As authors of draft-sheth-identifiers-dns (included as an informative reference in draft-sheurich-acme-dns-persist), we are supportive of seeing this draft be adopted as it can help address challenges of using non-persistent approaches we see today.

One change we recommend would be to align the treatment of DNSSEC in this draft with the upcoming changes to draft-ietf-dnsop-domain-verification-techniques (DCV BCP) specified in https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/188/files. Any future version of draft-sheth-identifiers-dns will also align with this change. Adopting such language would change 7.7.1 of this draft from SHOULD validate DNSSEC signatures to a MUST use a DNSSEC validating resolver.

From our perspective, it is important that if a domain name has opted to use DNSSEC that it continues to be protected by the security properties of DNSSEC. The cited text would not prevent non-DNSSEC enabled domain names from using dns-persist-01 or using multi-perspective validation as currently specified.

Thanks!
Swapneel Sheth

From: Mike Ounsworth <[email protected]>
Sent: Friday, September 26, 2025 11:13 AM
To: IETF ACME <[email protected]>
Subject: [EXTERNAL] [Acme] Call-for-Adoption for draft-sheurich-acme-dns-persist

Hi ACME!

This thread begins a two-week Call-for-Adoption for draft-sheurich-acme-dns-persist, which will end 2025-10-10.

Please speak for or against adopting this document as a working group item.

-Mike
