On 9/13/2020 12:13 PM, Simon Ser wrote:
> Ultimately, ACME clients need a way to update DNS records to solve the dns-01
> challenge. Ignoring and pushing the problem down to the DNS operators does not
> fix the root cause.
I can't agree more, so what about going after a dns-02 challenge instead
of trying to fix this?
(This is up for discussion and offered as food for thought.)
Let's say the dns-02 challenge will be a little different: the DNS record
will hold a public key for a specific (or per) domain/subdomain, and the
ACME client will pass the server's challenge by using the corresponding
private key for that public key, where the server will verify against the
DNS-published public key. That means no DNS access from the client side at
the time of the challenge itself.
This might remove the need for a DNS API, or even for accessing the DNS from
the client altogether. It would solve and simplify the challenge while not
compromising the security of the challenge itself, and it would not
compromise the DNS records, for the DNS administrators' peace of mind; on
the contrary, it would give the ability to control DNS handling on the
client side in a more secure way. And if a client does have the ability to
change the public key, then this reverts to something very similar to
dns-01, so in that case (when it can access and modify the DNS records) the
client can choose between dns-01 and dns-02, which I don't see needing any
more discussion than dns-01 itself.
Is such a challenge viable and secure? Did I miss something obvious with
this suggestion?
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
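The exchange sketched in the message above, as an added example that is not part of the original post nor code from any ACME implementation. Everything about the wire format is an assumption made here for illustration: the key is published as a TXT record at `_acme-challenge.<domain>` with a `v=dns02;k=ed25519;p=` prefix, the signature is Ed25519 over a tagged concatenation of the domain and the server's random token, and the resolver is replaced by a constructed in-memory zone so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// txtPrefix is an assumed record format for the hypothetical dns-02
// challenge; the mail does not specify one.
const txtPrefix = "v=dns02;k=ed25519;p="

// zone is a constructed in-memory DNS zone standing in for the server's
// resolver. Only the TXT lookup the challenge needs is modelled.
type zone map[string][]string

func (z zone) lookupTXT(name string) []string {
	return z[strings.ToLower(strings.TrimSuffix(name, "."))]
}

// txtRecord formats the public key the DNS operator publishes once at
// _acme-challenge.<domain>; the ACME client never touches it afterwards.
func txtRecord(pub ed25519.PublicKey) string {
	return txtPrefix + base64.RawURLEncoding.EncodeToString(pub)
}

type challenge struct {
	Domain string
	Token  string
}

type response struct {
	Domain    string
	Token     string
	Signature []byte
}

// newChallenge is the server side: a fresh random token per authorization,
// so a captured response cannot be replayed against a later challenge.
func newChallenge(domain string) (challenge, error) {
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		return challenge{}, err
	}
	return challenge{Domain: domain, Token: base64.RawURLEncoding.EncodeToString(tok)}, nil
}

// signedMessage binds the signature to both the identifier and the token
// under a domain-separation tag (assumed layout), so a signature produced
// for one name or one challenge cannot be reused for another.
func signedMessage(domain, token string) []byte {
	return []byte("acme-dns02\x00" + domain + "\x00" + token)
}

// respond is the client side: prove possession of the private key whose
// public half sits in DNS. No DNS write and no DNS API call are needed.
func respond(c challenge, priv ed25519.PrivateKey) response {
	return response{Domain: c.Domain, Token: c.Token,
		Signature: ed25519.Sign(priv, signedMessage(c.Domain, c.Token))}
}

// verify is the server side: check the response is for the challenge it
// issued, fetch the published key(s), and accept if any one of them
// verifies the signature. Malformed records are skipped, never trusted.
func verify(z zone, issued challenge, r response) error {
	if r.Domain != issued.Domain || r.Token != issued.Token {
		return errors.New("response does not match the issued challenge")
	}
	msg := signedMessage(issued.Domain, issued.Token)
	for _, rr := range z.lookupTXT("_acme-challenge." + issued.Domain) {
		if !strings.HasPrefix(rr, txtPrefix) {
			continue
		}
		pub, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(rr, txtPrefix))
		if err != nil || len(pub) != ed25519.PublicKeySize {
			continue // malformed record: ignore rather than fail open
		}
		if ed25519.Verify(ed25519.PublicKey(pub), msg, r.Signature) {
			return nil
		}
	}
	return errors.New("no published dns-02 key verifies the response")
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dns := zone{"_acme-challenge.example.org": {txtRecord(pub)}}
	c, err := newChallenge("example.org")
	if err != nil {
		panic(err)
	}
	fmt.Println("valid key:", verify(dns, c, respond(c, priv)))
	_, other, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key:", verify(dns, c, respond(c, other)))
}
```

Two points a reviewer of such a challenge would want settled before calling it secure: the signed message has to cover the token, the identifier and (as dns-01's key authorization does) the ACME account key, otherwise a signature obtained for one purpose is reusable for another; and the server's lookup of the published key is exposed to the same DNS spoofing concerns as the dns-01 lookup, so whatever resolver hardening a CA applies to dns-01 applies here unchanged. The proposal moves the write out of the client; it does not change what the server must trust on the read.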