Hi all,

Here is a summary of the changes in -01 and the topics we expect to address in -02.

Diff from -00: https://author-tools.ietf.org/iddiff?url1=draft-ietf-acme-dns-persist-00&url2=draft-ietf-acme-dns-persist-01

This revision includes the three changes presented at IETF 125:

- decouple Account URI from record provisioning, enabling pre-provisioning
- clarify case-handling rules
- rename "Authorization Domain Name" to "Validation Domain Name"

It also includes four editorial updates:

- reorder the abstract and Section 1 use cases to lead with multi-tenant hosting and enterprise DNS environments
- clarify in Section 9.6.1 that clients SHOULD use a DNSSEC-validating resolver, and state the consequence of not doing so
- expand the wildcard examples in Sections 5 and 6 to include deep subdomains such as *.dept.example.com
- clarify the Section 6 proper-suffix rule by referencing RFC 8555 Section 7.1.3 wildcard stripping and exempting the base-level wildcard

We discussed four additional topics at IETF 125 that we are targeting for -02. No objections were raised during the session.

- ancestor-domain selection for subdomain validation (#33 <https://github.com/ietf-wg-acme/draft-ietf-acme-dns-persist/issues/33>)
  - open questions are about the mechanism (new `adn` challenge response field vs RFC 9444 `ancestorDomain`) and BR label-pruning depth limits
- remove the TTL validation ceiling (#42 <https://github.com/ietf-wg-acme/draft-ietf-acme-dns-persist/issues/42>)
- IP validation via reverse DNS (#32 <https://github.com/ietf-wg-acme/draft-ietf-acme-dns-persist/issues/32>), since SC-91 passed
- client-side persistUntil guidance (#38 <https://github.com/ietf-wg-acme/draft-ietf-acme-dns-persist/issues/38>) and dedicated error types (#39 <https://github.com/ietf-wg-acme/draft-ietf-acme-dns-persist/issues/39>)

Our goal is to address these in -02 before IETF 126. Feedback on the topics above would be helpful.

Thanks,
Shiloh

> On Mar 23, 2026, at 22:06, [email protected] wrote:
>
> Internet-Draft draft-ietf-acme-dns-persist-01.txt is now available. It is a
> work item of the Automated Certificate Management Environment (ACME) WG of the
> IETF.
>
> Title: Automated Certificate Management Environment (ACME) Challenge for
> Persistent DNS TXT Record Validation
> Authors: Shiloh Heurich
>          Henry Birge-Lee
>          Michael Slaughter
> Name: draft-ietf-acme-dns-persist-01.txt
> Pages: 30
> Dates: 2026-03-23
>
> Abstract:
>
> This document specifies "dns-persist-01", a new validation method for
> the Automated Certificate Management Environment (ACME) protocol.
> This method allows a Certification Authority (CA) to verify control
> over a domain by confirming the presence of a persistent DNS TXT
> record containing CA and account identification information. This
> method is particularly suited for environments where traditional
> challenge methods are impractical, such as multi-tenant hosting
> platforms, enterprise DNS environments, and IoT deployments. The
> validation method is designed with a strong focus on security and
> robustness, incorporating widely adopted industry best practices for
> persistent domain control validation. This design aims to make it
> suitable for Certification Authorities operating under various policy
> environments, including those that align with the CA/Browser Forum
> Baseline Requirements.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-acme-dns-persist/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-acme-dns-persist-01.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-acme-dns-persist-01
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> Acme mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
