. This would not be dns-01. It could
certainly work, but it would be a new effort. Maybe we could use SIG(0), I'm
not sure. The question would be whether or not it would get implemented.

> Are there specific reasons why dns-01 requires updating a DNS record?

Yes, because it proves you control the zone.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
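A concrete illustration of the TSIG key-name point above, added here as an example and not part of the thread: a stdlib-only Python sketch that builds an RFC 2136 UPDATE adding an _acme-challenge TXT record and computes the RFC 8945 HMAC-SHA256 TSIG MAC, in which the key name is part of the signed data, so a client and server that share the secret but disagree on the key name fail verification. The zone, record names, secret and timestamp are constructed values.

```python
import hmac
import hashlib
import struct
import time

def wire_name(name):
    """DNS wire-format name in canonical form: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_update(zone, name, txt, msg_id=0x1234):
    """RFC 2136 UPDATE adding one TXT RR (constructed; no TSIG RR appended, so ARCOUNT stays 0)."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)      # SOA, IN
    rdata = bytes([len(txt)]) + txt.encode("ascii")                # one <character-string>
    update = wire_name(name) + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata  # TXT IN ttl
    return header + zone_section + update

def tsig_mac(message, key_name, secret, time_signed, fudge=300):
    """HMAC-SHA256 per RFC 8945 over the message plus the TSIG variables; key_name is in the digest."""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)      # class ANY, TTL 0
                 + wire_name("hmac-sha256.")
                 + struct.pack("!Q", time_signed)[2:]                  # 48-bit time signed
                 + struct.pack("!HHH", fudge, 0, 0))                   # fudge, error, other len
    return hmac.new(secret, message + variables, hashlib.sha256).digest()

def verify(message, key_name, secret, time_signed, mac, now=None, fudge=300):
    """Server-side check: rejects a stale timestamp or a MAC computed under a different key name."""
    now = time.time() if now is None else now
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(message, key_name, secret, time_signed, fudge)
    return hmac.compare_digest(expected, mac)

def demo():
    """Same secret on both sides; only the key name differs in the second check."""
    secret = b"constructed-demo-secret"  # constructed; real TSIG secrets are random, base64 in config
    msg = build_update("example.com.", "_acme-challenge.example.com.", "constructed-token")
    ts = 1_700_000_000
    mac = tsig_mac(msg, "acme-update.", secret, ts)
    accepted = verify(msg, "acme-update.", secret, ts, mac, now=ts)
    wrong_name = verify(msg, "acme.", secret, ts, mac, now=ts)
    return accepted, wrong_name

if __name__ == "__main__":
    print(demo())  # (True, False)
```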